authorsenorblanco@chromium.org <senorblanco@chromium.org@bbb929c8-8fbe-4397-9dbb-9b2b20218538>2009-10-14 15:02:42 +0000
committersenorblanco@chromium.org <senorblanco@chromium.org@bbb929c8-8fbe-4397-9dbb-9b2b20218538>2009-10-14 15:02:42 +0000
commit2b802d0336463d77eeb2bb3631047489f5581cdd (patch)
tree71bac3d81813d5da59f1caac6593611c1097f4b2
parent51c15826c9fdf95e87f936fd1492d8cf66033ac5 (diff)
WebCore: Fix for NULL ptr deref in canvas's toDataURL().
https://bugs.webkit.org/show_bug.cgi?id=30254 Reviewed by Eric Seidel. Test: fast/canvas/canvas-toDataURL-crash.html * html/HTMLCanvasElement.cpp: (WebCore::HTMLCanvasElement::toDataURL): LayoutTests: New test for NULL ptr deref in canvas's toDataURL(). https://bugs.webkit.org/show_bug.cgi?id=30254 Reviewed by Eric Seidel. * fast/canvas/canvas-toDataURL-crash-expected.txt: Added. * fast/canvas/canvas-toDataURL-crash.html: Added. git-svn-id: svn://svn.chromium.org/blink/trunk@49561 bbb929c8-8fbe-4397-9dbb-9b2b20218538
-rw-r--r--third_party/WebKit/LayoutTests/ChangeLog10
-rw-r--r--third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash-expected.txt5
-rw-r--r--third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash.html11
-rw-r--r--third_party/WebKit/WebCore/ChangeLog12
-rw-r--r--third_party/WebKit/WebCore/html/HTMLCanvasElement.cpp2
5 files changed, 39 insertions, 1 deletions
diff --git a/third_party/WebKit/LayoutTests/ChangeLog b/third_party/WebKit/LayoutTests/ChangeLog
index 5631c6d..1a015fa 100644
--- a/third_party/WebKit/LayoutTests/ChangeLog
+++ b/third_party/WebKit/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2009-10-09 Stephen White <senorblanco@chromium.org>
+
+ Reviewed by Eric Seidel.
+
+ New test for NULL ptr deref in canvas's toDataURL().
+ https://bugs.webkit.org/show_bug.cgi?id=30254
+
+ * fast/canvas/canvas-toDataURL-crash-expected.txt: Added.
+ * fast/canvas/canvas-toDataURL-crash.html: Added.
+
2009-10-13 Dimitri Glazkov <dglazkov@chromium.org>
No review, rolling out r49554, because it broke Win and Chromium builds.
diff --git a/third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash-expected.txt b/third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash-expected.txt
new file mode 100644
index 0000000..557a26c
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash-expected.txt
@@ -0,0 +1,5 @@
+PASS
+
+Calling toDataURL() on a huge canvas shouldn't crash. If the text above is "PASS", the test passed.
+
+
diff --git a/third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash.html b/third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash.html
new file mode 100644
index 0000000..f058dec
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash.html
@@ -0,0 +1,11 @@
+<p id="console"></p>
+<p>Calling toDataURL() on a huge canvas shouldn't crash. If the text above is "PASS", the test passed.</p>
+<canvas id="foo" width="65536" height="65536"></canvas>
+<script>
+var canvas = document.getElementById('foo');
+var url = canvas.toDataURL();
+var p = document.getElementById('console');
+p.innerHTML = "PASS";
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
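Review bot: The test never looks at the value returned on the line `var url = canvas.toDataURL();`, so it only proves the call returns without throwing or crashing; a cheap extra check pins the contract the fix introduces, e.g. `p.innerHTML = (typeof url === "string") ? "PASS" : "FAIL: " + url;`. I would not hard-code `"data:,"` as the expected value, since whether a 65536x65536 backing store can actually be allocated depends on the platform and its canvas size limits, and a platform that does allocate it would presumably return a real data URL. A one-line comment above the canvas element saying the size is chosen to make backing-store allocation fail would also make the intent of the test clearer to the next reader.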
diff --git a/third_party/WebKit/WebCore/ChangeLog b/third_party/WebKit/WebCore/ChangeLog
index dc572ea..35ed0ab 100644
--- a/third_party/WebKit/WebCore/ChangeLog
+++ b/third_party/WebKit/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2009-10-09 Stephen White <senorblanco@chromium.org>
+
+ Reviewed by Eric Seidel.
+
+ Fix for NULL ptr deref in canvas's toDataURL().
+ https://bugs.webkit.org/show_bug.cgi?id=30254
+
+ Test: fast/canvas/canvas-toDataURL-crash.html
+
+ * html/HTMLCanvasElement.cpp:
+ (WebCore::HTMLCanvasElement::toDataURL):
+
2009-10-14 Pavel Feldman <pfeldman@chromium.org>
Not reviewed, reverting r49558 since it broke profiler tests.
diff --git a/third_party/WebKit/WebCore/html/HTMLCanvasElement.cpp b/third_party/WebKit/WebCore/html/HTMLCanvasElement.cpp
index e3fe329..335b20f 100644
--- a/third_party/WebKit/WebCore/html/HTMLCanvasElement.cpp
+++ b/third_party/WebKit/WebCore/html/HTMLCanvasElement.cpp
@@ -138,7 +138,7 @@ String HTMLCanvasElement::toDataURL(const String& mimeType, ExceptionCode& ec)
return String();
}
- if (m_size.isEmpty())
+ if (m_size.isEmpty() || !buffer())
return String("data:,");
if (mimeType.isNull() || !MIMETypeRegistry::isSupportedImageMIMETypeForEncoding(mimeType))
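Review bot: The new `!buffer()` guard silently folds an allocation failure into the same `"data:,"` result that the spec prescribes for a zero-sized canvas, and nothing on the line says why, so a later reader may take it for an empty-canvas check only; I would add `// buffer() returns null when the backing store could not be allocated (e.g. a huge canvas); treat it like an empty canvas instead of dereferencing it.` above the condition. The guard only protects the rest of toDataURL if every later use of buffer() in this function sees the same null result, which is not visible here because the function body continues past the hunk; caching the pointer once (`ImageBuffer* imageBuffer = buffer();`) and using it below would make that independent of how buffer() behaves on repeated calls. Other callers of buffer() in this class presumably face the same null-deref on an oversized canvas, which is worth auditing separately.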