5 files changed, 39 insertions, 1 deletions
diff --git a/third_party/WebKit/LayoutTests/ChangeLog b/third_party/WebKit/LayoutTests/ChangeLog
index 5631c6d..1a015fa 100644
--- a/third_party/WebKit/LayoutTests/ChangeLog
+++ b/third_party/WebKit/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2009-10-09 Stephen White <senorblanco@chromium.org>
+
+ Reviewed by Eric Seidel.
+
+ New test for NULL ptr deref in canvas's toDataURL().
+ https://bugs.webkit.org/show_bug.cgi?id=30254
+
+ * fast/canvas/canvas-toDataURL-crash-expected.txt: Added.
+ * fast/canvas/canvas-toDataURL-crash.html: Added.
+
 2009-10-13 Dimitri Glazkov <dglazkov@chromium.org>
 
 No review, rolling out r49554, because it broke Win and Chromium builds.
diff --git a/third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash-expected.txt b/third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash-expected.txt
new file mode 100644
index 0000000..557a26c
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash-expected.txt
@@ -0,0 +1,5 @@
+PASS
+
+Calling toDataURL() on a huge canvas shouldn't crash. If the text above is "PASS", the test passed.
+
+
diff --git a/third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash.html b/third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash.html
new file mode 100644
index 0000000..f058dec
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/canvas/canvas-toDataURL-crash.html
@@ -0,0 +1,11 @@
+<p id="console"></p>
+<p>Calling toDataURL() on a huge canvas shouldn't crash. If the text above is "PASS", the test passed.</p>
+<canvas id="foo" width="65536" height="65536"></canvas>
+<script>
+var canvas = document.getElementById('foo');
+var url = canvas.toDataURL();
+var p = document.getElementById('console');
+p.innerHTML = "PASS";
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
diff --git a/third_party/WebKit/WebCore/ChangeLog b/third_party/WebKit/WebCore/ChangeLog
index dc572ea..35ed0ab 100644
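Review bot: The new test only proves that the script reaches `p.innerHTML = "PASS"`; the `url` returned by `canvas.toDataURL()` is assigned and never inspected, so a regression that returns an unexpected or malformed string on the allocation-failure path would still print PASS. Since the fix makes this case return the empty data URL, the line could pin that: `p.innerHTML = (url === "data:," || url.indexOf("data:image/png") === 0) ? "PASS" : "FAIL: " + url;`. Note also that the test exercises the null-buffer path only on platforms where a 65536x65536 backing store fails to allocate; where it succeeds the test is very memory-hungry and does not cover the fix, which is worth a comment in the file (`<!-- relies on the huge backing store failing to allocate -->`).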
--- a/third_party/WebKit/WebCore/ChangeLog
+++ b/third_party/WebKit/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2009-10-09 Stephen White <senorblanco@chromium.org>
+
+ Reviewed by Eric Seidel.
+
+ Fix for NULL ptr deref in canvas's toDataURL().
+ https://bugs.webkit.org/show_bug.cgi?id=30254
+
+ Test: fast/canvas/canvas-toDataURL-crash.html
+
+ * html/HTMLCanvasElement.cpp:
+ (WebCore::HTMLCanvasElement::toDataURL):
+
 2009-10-14 Pavel Feldman <pfeldman@chromium.org>
 
 Not reviewed, reverting r49558 since it broke profiler tests.
diff --git a/third_party/WebKit/WebCore/html/HTMLCanvasElement.cpp b/third_party/WebKit/WebCore/html/HTMLCanvasElement.cpp
index e3fe329..335b20f 100644
--- a/third_party/WebKit/WebCore/html/HTMLCanvasElement.cpp
+++ b/third_party/WebKit/WebCore/html/HTMLCanvasElement.cpp
@@ -138,7 +138,7 @@ String HTMLCanvasElement::toDataURL(const String& mimeType, ExceptionCode& ec)
 return String();
 }
 
- if (m_size.isEmpty())
+ if (m_size.isEmpty() || !buffer())
 return String("data:,");
 
 if (mimeType.isNull() || !MIMETypeRegistry::isSupportedImageMIMETypeForEncoding(mimeType))
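Review bot: The added `!buffer()` guard has no comment saying why buffer() can be null, so a reader will assume it only happens for an empty size, which the first clause already covers; the toDataURL body continues past this hunk, so the dereferences it protects are not visible here. I would document the failure mode on the new line: `// buffer() returns 0 when the backing store could not be allocated (e.g. a 65536x65536 canvas); treat that like an empty canvas rather than dereferencing it.` Since the rest of the function presumably calls buffer() again to encode the image, consider capturing it once in a local (`ImageBuffer* imageBuffer = buffer();`) so the null check and the later use cannot diverge if buffer() ever retries allocation. This fix is local to toDataURL; any other path that dereferences buffer() without an equivalent check is worth auditing for the same null.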