<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[193898] trunk/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/193898">193898</a></dd>
<dt>Author</dt> <dd>zandobersek@gmail.com</dd>
<dt>Date</dt> <dd>2015-12-10 02:24:55 -0800 (Thu, 10 Dec 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>[TexMap] pixel coverage multiplication in TiledBackingStore can overflow
https://bugs.webkit.org/show_bug.cgi?id=152055
Reviewed by Carlos Garcia Campos.
The computation of the pixel coverage in TiledBackingStore can easily overflow
when the candidate size is relatively large (for instance when the backed
layer is transformed in a way that increases its perceived size). This can result
in missing tiles for this specific backing store, at least until the layer in
question is transformed again into a shape that produces a smaller candidate size.
To avoid the integer overflow, the multiplication is done in a safe manner,
defaulting to the max positive value an integer can hold in case the overflow
is detected.
* platform/graphics/texmap/coordinated/TiledBackingStore.cpp:
(WebCore::TiledBackingStore::adjustForContentsRect):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreplatformgraphicstexmapcoordinatedTiledBackingStorecpp">trunk/Source/WebCore/platform/graphics/texmap/coordinated/TiledBackingStore.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (193897 => 193898)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2015-12-10 10:23:06 UTC (rev 193897)
+++ trunk/Source/WebCore/ChangeLog 2015-12-10 10:24:55 UTC (rev 193898)
</span><span class="lines">@@ -1,5 +1,25 @@
</span><span class="cx"> 2015-12-10 Zan Dobersek <zdobersek@igalia.com>
</span><span class="cx">
</span><ins>+ [TexMap] pixel coverage multiplication in TiledBackingStore can overflow
+ https://bugs.webkit.org/show_bug.cgi?id=152055
+
+ Reviewed by Carlos Garcia Campos.
+
+ The computation of the pixel coverage in TiledBackingStore can easily overflow
+ when the candidate size is relatively large (for instance when the backed
+ layer is transformed in a way that increases its perceived size). This can result
+ in missing tiles for this specific backing store, at least until the layer in
+ question is transformed again into a shape that produces a smaller candidate size.
+
+ To avoid the integer overflow, the multiplication is done in a safe manner,
+ defaulting to the max positive value an integer can hold in case the overflow
+ is detected.
+
+ * platform/graphics/texmap/coordinated/TiledBackingStore.cpp:
+ (WebCore::TiledBackingStore::adjustForContentsRect):
+
+2015-12-10 Zan Dobersek <zdobersek@igalia.com>
+
</ins><span class="cx"> [TexMap] Clean up BitmapTexturePool
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=152073
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformgraphicstexmapcoordinatedTiledBackingStorecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/graphics/texmap/coordinated/TiledBackingStore.cpp (193897 => 193898)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/graphics/texmap/coordinated/TiledBackingStore.cpp 2015-12-10 10:23:06 UTC (rev 193897)
+++ trunk/Source/WebCore/platform/graphics/texmap/coordinated/TiledBackingStore.cpp 2015-12-10 10:24:55 UTC (rev 193898)
</span><span class="lines">@@ -23,6 +23,7 @@
</span><span class="cx"> #if USE(COORDINATED_GRAPHICS)
</span><span class="cx"> #include "GraphicsContext.h"
</span><span class="cx"> #include "TiledBackingStoreClient.h"
</span><ins>+#include <wtf/CheckedArithmetic.h>
</ins><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><span class="lines">@@ -269,7 +270,9 @@
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> // Try to create a cover rect of the same size as the candidate, but within content bounds.
</span><del>- int pixelsCovered = candidateSize.width() * candidateSize.height();
</del><ins>+ int pixelsCovered = 0;
+ if (!WTF::safeMultiply(candidateSize.width(), candidateSize.height(), pixelsCovered))
+ pixelsCovered = std::numeric_limits<int>::max();
</ins><span class="cx">
</span><span class="cx"> if (rect.width() < candidateSize.width())
</span><span class="cx"> rect.inflateY(((pixelsCovered / rect.width()) - rect.height()) / 2);
</span></span></pre>
</div>
</div>
</body>
</html>