<title>[206244] trunk/Source</title>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/206244">206244</a></dd>
<dt>Author</dt> <dd>bfulgham@apple.com</dd>
<dt>Date</dt> <dd>2016-09-21 18:23:26 -0700 (Wed, 21 Sep 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>Correct uses of 'safeCast'
https://bugs.webkit.org/show_bug.cgi?id=162301
&lt;rdar://problem/28343658&gt;

Reviewed by Antti Koivisto.

Source/WebCore:

A number of integer calculations in BitmapImage and PDFDocumentImage
are not properly checked for overflow. Correct this.

Tested by fast/images/large-size-image-crash.html

* loader/cache/MemoryCache.cpp:
(WebCore::MemoryCache::adjustSize): RELEASE_ASSERT on overflow.
* platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::destroyMetadataAndNotify):
(WebCore::BitmapImage::cacheFrame):
(WebCore::BitmapImage::didDecodeProperties):
(WebCore::BitmapImage::dataChanged):
(WebCore::BitmapImage::ensureFrameAtIndexIsCached):
(WebCore::BitmapImage::frameImageAtIndex):
* platform/graphics/BitmapImage.h:
* platform/graphics/cg/PDFDocumentImage.cpp:
(WebCore::PDFDocumentImage::decodedSizeChanged):
(WebCore::PDFDocumentImage::updateCachedImageIfNeeded):

Source/WTF:

* wtf/StdLibExtras.h:
(WTF::safeCast): RELEASE_ASSERT on overflow.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWTFChangeLog">trunk/Source/WTF/ChangeLog</a></li>
<li><a href="#trunkSourceWTFwtfStdLibExtrash">trunk/Source/WTF/wtf/StdLibExtras.h</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloadercacheMemoryCachecpp">trunk/Source/WebCore/loader/cache/MemoryCache.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformgraphicsBitmapImagecpp">trunk/Source/WebCore/platform/graphics/BitmapImage.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformgraphicscgPDFDocumentImagecpp">trunk/Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp</a></li>
</ul>

<h3>Diff</h3>
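--- a/trunk/Source/WTF/ChangeLog
+++ b/trunk/Source/WTF/ChangeLog
@@ -1,3 +1,14 @@
+2016-09-20  Brent Fulgham  <bfulgham@apple.com>
+
+        Correct uses of 'safeCast'
+        https://bugs.webkit.org/show_bug.cgi?id=162301
+        <rdar://problem/28343658>
+
+        Reviewed by Antti Koivisto.
+
+        * wtf/StdLibExtras.h:
+        (WTF::safeCast): RELEASE_ASSERT on overflow.
+
 2016-09-21  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r206222 and r206227.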
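--- a/trunk/Source/WTF/wtf/StdLibExtras.h
+++ b/trunk/Source/WTF/wtf/StdLibExtras.h
@@ -159,7 +159,7 @@
 template<typename ToType, typename FromType>
 inline ToType safeCast(FromType value)
 {
-    ASSERT(isInBounds<ToType>(value));
+    RELEASE_ASSERT(isInBounds<ToType>(value));
     return static_cast<ToType>(value);
 }
 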
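Review bot: safeCast now terminates release builds when value is not representable in ToType, but nothing at the definition says so, and a reader who only knows the name may still treat it as a soft, debug-only check. Since this turns every remaining caller that feeds it an attacker-influenced size into a deterministic crash rather than a truncation, a one-line contract above the template would help: `// Crashes (RELEASE_ASSERT) when value is out of range for ToType; use Checked<> or test isInBounds<ToType>() first when the input is untrusted and a crash is not acceptable.` isInBounds is defined outside this hunk, so its exact range semantics are not visible here.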
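--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,3 +1,30 @@
+2016-09-20  Brent Fulgham  <bfulgham@apple.com>
+
+        Correct uses of 'safeCast'
+        https://bugs.webkit.org/show_bug.cgi?id=162301
+        <rdar://problem/28343658>
+
+        Reviewed by Antti Koivisto.
+
+        A number of integer calculations in BitmapImage and PDFDocumentImage
+        are not properly checked for overflow. Correct this.
+
+        Tested by fast/images/large-size-image-crash.html
+
+        * loader/cache/MemoryCache.cpp:
+        (WebCore::MemoryCache::adjustSize): RELEASE_ASSERT on overflow.
+        * platform/graphics/BitmapImage.cpp:
+        (WebCore::BitmapImage::destroyMetadataAndNotify):
+        (WebCore::BitmapImage::cacheFrame):
+        (WebCore::BitmapImage::didDecodeProperties):
+        (WebCore::BitmapImage::dataChanged):
+        (WebCore::BitmapImage::ensureFrameAtIndexIsCached):
+        (WebCore::BitmapImage::frameImageAtIndex):
+        * platform/graphics/BitmapImage.h:
+        * platform/graphics/cg/PDFDocumentImage.cpp:
+        (WebCore::PDFDocumentImage::decodedSizeChanged):
+        (WebCore::PDFDocumentImage::updateCachedImageIfNeeded):
+
 2016-09-21  Chris Dumez  <cdumez@apple.com>
 
         Setting HTMLMeterElement's attributes to non-finite values throws wrong exception type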
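--- a/trunk/Source/WebCore/loader/cache/MemoryCache.cpp
+++ b/trunk/Source/WebCore/loader/cache/MemoryCache.cpp
@@ -644,10 +644,10 @@
 void MemoryCache::adjustSize(bool live, int delta)
 {
     if (live) {
-        ASSERT(delta >= 0 || ((int)m_liveSize + delta >= 0));
+        RELEASE_ASSERT(delta >= 0 || ((int)m_liveSize + delta >= 0));
         m_liveSize += delta;
     } else {
-        ASSERT(delta >= 0 || ((int)m_deadSize + delta >= 0));
+        RELEASE_ASSERT(delta >= 0 || ((int)m_deadSize + delta >= 0));
         m_deadSize += delta;
     }
 }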
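Review bot: The RELEASE_ASSERT in adjustSize keeps the old `(int)m_liveSize + delta` expression, so the now release-mode check inherits its weaknesses: the cast truncates m_liveSize to int (a spurious abort once the cache passes INT_MAX bytes, if m_liveSize is a wider unsigned type as the cast suggests), and the addition is signed arithmetic that can itself overflow before the comparison. The `delta >= 0` disjunct short-circuits the assertion, so the positive direction `m_liveSize += delta` is never checked for wrap-around at all. Because this commit already adopts WTF::safeAdd/safeSub in BitmapImage.cpp, the same helpers would cover both directions here; that needs `#include <wtf/CheckedArithmetic.h>` in this file, whose include block is outside the hunk, and the sketch below assumes m_liveSize and m_deadSize share one unsigned type.
```cpp
void MemoryCache::adjustSize(bool live, int delta)
{
    // Negate in 64-bit so INT_MIN cannot overflow; the magnitude then always fits an unsigned.
    unsigned magnitude = static_cast<unsigned>(delta < 0 ? -static_cast<long long>(delta) : static_cast<long long>(delta));
    auto& size = live ? m_liveSize : m_deadSize;
    bool ok = delta < 0 ? WTF::safeSub(size, magnitude, size) : WTF::safeAdd(size, magnitude, size);
    if (!ok)
        CRASH_WITH_SECURITY_IMPLICATION();
}
```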
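--- a/trunk/Source/WebCore/platform/graphics/BitmapImage.cpp
+++ b/trunk/Source/WebCore/platform/graphics/BitmapImage.cpp
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006 Samuel Weinig (sam.weinig@gmail.com)
- * Copyright (C) 2004, 2005, 2006, 2008, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2006, 2008, 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -36,6 +36,7 @@
 #include "MIMETypeRegistry.h"
 #include "TextStream.h"
 #include "Timer.h"
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/CurrentTime.h>
 #include <wtf/Vector.h>
 #include <wtf/text/WTFString.h>
@@ -142,17 +143,20 @@
     m_solidColor = Nullopt;
     invalidatePlatformData();
 
-    ASSERT(m_decodedSize >= frameBytesCleared);
-    m_decodedSize -= frameBytesCleared;
+    if (!WTF::safeSub(m_decodedSize, frameBytesCleared, m_decodedSize))
+        CRASH_WITH_SECURITY_IMPLICATION();
 
     // Clearing the ImageSource destroys the extra decoded data used for determining image properties.
+    long long adjustedFrameBytesCleared = frameBytesCleared;
     if (clearedSource == ClearedSource::Yes) {
-        frameBytesCleared += m_decodedPropertiesSize;
+        adjustedFrameBytesCleared += m_decodedPropertiesSize;
         m_decodedPropertiesSize = 0;
     }
 
-    if (frameBytesCleared && imageObserver())
-        imageObserver()->decodedSizeChanged(this, -safeCast<int>(frameBytesCleared));
+    if (adjustedFrameBytesCleared && imageObserver()) {
+        Checked<int> checkedDelta = adjustedFrameBytesCleared;
+        imageObserver()->decodedSizeChanged(this, -checkedDelta.unsafeGet());
+    }
 }
 
 void BitmapImage::cacheFrame(size_t index, SubsamplingLevel subsamplingLevel, ImageFrame::Caching caching)
@@ -172,14 +176,26 @@
     LOG(Images, "BitmapImage %p cacheFrame %lu (%s%u bytes, complete %d)", this, index, caching == ImageFrame::Caching::Metadata ? "metadata only, " : "", m_frames[index].frameBytes(), m_frames[index].isComplete());
 
     if (m_frames[index].hasNativeImage()) {
-        int deltaBytes = safeCast<int>(m_frames[index].frameBytes());
-        m_decodedSize += deltaBytes;
+        if (!WTF::safeAdd(m_decodedSize, m_frames[index].frameBytes(), m_decodedSize)) {
+            LOG(Images, "BitmapImage %p cacheFrame m_decodedSize overflowed unsigned.", this);
+            destroyDecodedData(false);
+            return;
+        }
+
         // The fully-decoded frame will subsume the partially decoded data used
         // to determine image properties.
-        deltaBytes -= m_decodedPropertiesSize;
+        long long deltaBytes = m_frames[index].frameBytes() - m_decodedPropertiesSize;
         m_decodedPropertiesSize = 0;
+
+        Checked<int, RecordOverflow> checkedDeltaBytes = deltaBytes;
+        if (checkedDeltaBytes.hasOverflowed()) {
+            LOG(Images, "BitmapImage %p cacheFrame deltaBytes=%lld overflowed integer.", this, deltaBytes);
+            destroyDecodedData(false);
+            return;
+        }
+
         if (imageObserver())
-            imageObserver()->decodedSizeChanged(this, deltaBytes);
+            imageObserver()->decodedSizeChanged(this, checkedDeltaBytes.unsafeGet());
     }
 }
 
@@ -192,7 +208,7 @@
     if (m_decodedPropertiesSize == updatedSize)
         return;
 
-    int deltaBytes = updatedSize - m_decodedPropertiesSize;
+    long long deltaBytes = updatedSize - m_decodedPropertiesSize;
 #if !ASSERT_DISABLED
     bool overflow = updatedSize > m_decodedPropertiesSize && deltaBytes < 0;
     bool underflow = updatedSize < m_decodedPropertiesSize && deltaBytes > 0;
@@ -199,8 +215,10 @@
     ASSERT(!overflow && !underflow);
 #endif
     m_decodedPropertiesSize = updatedSize;
-    if (imageObserver())
-        imageObserver()->decodedSizeChanged(this, deltaBytes);
+    if (imageObserver()) {
+        Checked<int> checkedDeltaBytes = deltaBytes;
+        imageObserver()->decodedSizeChanged(this, checkedDeltaBytes.unsafeGet());
+    }
 }
 
 void BitmapImage::updateSize() const
@@ -256,7 +274,7 @@
     // start of the frame data), and any or none of them might be the particular
     // frame affected by appending new data here. Thus we have to clear all the
     // incomplete frames to be safe.
-    unsigned frameBytesCleared = 0;
+    Checked<unsigned> frameBytesCleared = 0;
     for (auto& frame : m_frames) {
         // NOTE: Don't call frameIsCompleteAtIndex() here, that will try to
         // decode any uncached (i.e. never-decoded or
@@ -264,10 +282,10 @@
         if (frame.hasMetadata() && !frame.isComplete())
             frameBytesCleared += frame.clear();
     }
-    destroyMetadataAndNotify(frameBytesCleared, ClearedSource::No);
+    destroyMetadataAndNotify(frameBytesCleared.unsafeGet(), ClearedSource::No);
 #else
     // FIXME: why is this different for iOS?
-    int deltaBytes = 0;
+    Checked<int> deltaBytes = 0;
     if (!m_frames.isEmpty()) {
         if (int bytes = m_frames[m_frames.size() - 1].clear()) {
             deltaBytes += bytes;
@@ -275,7 +293,7 @@
             m_decodedPropertiesSize = 0;
         }
     }
-    destroyMetadataAndNotify(deltaBytes, ClearedSource::No);
+    destroyMetadataAndNotify(deltaBytes.unsafeGet(), ClearedSource::No);
 #endif
     
     // Feed all the data we've seen so far to the image decoder.
@@ -356,11 +374,24 @@
         LOG(Images, "  subsamplingLevel was %d, resampling", m_frames[index].subsamplingLevel());
 
         // If the image is already cached, but at too small a size, re-decode a larger version.
-        int sizeChange = -m_frames[index].clear();
+        unsigned sizeChange = m_frames[index].clear();
         invalidatePlatformData();
-        m_decodedSize += sizeChange;
+
+        if (WTF::safeSub(m_decodedSize, sizeChange, m_decodedSize)) {
+            LOG(Images, "BitmapImage %p frameImageAtIndex m_decodedSize overflowed unsigned.", this);
+            destroyDecodedData(false);
+            return nullptr;
+        }
+
+        Checked<int, RecordOverflow> checkedSizeChange = -sizeChange;
+        if (checkedSizeChange.hasOverflowed()) {
+            LOG(Images, "BitmapImage %p frameImageAtIndex sizeChange=%u overflowed integer.", this, -sizeChange);
+            destroyDecodedData(false);
+            return nullptr;
+        }
+
         if (imageObserver())
-            imageObserver()->decodedSizeChanged(this, checkedSizeChange.unsafeGet());
+            imageObserver()->decodedSizeChanged(this, checkedSizeChange.unsafeGet());
     }
 
     // If we haven't fetched a frame yet, do so.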
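Review bot: In frameImageAtIndex the new guard `if (WTF::safeSub(m_decodedSize, sizeChange, m_decodedSize))` is inverted relative to every other call in this commit (`!WTF::safeSub` in destroyMetadataAndNotify, `!WTF::safeAdd` in cacheFrame): if safeSub returns true on success, as those sites assume, every successful re-decode logs an overflow, discards the decoded data and returns nullptr, while an actual underflow falls through to the observer call. Two lines later `Checked<int, RecordOverflow> checkedSizeChange = -sizeChange;` negates an unsigned before the checked conversion, so any nonzero sizeChange becomes a value above INT_MAX and trips hasOverflowed(); the negation belongs after the conversion, and the `%u` argument `-sizeChange` wraps the same way. The `long long deltaBytes = m_frames[index].frameBytes() - m_decodedPropertiesSize;` lines in cacheFrame and didDecodeProperties likewise subtract in the operands' own (apparently unsigned, per the `%u` format) type before widening, so the long long only ever sees the wrapped result; cast each operand to long long first. frameImageAtIndex begins before and ends after the hunk.
```cpp
        // … unchanged: sizeChange = m_frames[index].clear(); invalidatePlatformData(); …
        if (!WTF::safeSub(m_decodedSize, sizeChange, m_decodedSize)) {
            // … unchanged: LOG, destroyDecodedData(false), return nullptr …
        }

        // Convert first, negate afterwards: -sizeChange on an unsigned wraps above INT_MAX.
        Checked<int, RecordOverflow> checkedSizeChange = sizeChange;
        if (checkedSizeChange.hasOverflowed()) {
            LOG(Images, "BitmapImage %p frameImageAtIndex sizeChange=%u overflowed integer.", this, sizeChange);
            // … unchanged: destroyDecodedData(false), return nullptr …
        }

        if (imageObserver())
            imageObserver()->decodedSizeChanged(this, -checkedSizeChange.unsafeGet());
```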
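--- a/trunk/Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
+++ b/trunk/Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2006, 2013 Apple Inc.  All rights reserved.
+ * Copyright (C) 2004-2016 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -38,10 +38,12 @@
 #include "ImageObserver.h"
 #include "IntRect.h"
 #include "Length.h"
+#include "Logging.h"
 #include "SharedBuffer.h"
 #include "TextStream.h"
 #include <CoreGraphics/CGContext.h>
 #include <CoreGraphics/CGPDFDocument.h>
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/MathExtras.h>
 #include <wtf/RAMSize.h>
 #include <wtf/RetainPtr.h>
@@ -181,14 +183,20 @@
     if (!m_cachedBytes && !newCachedBytes)
         return;
 
+    long long deltaBytes = m_cachedBytes - newCachedBytes;
+
+    Checked<int> checkedDeltaBytes = deltaBytes;
     if (imageObserver())
-        imageObserver()->decodedSizeChanged(this, -safeCast<int>(m_cachedBytes) + newCachedBytes);
+        imageObserver()->decodedSizeChanged(this, -checkedDeltaBytes.unsafeGet());
 
     ASSERT(s_allDecodedDataSize >= m_cachedBytes);
     // Update with the difference in two steps to avoid unsigned underflow subtraction.
-    s_allDecodedDataSize -= m_cachedBytes;
-    s_allDecodedDataSize += newCachedBytes;
+    if (!WTF::safeSub(s_allDecodedDataSize, m_cachedBytes, s_allDecodedDataSize))
+        CRASH_WITH_SECURITY_IMPLICATION();
 
+    if (!WTF::safeAdd(s_allDecodedDataSize, newCachedBytes, s_allDecodedDataSize))
+        CRASH_WITH_SECURITY_IMPLICATION();
+
     m_cachedBytes = newCachedBytes;
 }
 
@@ -235,10 +243,20 @@
     // Cache the PDF image only if the size of the new image won't exceed the cache threshold.
     if (m_pdfImageCachingPolicy == PDFImageCachingBelowMemoryLimit) {
         IntSize scaledSize = ImageBuffer::compatibleBufferSize(cachedImageSize, context);
-        if (s_allDecodedDataSize + safeCast<size_t>(scaledSize.width()) * scaledSize.height() * 4 - m_cachedBytes > s_maxDecodedDataSize) {
+        Checked<size_t, RecordOverflow> scaledBytes = scaledSize.area() * 4;
+
+        if (scaledBytes.hasOverflowed()) {
+            LOG(Images, "PDFDocumentImage %p updateCachedImageIfNeeded scaledBytes overflowed size_t.", this);
             destroyDecodedData();
             return;
         }
+
+        Checked<size_t, RecordOverflow> potentialDecodedDataSize = s_allDecodedDataSize + scaledBytes - m_cachedBytes;
+        if (potentialDecodedDataSize.hasOverflowed() || potentialDecodedDataSize.unsafeGet() > s_maxDecodedDataSize) {
+            LOG(Images, "PDFDocumentImage %p updateCachedImageIfNeeded potentialDecodedDataSize overflowed size_t.", this);
+            destroyDecodedData();
+            return;
+        }
     }
 
     m_cachedImageBuffer = ImageBuffer::createCompatibleBuffer(cachedImageSize, context);
@@ -259,7 +277,14 @@
     m_cachedSourceRect = srcRect;
 
     IntSize internalSize = m_cachedImageBuffer->internalSize();
-    decodedSizeChanged(safeCast<size_t>(internalSize.width()) * internalSize.height() * 4);
+    Checked<size_t, RecordOverflow> scaledBytes = internalSize.area() * 4;
+    if (scaledBytes.hasOverflowed()) {
+        LOG(Images, "PDFDocumentImage %p updateCachedImageIfNeeded scaledBytes overflowed size_t.", this);
+        destroyDecodedData();
+        return;
+    }
+
+    decodedSizeChanged(scaledBytes.unsafeGet());
 }
 
 void PDFDocumentImage::draw(GraphicsContext& context, const FloatRect& dstRect, const FloatRect& srcRect, CompositeOperator op, BlendMode, ImageOrientationDescription)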
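Review bot: `long long deltaBytes = m_cachedBytes - newCachedBytes;` in decodedSizeChanged subtracts in the operands' own type before widening; the comment a few lines down ("avoid unsigned underflow subtraction") and the safeSub/safeAdd calls on the same values indicate they are unsigned, so whenever the cache grows (newCachedBytes > m_cachedBytes) the difference wraps first and only then lands in the long long. With a 64-bit size_t the wrapped value happens to convert back to the intended negative number, but with a 32-bit size_t it becomes a large positive count and `Checked<int> checkedDeltaBytes` then aborts on every cache growth, observer or not. Widen each operand before subtracting: `long long deltaBytes = static_cast<long long>(m_cachedBytes) - static_cast<long long>(newCachedBytes);`. Separately, the LOG text at the potentialDecodedDataSize check reports "overflowed size_t" on the common branch where the total merely exceeds s_maxDecodedDataSize, which will mislead anyone reading Images logs; `"PDFDocumentImage %p updateCachedImageIfNeeded potentialDecodedDataSize overflowed size_t or exceeds s_maxDecodedDataSize."` describes both cases.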