<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[207953] branches/safari-602-branch/Source</title>
</head>
<body>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/207953">207953</a></dd>
<dt>Author</dt> <dd>matthew_hanson@apple.com</dd>
<dt>Date</dt> <dd>2016-10-27 00:34:21 -0700 (Thu, 27 Oct 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/207708">r207708</a>. rdar://problem/28962914</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari602branchSourceWebCoreChangeLog">branches/safari-602-branch/Source/WebCore/ChangeLog</a></li>
<li><a href="#branchessafari602branchSourceWebCorehtmlHTMLPlugInImageElementcpp">branches/safari-602-branch/Source/WebCore/html/HTMLPlugInImageElement.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebCorehtmlImageDatacpp">branches/safari-602-branch/Source/WebCore/html/ImageData.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebCorehtmlMediaElementSessioncpp">branches/safari-602-branch/Source/WebCore/html/MediaElementSession.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebCoreplatformgraphicsBitmapImagecpp">branches/safari-602-branch/Source/WebCore/platform/graphics/BitmapImage.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebCoreplatformgraphicsImageSourcecpp">branches/safari-602-branch/Source/WebCore/platform/graphics/ImageSource.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebCoreplatformgraphicsIntRecth">branches/safari-602-branch/Source/WebCore/platform/graphics/IntRect.h</a></li>
<li><a href="#branchessafari602branchSourceWebCoreplatformgraphicsIntSizeh">branches/safari-602-branch/Source/WebCore/platform/graphics/IntSize.h</a></li>
<li><a href="#branchessafari602branchSourceWebCoreplatformgraphicscaLayerPoolcpp">branches/safari-602-branch/Source/WebCore/platform/graphics/ca/LayerPool.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebCoreplatformgraphicscgImageDecoderCGcpp">branches/safari-602-branch/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebCoreplatformgraphicsfiltersFEGaussianBlurcpp">branches/safari-602-branch/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebCoreplatformgraphicsfiltersFilterEffectcpp">branches/safari-602-branch/Source/WebCore/platform/graphics/filters/FilterEffect.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebCoreplatformimagedecodersImageDecodercpp">branches/safari-602-branch/Source/WebCore/platform/image-decoders/ImageDecoder.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebCoreplatformiosLegacyTileLayerPoolmm">branches/safari-602-branch/Source/WebCore/platform/ios/LegacyTileLayerPool.mm</a></li>
<li><a href="#branchessafari602branchSourceWebCorerenderingRenderLayerCompositorcpp">branches/safari-602-branch/Source/WebCore/rendering/RenderLayerCompositor.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebCorerenderingshapesShapecpp">branches/safari-602-branch/Source/WebCore/rendering/shapes/Shape.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebKit2ChangeLog">branches/safari-602-branch/Source/WebKit2/ChangeLog</a></li>
<li><a href="#branchessafari602branchSourceWebKit2SharedShareableBitmapcpp">branches/safari-602-branch/Source/WebKit2/Shared/ShareableBitmap.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebKit2SharedShareableBitmaph">branches/safari-602-branch/Source/WebKit2/Shared/ShareableBitmap.h</a></li>
<li><a href="#branchessafari602branchSourceWebKit2SharedcairoShareableBitmapCairocpp">branches/safari-602-branch/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp</a></li>
<li><a href="#branchessafari602branchSourceWebKit2UIProcessAPICocoaWKWebViewmm">branches/safari-602-branch/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari602branchSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/ChangeLog (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/ChangeLog        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/ChangeLog        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -1,3 +1,103 @@
</span><ins>+2016-10-26 David Kilzer <ddkilzer@apple.com>
+
+ Merge r207708. rdar://problem/28962914
+
+ * platform/graphics/BitmapImage.cpp:
+ (WebCore::BitmapImage::BitmapImage):
+ * platform/graphics/ImageSource.cpp:
+ (WebCore::ImageSource::frameBytesAtIndex):
+ - Add calls to unsafeGet() that don't exist in trunk.
+
+ 2016-10-21 David Kilzer <ddkilzer@apple.com>
+
+ Bug 163762: IntSize::area() should used checked arithmetic
+ <https://webkit.org/b/163762>
+
+ Reviewed by Darin Adler.
+
+ No new tests since no change in nominal behavior.
+
+ * platform/graphics/IntSize.h:
+ (WebCore::IntSize::area): Change to return a
+ Checked<unsigned, T> value. Use WTF:: namespace to avoid
+ including another header.
+
+ * platform/graphics/IntRect.h:
+ (WebCore::IntRect::area): Ditto.
+
+ The remaining changes are to use the Checked<unsigned> return
+ value of IntSize::area() and IntRect::area() correctly in
+ context, in addition to items noted below.
+
+ * html/HTMLPlugInImageElement.cpp:
+ (WebCore::HTMLPlugInImageElement::isTopLevelFullPagePlugin):
+ Declare contentWidth and contentHeight as float values to
+ prevent overflow when computing the area, and to make the
+ inequality comparison in the return statement uses the same type
+ for both sides.
+ * html/ImageData.cpp:
+ (WebCore::ImageData::ImageData):
+ * html/MediaElementSession.cpp:
+ (WebCore::isElementRectMostlyInMainFrame):
+ * platform/graphics/ImageBackingStore.h:
+ (WebCore::ImageBackingStore::setSize): Restructure logic to
+ compute area only once.
+ (WebCore::ImageBackingStore::clear):
+ * platform/graphics/ImageFrame.h:
+ (WebCore::ImageFrame::frameBytes):
+ * platform/graphics/ImageSource.cpp:
+ (WebCore::ImageSource::maximumSubsamplingLevel):
+ * platform/graphics/ca/LayerPool.cpp:
+ (WebCore::LayerPool::backingStoreBytesForSize):
+ * platform/graphics/cg/ImageDecoderCG.cpp:
+ (WebCore::ImageDecoder::frameBytesAtIndex):
+ * platform/graphics/filters/FEGaussianBlur.cpp:
+ (WebCore::FEGaussianBlur::platformApplySoftware):
+ * platform/graphics/filters/FilterEffect.cpp:
+ (WebCore::FilterEffect::asUnmultipliedImage):
+ (WebCore::FilterEffect::asPremultipliedImage):
+ (WebCore::FilterEffect::copyUnmultipliedImage):
+ (WebCore::FilterEffect::copyPremultipliedImage):
+ (WebCore::FilterEffect::createUnmultipliedImageResult):
+ (WebCore::FilterEffect::createPremultipliedImageResult):
+ * platform/graphics/win/ImageBufferDataDirect2D.cpp:
+ (WebCore::ImageBufferData::getData): Update overflow check,
+ rename local variable to numBytes, and compute numBytes once.
+ * platform/graphics/win/ImageDecoderDirect2D.cpp:
+ (WebCore::ImageDecoder::frameBytesAtIndex):
+ * platform/image-decoders/ImageDecoder.cpp:
+ (WebCore::ImageDecoder::frameBytesAtIndex):
+ * platform/ios/LegacyTileLayerPool.mm:
+ (WebCore::LegacyTileLayerPool::bytesBackingLayerWithPixelSize):
+ * rendering/RenderLayerCompositor.cpp:
+ (WebCore::RenderLayerCompositor::requiresCompositingForCanvas):
+ * rendering/shapes/Shape.cpp:
+ (WebCore::Shape::createRasterShape):
+
+2016-10-26 David Kilzer <ddkilzer@apple.com>
+
+ Merge r207560. rdar://problem/28962914
+
+ 2016-10-19 David Kilzer <ddkilzer@apple.com>
+
+ Bug 163670: Refine assertions in WebCore::ImageData constructors
+ <https://webkit.org/b/163670>
+ <rdar://problem/27497338>
+
+ Reviewed by Brent Fulgham.
+
+ No new tests because there is no change in nominal behavior.
+
+ * html/ImageData.cpp:
+ (WebCore::ImageData::ImageData(const IntSize&)): Change to use
+ ASSERT() since the worst-case scenario here is a nullptr deref.
+ Switch to IntSize::area() to compute the area.
+ (WebCore::ImageData::ImageData(const IntSize&, Ref<Uint8ClampedArray>&&)):
+ Add ASSERT() identical to the previous constructor, and change
+ ASSERT_WITH_SECURITY_IMPLICATION() to only fire when m_data is
+ not nullptr and the length check fails. Switch to
+ IntSize::area() to compute the area.
+
</ins><span class="cx"> 2016-10-26 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><span class="cx"> Merge r207523. rdar://problem/28718748
</span></span></pre></div>
<a id="branchessafari602branchSourceWebCorehtmlHTMLPlugInImageElementcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/html/HTMLPlugInImageElement.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/html/HTMLPlugInImageElement.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/html/HTMLPlugInImageElement.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -587,9 +587,9 @@
</span><span class="cx"> auto& style = renderer.style();
</span><span class="cx"> IntSize visibleSize = frame.view()->visibleSize();
</span><span class="cx"> LayoutRect contentRect = renderer.contentBoxRect();
</span><del>- int contentWidth = contentRect.width();
- int contentHeight = contentRect.height();
- return is100Percent(style.width()) && is100Percent(style.height()) && contentWidth * contentHeight > visibleSize.area() * sizingFullPageAreaRatioThreshold;
</del><ins>+ float contentWidth = contentRect.width();
+ float contentHeight = contentRect.height();
+ return is100Percent(style.width()) && is100Percent(style.height()) && contentWidth * contentHeight > visibleSize.area().unsafeGet() * sizingFullPageAreaRatioThreshold;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void HTMLPlugInImageElement::checkSnapshotStatus()
</span></span></pre></div>
<a id="branchessafari602branchSourceWebCorehtmlImageDatacpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/html/ImageData.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/html/ImageData.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/html/ImageData.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -113,9 +113,9 @@
</span><span class="cx">
</span><span class="cx"> ImageData::ImageData(const IntSize& size)
</span><span class="cx"> : m_size(size)
</span><del>- , m_data(Uint8ClampedArray::createUninitialized(size.width() * size.height() * 4))
</del><ins>+ , m_data(Uint8ClampedArray::createUninitialized((size.area() * 4).unsafeGet()))
</ins><span class="cx"> {
</span><del>- ASSERT_WITH_SECURITY_IMPLICATION(m_data);
</del><ins>+ ASSERT(m_data);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> ImageData::ImageData(const IntSize& size, Ref<Uint8ClampedArray>&& byteArray)
</span><span class="lines">@@ -122,7 +122,8 @@
</span><span class="cx"> : m_size(size)
</span><span class="cx"> , m_data(WTFMove(byteArray))
</span><span class="cx"> {
</span><del>- ASSERT_WITH_SECURITY_IMPLICATION(static_cast<unsigned>(size.width() * size.height() * 4) <= m_data->length());
</del><ins>+ ASSERT(m_data);
+ ASSERT_WITH_SECURITY_IMPLICATION(!m_data || (size.area() * 4).unsafeGet() <= m_data->length());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
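Review bot: Both constructors now rely on assertions that are normally compiled out of release builds, so the length invariant in the second constructor (`(size.area() * 4).unsafeGet() <= m_data->length()`) is only enforced where assertions are enabled. If any caller can pass a byte array that was not allocated for a matching size, a release-build check is needed at the call site or here; the callers are not visible in this section, so this needs confirming. A short comment above `ASSERT(m_data);` in the first constructor would also record the reasoning given in the ChangeLog, e.g. `// createUninitialized() can fail for large sizes; a null m_data is a nullptr deref at worst, so a plain ASSERT is enough.`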
<a id="branchessafari602branchSourceWebCorehtmlMediaElementSessioncpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/html/MediaElementSession.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/html/MediaElementSession.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/html/MediaElementSession.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -657,7 +657,7 @@
</span><span class="cx">
</span><span class="cx"> IntRect mainFrameRectAdjustedForScrollPosition = IntRect(-mainFrameView->documentScrollPositionRelativeToViewOrigin(), mainFrameView->contentsSize());
</span><span class="cx"> IntRect elementRectInMainFrame = element.clientRect();
</span><del>- unsigned int totalElementArea = elementRectInMainFrame.area();
</del><ins>+ unsigned totalElementArea = elementRectInMainFrame.area();
</ins><span class="cx"> elementRectInMainFrame.intersect(mainFrameRectAdjustedForScrollPosition);
</span><span class="cx">
</span><span class="cx"> return elementRectInMainFrame.area() > totalElementArea / 2;
</span></span></pre></div>
<a id="branchessafari602branchSourceWebCoreplatformgraphicsBitmapImagecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/platform/graphics/BitmapImage.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/platform/graphics/BitmapImage.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/platform/graphics/BitmapImage.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -71,7 +71,7 @@
</span><span class="cx"> // Since we don't have a decoder, we can't figure out the image orientation.
</span><span class="cx"> // Set m_sizeRespectingOrientation to be the same as m_size so it's not 0x0.
</span><span class="cx"> m_sizeRespectingOrientation = m_size = NativeImage::size(image);
</span><del>- m_decodedSize = m_size.area() * 4;
</del><ins>+ m_decodedSize = (m_size.area() * 4).unsafeGet();
</ins><span class="cx">
</span><span class="cx"> m_frames.grow(1);
</span><span class="cx"> m_frames[0].m_hasAlpha = NativeImage::hasAlpha(image);
</span></span></pre></div>
<a id="branchessafari602branchSourceWebCoreplatformgraphicsImageSourcecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/platform/graphics/ImageSource.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/platform/graphics/ImageSource.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/platform/graphics/ImageSource.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -206,7 +206,7 @@
</span><span class="cx">
</span><span class="cx"> unsigned ImageSource::frameBytesAtIndex(size_t index, SubsamplingLevel subsamplingLevel) const
</span><span class="cx"> {
</span><del>- return frameSizeAtIndex(index, subsamplingLevel).area() * 4;
</del><ins>+ return (frameSizeAtIndex(index, subsamplingLevel).area() * 4).unsafeGet();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> float ImageSource::frameDurationAtIndex(size_t index)
</span></span></pre></div>
<a id="branchessafari602branchSourceWebCoreplatformgraphicsIntRecth"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/platform/graphics/IntRect.h (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/platform/graphics/IntRect.h        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/platform/graphics/IntRect.h        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -86,7 +86,7 @@
</span><span class="cx"> int width() const { return m_size.width(); }
</span><span class="cx"> int height() const { return m_size.height(); }
</span><span class="cx">
</span><del>- unsigned area() const { return m_size.area(); }
</del><ins>+ unsigned area() const { return m_size.area().unsafeGet(); }
</ins><span class="cx">
</span><span class="cx"> void setX(int x) { m_location.setX(x); }
</span><span class="cx"> void setY(int y) { m_location.setY(y); }
</span></span></pre></div>
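Review bot: `IntRect::area()` unwraps the checked value immediately and still returns plain `unsigned`, so the checking stops at this accessor even though the ChangeLog entry describes it as changed in the same way as `IntSize::area()`. Any caller that scales the result afterwards, such as `(imageRect.area() * 4) == pixelArrayLength` in Shape.cpp (if `imageRect` is an `IntRect`; its declaration is outside that hunk), multiplies unchecked and can wrap silently. Callers also cannot choose an overflow policy through this accessor. Consider mirroring the IntSize signature: `template <typename T = WTF::CrashOnOverflow> Checked<unsigned, T> area() const { return m_size.area<T>(); }`.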
<a id="branchessafari602branchSourceWebCoreplatformgraphicsIntSizeh"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/platform/graphics/IntSize.h (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/platform/graphics/IntSize.h        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/platform/graphics/IntSize.h        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -125,9 +125,10 @@
</span><span class="cx">
</span><span class="cx"> IntSize constrainedBetween(const IntSize& min, const IntSize& max) const;
</span><span class="cx">
</span><del>- unsigned area() const
</del><ins>+ template <typename T = WTF::CrashOnOverflow>
+ Checked<unsigned, T> area() const
</ins><span class="cx"> {
</span><del>- return abs(m_width) * abs(m_height);
</del><ins>+ return Checked<unsigned, T>(abs(m_width)) * abs(m_height);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> int diagonalLengthSquared() const
</span></span></pre></div>
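Review bot: The checked multiplication starts only after `abs()` has run on plain `int`, so a width or height of `INT_MIN` is still undefined behaviour before `Checked` sees the value. `width()` is declared as returning `int` in IntRect.h, so the members are presumably `int`; if such values can reach an `IntSize`, widen before taking the magnitude or reject them explicitly. The new default policy also deserves a comment on the declaration, for example `// Crashes on overflow by default; use area<WTF::RecordOverflow>() and check hasOverflowed() to handle it.`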
<a id="branchessafari602branchSourceWebCoreplatformgraphicscaLayerPoolcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/platform/graphics/ca/LayerPool.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/platform/graphics/ca/LayerPool.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/platform/graphics/ca/LayerPool.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -56,7 +56,7 @@
</span><span class="cx">
</span><span class="cx"> unsigned LayerPool::backingStoreBytesForSize(const IntSize& size)
</span><span class="cx"> {
</span><del>- return size.width() * size.height() * 4;
</del><ins>+ return (size.area() * 4).unsafeGet();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> LayerPool::LayerList& LayerPool::listOfLayersWithSize(const IntSize& size, AccessType accessType)
</span></span></pre></div>
<a id="branchessafari602branchSourceWebCoreplatformgraphicscgImageDecoderCGcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -335,7 +335,7 @@
</span><span class="cx"> unsigned ImageDecoder::frameBytesAtIndex(size_t index, SubsamplingLevel subsamplingLevel) const
</span><span class="cx"> {
</span><span class="cx"> IntSize frameSize = frameSizeAtIndex(index, subsamplingLevel);
</span><del>- return frameSize.area() * 4;
</del><ins>+ return (frameSize.area() * 4).unsafeGet();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> NativeImagePtr ImageDecoder::createFrameImageAtIndex(size_t index, SubsamplingLevel subsamplingLevel) const
</span></span></pre></div>
<a id="branchessafari602branchSourceWebCoreplatformgraphicsfiltersFEGaussianBlurcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -539,7 +539,7 @@
</span><span class="cx">
</span><span class="cx"> IntSize paintSize = absolutePaintRect().size();
</span><span class="cx"> paintSize.scale(filter().filterScale());
</span><del>- RefPtr<Uint8ClampedArray> tmpImageData = Uint8ClampedArray::createUninitialized(paintSize.width() * paintSize.height() * 4);
</del><ins>+ RefPtr<Uint8ClampedArray> tmpImageData = Uint8ClampedArray::createUninitialized((paintSize.area() * 4).unsafeGet());
</ins><span class="cx"> if (!tmpImageData) {
</span><span class="cx"> WTFLogAlways("FEGaussianBlur::platformApplySoftware Unable to create buffer. Requested size was %d x %d\n", paintSize.width(), paintSize.height());
</span><span class="cx"> return;
</span></span></pre></div>
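Review bot: An overflowing `paintSize` now crashes in `paintSize.area() * 4` (default `CrashOnOverflow`) before it can reach the `if (!tmpImageData)` branch that already logs and returns on allocation failure. Unlike the FilterEffect.cpp hunks, no `sizeNeedsClamping` assertion is visible here, and the size is scaled by `filterScale()` just before the allocation. If a crash is not the intended outcome on this path, record the overflow and reuse the existing bail-out: `auto byteCount = paintSize.area<RecordOverflow>() * 4;` followed by `if (byteCount.hasOverflowed()) return;`. The same applies to the `copyUnmultipliedImage` and `copyPremultipliedImage` hunks in FilterEffect.cpp, which have the same log-and-return branch. The enclosing function starts and ends outside this hunk.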
<a id="branchessafari602branchSourceWebCoreplatformgraphicsfiltersFilterEffectcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/platform/graphics/filters/FilterEffect.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/platform/graphics/filters/FilterEffect.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/platform/graphics/filters/FilterEffect.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -237,7 +237,7 @@
</span><span class="cx"> IntSize scaledSize(rect.size());
</span><span class="cx"> ASSERT(!ImageBuffer::sizeNeedsClamping(scaledSize));
</span><span class="cx"> scaledSize.scale(m_filter.filterScale());
</span><del>- auto imageData = Uint8ClampedArray::createUninitialized(scaledSize.width() * scaledSize.height() * 4);
</del><ins>+ auto imageData = Uint8ClampedArray::createUninitialized((scaledSize.area() * 4).unsafeGet());
</ins><span class="cx"> copyUnmultipliedImage(imageData.get(), rect);
</span><span class="cx"> return WTFMove(imageData);
</span><span class="cx"> }
</span><span class="lines">@@ -247,7 +247,7 @@
</span><span class="cx"> IntSize scaledSize(rect.size());
</span><span class="cx"> ASSERT(!ImageBuffer::sizeNeedsClamping(scaledSize));
</span><span class="cx"> scaledSize.scale(m_filter.filterScale());
</span><del>- auto imageData = Uint8ClampedArray::createUninitialized(scaledSize.width() * scaledSize.height() * 4);
</del><ins>+ auto imageData = Uint8ClampedArray::createUninitialized((scaledSize.area() * 4).unsafeGet());
</ins><span class="cx"> copyPremultipliedImage(imageData.get(), rect);
</span><span class="cx"> return WTFMove(imageData);
</span><span class="cx"> }
</span><span class="lines">@@ -316,7 +316,7 @@
</span><span class="cx"> IntSize inputSize(m_absolutePaintRect.size());
</span><span class="cx"> ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize));
</span><span class="cx"> inputSize.scale(m_filter.filterScale());
</span><del>- m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized(inputSize.width() * inputSize.height() * 4);
</del><ins>+ m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized((inputSize.area() * 4).unsafeGet());
</ins><span class="cx"> if (!m_unmultipliedImageResult) {
</span><span class="cx"> WTFLogAlways("FilterEffect::copyUnmultipliedImage Unable to create buffer. Requested size was %d x %d\n", inputSize.width(), inputSize.height());
</span><span class="cx"> return;
</span><span class="lines">@@ -323,7 +323,7 @@
</span><span class="cx"> }
</span><span class="cx"> unsigned char* sourceComponent = m_premultipliedImageResult->data();
</span><span class="cx"> unsigned char* destinationComponent = m_unmultipliedImageResult->data();
</span><del>- unsigned char* end = sourceComponent + (inputSize.width() * inputSize.height() * 4);
</del><ins>+ unsigned char* end = sourceComponent + (inputSize.area() * 4).unsafeGet();
</ins><span class="cx"> while (sourceComponent < end) {
</span><span class="cx"> int alpha = sourceComponent[3];
</span><span class="cx"> if (alpha) {
</span><span class="lines">@@ -356,7 +356,7 @@
</span><span class="cx"> IntSize inputSize(m_absolutePaintRect.size());
</span><span class="cx"> ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize));
</span><span class="cx"> inputSize.scale(m_filter.filterScale());
</span><del>- m_premultipliedImageResult = Uint8ClampedArray::createUninitialized(inputSize.width() * inputSize.height() * 4);
</del><ins>+ m_premultipliedImageResult = Uint8ClampedArray::createUninitialized((inputSize.area() * 4).unsafeGet());
</ins><span class="cx"> if (!m_premultipliedImageResult) {
</span><span class="cx"> WTFLogAlways("FilterEffect::copyPremultipliedImage Unable to create buffer. Requested size was %d x %d\n", inputSize.width(), inputSize.height());
</span><span class="cx"> return;
</span><span class="lines">@@ -363,7 +363,7 @@
</span><span class="cx"> }
</span><span class="cx"> unsigned char* sourceComponent = m_unmultipliedImageResult->data();
</span><span class="cx"> unsigned char* destinationComponent = m_premultipliedImageResult->data();
</span><del>- unsigned char* end = sourceComponent + (inputSize.width() * inputSize.height() * 4);
</del><ins>+ unsigned char* end = sourceComponent + (inputSize.area() * 4).unsafeGet();
</ins><span class="cx"> while (sourceComponent < end) {
</span><span class="cx"> int alpha = sourceComponent[3];
</span><span class="cx"> destinationComponent[0] = static_cast<int>(sourceComponent[0]) * alpha / 255;
</span><span class="lines">@@ -403,7 +403,7 @@
</span><span class="cx"> IntSize resultSize(m_absolutePaintRect.size());
</span><span class="cx"> ASSERT(!ImageBuffer::sizeNeedsClamping(resultSize));
</span><span class="cx"> resultSize.scale(m_filter.filterScale());
</span><del>- m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized(resultSize.width() * resultSize.height() * 4);
</del><ins>+ m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized((resultSize.area() * 4).unsafeGet());
</ins><span class="cx"> return m_unmultipliedImageResult.get();
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -417,7 +417,7 @@
</span><span class="cx"> IntSize resultSize(m_absolutePaintRect.size());
</span><span class="cx"> ASSERT(!ImageBuffer::sizeNeedsClamping(resultSize));
</span><span class="cx"> resultSize.scale(m_filter.filterScale());
</span><del>- m_premultipliedImageResult = Uint8ClampedArray::createUninitialized(resultSize.width() * resultSize.height() * 4);
</del><ins>+ m_premultipliedImageResult = Uint8ClampedArray::createUninitialized((resultSize.area() * 4).unsafeGet());
</ins><span class="cx"> return m_premultipliedImageResult.get();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
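Review bot: In the first two hunks, the result of `createUninitialized()` is handed to `copyUnmultipliedImage(imageData.get(), rect)` and `copyPremultipliedImage(imageData.get(), rect)` without a null check, although later hunks in this file test the same call for failure and log it. Whether the copy helpers tolerate a null destination is not visible here; if they do not, an early return on `!imageData` is needed. Separately, `(inputSize.area() * 4).unsafeGet()` is evaluated twice in each copy function, once for the allocation and once for `end`. Hoisting it into one local (`unsigned byteCount = (inputSize.area() * 4).unsafeGet();`) keeps the allocation size and the loop bound from drifting apart.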
<a id="branchessafari602branchSourceWebCoreplatformimagedecodersImageDecodercpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/platform/image-decoders/ImageDecoder.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/platform/image-decoders/ImageDecoder.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/platform/image-decoders/ImageDecoder.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -291,7 +291,7 @@
</span><span class="cx"> if (m_frameBufferCache.size() <= index)
</span><span class="cx"> return 0;
</span><span class="cx"> // FIXME: Use the dimension of the requested frame.
</span><del>- return m_size.area() * sizeof(ImageFrame::PixelData);
</del><ins>+ return (m_size.area() * sizeof(ImageFrame::PixelData)).unsafeGet();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> float ImageDecoder::frameDurationAtIndex(size_t index)
</span></span></pre></div>
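Review bot: Multiplying the checked area by `sizeof(ImageFrame::PixelData)` mixes `unsigned` with `size_t`, and if `Checked` widens the result to the larger operand type, the overflow check happens at `size_t` width on 64-bit targets. The value from `unsafeGet()` would then be narrowed silently if this function returns `unsigned`, as the CG variant of `frameBytesAtIndex` does; the signature is outside this hunk. Keeping the product in `Checked<unsigned>` avoids that, e.g. `return (m_size.area() * static_cast<unsigned>(sizeof(ImageFrame::PixelData))).unsafeGet();`.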
<a id="branchessafari602branchSourceWebCoreplatformiosLegacyTileLayerPoolmm"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/platform/ios/LegacyTileLayerPool.mm (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/platform/ios/LegacyTileLayerPool.mm        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/platform/ios/LegacyTileLayerPool.mm        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -55,7 +55,7 @@
</span><span class="cx">
</span><span class="cx"> unsigned LegacyTileLayerPool::bytesBackingLayerWithPixelSize(const IntSize& size)
</span><span class="cx"> {
</span><del>- return size.width() * size.height() * 4;
</del><ins>+ return (size.area() * 4).unsafeGet();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> LegacyTileLayerPool::LayerList& LegacyTileLayerPool::listOfLayersWithSize(const IntSize& size, AccessType accessType)
</span></span></pre></div>
<a id="branchessafari602branchSourceWebCorerenderingRenderLayerCompositorcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/rendering/RenderLayerCompositor.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/rendering/RenderLayerCompositor.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/rendering/RenderLayerCompositor.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -2544,7 +2544,7 @@
</span><span class="cx"> bool isCanvasLargeEnoughToForceCompositing = true;
</span><span class="cx"> #else
</span><span class="cx"> HTMLCanvasElement* canvas = downcast<HTMLCanvasElement>(renderer.element());
</span><del>- bool isCanvasLargeEnoughToForceCompositing = canvas->size().area() >= canvasAreaThresholdRequiringCompositing;
</del><ins>+ bool isCanvasLargeEnoughToForceCompositing = canvas->size().area().unsafeGet() >= canvasAreaThresholdRequiringCompositing;
</ins><span class="cx"> #endif
</span><span class="cx"> CanvasCompositingStrategy compositingStrategy = canvasCompositingStrategy(renderer);
</span><span class="cx"> return compositingStrategy == CanvasAsLayerContents || (compositingStrategy == CanvasPaintedToLayer && isCanvasLargeEnoughToForceCompositing);
</span></span></pre></div>
<a id="branchessafari602branchSourceWebCorerenderingshapesShapecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebCore/rendering/shapes/Shape.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebCore/rendering/shapes/Shape.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebCore/rendering/shapes/Shape.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -196,7 +196,7 @@
</span><span class="cx"> int minBufferY = std::max(0, marginRect.y() - imageRect.y());
</span><span class="cx"> int maxBufferY = std::min(imageRect.height(), marginRect.maxY() - imageRect.y());
</span><span class="cx">
</span><del>- if (static_cast<unsigned>(imageRect.width() * imageRect.height() * 4) == pixelArrayLength) {
</del><ins>+ if ((imageRect.area() * 4) == pixelArrayLength) {
</ins><span class="cx"> for (int y = minBufferY; y < maxBufferY; ++y) {
</span><span class="cx"> int startX = -1;
</span><span class="cx"> for (int x = 0; x < imageRect.width(); ++x, pixelArrayOffset += 4) {
</span></span></pre></div>
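Review bot: The test `if ((imageRect.area() * 4) == pixelArrayLength)` is the only check visible here that the pixel array matches the image rectangle before the loops below advance `pixelArrayOffset` by 4 per pixel. It now compares a checked value directly with a plain length, while the other call sites in this commit unwrap with `unsafeGet()`. How the comparison behaves when the multiplication overflows depends on the checked type's `operator==`, which this hunk does not show. A comment above the test such as `// Bounds check for the pixel walk below: byte length must equal the checked width * height * 4.` would record why it must stay. The enclosing function starts and ends outside the hunk.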
<a id="branchessafari602branchSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebKit2/ChangeLog (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebKit2/ChangeLog        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebKit2/ChangeLog        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -1,3 +1,29 @@
</span><ins>+2016-10-26 David Kilzer <ddkilzer@apple.com>
+
+ Merge r207708. rdar://problem/28962914
+
+ 2016-10-21 David Kilzer <ddkilzer@apple.com>
+
+ Bug 163762: IntSize::area() should used checked arithmetic
+ <https://webkit.org/b/163762>
+
+ Reviewed by Darin Adler.
+
+ * Shared/ShareableBitmap.cpp:
+ (WebKit::ShareableBitmap::create): Add overflow check and return
+ nullptr on overflow.
+ (WebKit::ShareableBitmap::createShareable): Ditto.
+ (WebKit::ShareableBitmap::create): Change debug assert for
+ adequate buffer size check into release check.
+ * Shared/ShareableBitmap.h:
+ (WebKit::ShareableBitmap::numBytesForSize): Change to return a
+ Checked<unsigned, RecordOverflow> value.
+ (WebKit::ShareableBitmap::sizeInBytes):
+ * Shared/cairo/ShareableBitmapCairo.cpp:
+ (WebKit::ShareableBitmap::numBytesForSize): Ditto.
+ * UIProcess/API/Cocoa/WKWebView.mm:
+ (-[WKWebView _takeViewSnapshot]): Call unsafeGet().
+
</ins><span class="cx"> 2016-10-26 Babak Shafiei <bshafiei@apple.com>
</span><span class="cx">
</span><span class="cx"> Merge r207171. rdar://problem/28857503
</span></span></pre></div>
<a id="branchessafari602branchSourceWebKit2SharedShareableBitmapcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebKit2/Shared/ShareableBitmap.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebKit2/Shared/ShareableBitmap.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebKit2/Shared/ShareableBitmap.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -66,10 +66,12 @@
</span><span class="cx">
</span><span class="cx"> RefPtr<ShareableBitmap> ShareableBitmap::create(const IntSize& size, Flags flags)
</span><span class="cx"> {
</span><del>- size_t numBytes = numBytesForSize(size);
-
</del><ins>+ auto numBytes = numBytesForSize(size);
+ if (numBytes.hasOverflowed())
+ return nullptr;
+
</ins><span class="cx"> void* data = 0;
</span><del>- if (!tryFastMalloc(numBytes).getValue(data))
</del><ins>+ if (!tryFastMalloc(numBytes.unsafeGet()).getValue(data))
</ins><span class="cx"> return nullptr;
</span><span class="cx">
</span><span class="cx"> return adoptRef(new ShareableBitmap(size, flags, data));
</span><span class="lines">@@ -77,9 +79,11 @@
</span><span class="cx">
</span><span class="cx"> RefPtr<ShareableBitmap> ShareableBitmap::createShareable(const IntSize& size, Flags flags)
</span><span class="cx"> {
</span><del>- size_t numBytes = numBytesForSize(size);
</del><ins>+ auto numBytes = numBytesForSize(size);
+ if (numBytes.hasOverflowed())
+ return nullptr;
</ins><span class="cx">
</span><del>- RefPtr<SharedMemory> sharedMemory = SharedMemory::allocate(numBytes);
</del><ins>+ RefPtr<SharedMemory> sharedMemory = SharedMemory::allocate(numBytes.unsafeGet());
</ins><span class="cx"> if (!sharedMemory)
</span><span class="cx"> return nullptr;
</span><span class="cx">
</span><span class="lines">@@ -90,9 +94,14 @@
</span><span class="cx"> {
</span><span class="cx"> ASSERT(sharedMemory);
</span><span class="cx">
</span><del>- size_t numBytes = numBytesForSize(size);
- ASSERT_UNUSED(numBytes, sharedMemory->size() >= numBytes);
-
</del><ins>+ auto numBytes = numBytesForSize(size);
+ if (numBytes.hasOverflowed())
+ return nullptr;
+ if (sharedMemory->size() < numBytes.unsafeGet()) {
+ ASSERT_NOT_REACHED();
+ return nullptr;
+ }
+
</ins><span class="cx"> return adoptRef(new ShareableBitmap(size, flags, sharedMemory));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
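Review bot: In the third hunk, `sharedMemory->size()` is now evaluated in release builds, but the null check above it is still the debug-only `ASSERT(sharedMemory);`. Before this change the only dereference in the hunk sat inside `ASSERT_UNUSED`, so the new check adds a release-build dereference that a null argument would reach. Adding `if (!sharedMemory) return nullptr;` ahead of the size comparison would close that. The `ASSERT_NOT_REACHED()` in the undersized branch also aborts debug builds on a condition the commit now handles in release. If the size and the memory can come from another process (not visible here), a plain `return nullptr;` may fit better. The function's signature lies outside the hunk.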
<a id="branchessafari602branchSourceWebKit2SharedShareableBitmaph"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebKit2/Shared/ShareableBitmap.h (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebKit2/Shared/ShareableBitmap.h        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebKit2/Shared/ShareableBitmap.h        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -125,9 +125,9 @@
</span><span class="cx"> ShareableBitmap(const WebCore::IntSize&, Flags, RefPtr<SharedMemory>);
</span><span class="cx">
</span><span class="cx"> #if USE(CAIRO)
</span><del>- static size_t numBytesForSize(const WebCore::IntSize&);
</del><ins>+ static Checked<unsigned, RecordOverflow> numBytesForSize(const WebCore::IntSize&);
</ins><span class="cx"> #else
</span><del>- static size_t numBytesForSize(const WebCore::IntSize& size) { return size.width() * size.height() * 4; }
</del><ins>+ static Checked<unsigned, RecordOverflow> numBytesForSize(const WebCore::IntSize& size) { return size.area<RecordOverflow>() * 4; }
</ins><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> #if USE(CG)
</span><span class="lines">@@ -141,7 +141,7 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> void* data() const;
</span><del>- size_t sizeInBytes() const { return numBytesForSize(m_size); }
</del><ins>+ size_t sizeInBytes() const { return numBytesForSize(m_size).unsafeGet(); }
</ins><span class="cx">
</span><span class="cx"> WebCore::IntSize m_size;
</span><span class="cx"> Flags m_flags;
</span></span></pre></div>
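Review bot: `sizeInBytes()` calls `numBytesForSize(m_size).unsafeGet()` on a `Checked<unsigned, RecordOverflow>` without testing `hasOverflowed()`, so for a size whose byte count overflows it would presumably return a wrapped value rather than fail. That is safe only while every path that sets `m_size` has passed the `hasOverflowed()` checks added to the `create` functions in ShareableBitmap.cpp. Other construction paths are not visible here. I would state the invariant at the accessor, for example with a comment `// m_size was validated in create(); the byte count cannot overflow here`, or with a debug assertion on `hasOverflowed()`. The class definition starts and ends outside these hunks.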
<a id="branchessafari602branchSourceWebKit2SharedcairoShareableBitmapCairocpp"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -40,9 +40,9 @@
</span><span class="cx">
</span><span class="cx"> static const cairo_format_t cairoFormat = CAIRO_FORMAT_ARGB32;
</span><span class="cx">
</span><del>-size_t ShareableBitmap::numBytesForSize(const WebCore::IntSize& size)
</del><ins>+Checked<unsigned, RecordOverflow> ShareableBitmap::numBytesForSize(const WebCore::IntSize& size)
</ins><span class="cx"> {
</span><del>- return cairo_format_stride_for_width(cairoFormat, size.width()) * size.height();
</del><ins>+ return Checked<unsigned, RecordOverflow>(cairo_format_stride_for_width(cairoFormat, size.width())) * size.height();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static inline RefPtr<cairo_surface_t> createSurfaceFromData(void* data, const WebCore::IntSize& size)
</span></span></pre></div>
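Review bot: `numBytesForSize` wraps the result of `cairo_format_stride_for_width()` in `Checked<unsigned, RecordOverflow>` without inspecting it first. Cairo documents that function as returning -1 when the width is too large or the format is invalid. The callers' `hasOverflowed()` test catches that case only if the checked type's converting constructor records a negative input as an overflow, which this hunk does not show. A comment such as `// stride is -1 on error; the Checked<unsigned> conversion must record that as overflow` would document the dependency. Alternatively the stride could be tested explicitly before the multiplication.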
<a id="branchessafari602branchSourceWebKit2UIProcessAPICocoaWKWebViewmm"></a>
<div class="modfile"><h4>Modified: branches/safari-602-branch/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm (207952 => 207953)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-602-branch/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm        2016-10-27 07:31:13 UTC (rev 207952)
+++ branches/safari-602-branch/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm        2016-10-27 07:34:21 UTC (rev 207953)
</span><span class="lines">@@ -1411,7 +1411,7 @@
</span><span class="cx">
</span><span class="cx"> CARenderServerCaptureLayerWithTransform(MACH_PORT_NULL, self.layer.context.contextId, (uint64_t)self.layer, slotID, 0, 0, &transform);
</span><span class="cx"> WebCore::IntSize imageSize = WebCore::expandedIntSize(WebCore::FloatSize(snapshotSize));
</span><del>- return WebKit::ViewSnapshot::create(slotID, imageSize, imageSize.width() * imageSize.height() * 4);
</del><ins>+ return WebKit::ViewSnapshot::create(slotID, imageSize, (imageSize.area() * 4).unsafeGet());
</ins><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>