<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[210193] releases/WebKitGTK/webkit-2.14/Source</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/210193">210193</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-12-28 02:28:40 -0800 (Wed, 28 Dec 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/207708">r207708</a> - Bug 163762: IntSize::area() should used checked arithmetic
&lt;https://webkit.org/b/163762&gt;

Reviewed by Darin Adler.

Source/WebCore:

No new tests since no change in nominal behavior.

* platform/graphics/IntSize.h:
(WebCore::IntSize::area): Change to return a
Checked&lt;unsigned, T&gt; value. Use WTF:: namespace to avoid
including another header.

* platform/graphics/IntRect.h:
(WebCore::IntRect::area): Ditto.

The remaining changes are to use the Checked&lt;unsigned&gt; return
value of IntSize::area() and IntRect::area() correctly in
context, in addition to items noted below.

* html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::isTopLevelFullPagePlugin):
Declare contentWidth and contentHeight as float values to
prevent overflow when computing the area, and to make the
inequality comparison in the return statement use the same type
for both sides.
* html/ImageData.cpp:
(WebCore::ImageData::ImageData):
* html/MediaElementSession.cpp:
(WebCore::isElementRectMostlyInMainFrame):
* platform/graphics/ImageBackingStore.h:
(WebCore::ImageBackingStore::setSize): Restructure logic to
compute area only once.
(WebCore::ImageBackingStore::clear):
* platform/graphics/ImageFrame.h:
(WebCore::ImageFrame::frameBytes):
* platform/graphics/ImageSource.cpp:
(WebCore::ImageSource::maximumSubsamplingLevel):
* platform/graphics/ca/LayerPool.cpp:
(WebCore::LayerPool::backingStoreBytesForSize):
* platform/graphics/cg/ImageDecoderCG.cpp:
(WebCore::ImageDecoder::frameBytesAtIndex):
* platform/graphics/filters/FEGaussianBlur.cpp:
(WebCore::FEGaussianBlur::platformApplySoftware):
* platform/graphics/filters/FilterEffect.cpp:
(WebCore::FilterEffect::asUnmultipliedImage):
(WebCore::FilterEffect::asPremultipliedImage):
(WebCore::FilterEffect::copyUnmultipliedImage):
(WebCore::FilterEffect::copyPremultipliedImage):
(WebCore::FilterEffect::createUnmultipliedImageResult):
(WebCore::FilterEffect::createPremultipliedImageResult):
* platform/graphics/win/ImageBufferDataDirect2D.cpp:
(WebCore::ImageBufferData::getData): Update overflow check,
rename local variable to numBytes, and compute numBytes once.
* platform/graphics/win/ImageDecoderDirect2D.cpp:
(WebCore::ImageDecoder::frameBytesAtIndex):
* platform/image-decoders/ImageDecoder.cpp:
(WebCore::ImageDecoder::frameBytesAtIndex):
* platform/ios/LegacyTileLayerPool.mm:
(WebCore::LegacyTileLayerPool::bytesBackingLayerWithPixelSize):
* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::requiresCompositingForCanvas):
* rendering/shapes/Shape.cpp:
(WebCore::Shape::createRasterShape):

Source/WebKit2:

* Shared/ShareableBitmap.cpp:
(WebKit::ShareableBitmap::create): Add overflow check and return
nullptr on overflow.
(WebKit::ShareableBitmap::createShareable): Ditto.
(WebKit::ShareableBitmap::create): Change debug assert for
adequate buffer size check into release check.
* Shared/ShareableBitmap.h:
(WebKit::ShareableBitmap::numBytesForSize): Change to return a
Checked&lt;unsigned, RecordOverflow&gt; value.
(WebKit::ShareableBitmap::sizeInBytes):
* Shared/cairo/ShareableBitmapCairo.cpp:
(WebKit::ShareableBitmap::numBytesForSize): Ditto.
* UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView _takeViewSnapshot]): Call unsafeGet().

Tools:

* TestWebKitAPI/Tests/WebCore/IntRect.cpp:
(TestWebKitAPI::TEST): Call unsafeGet().
* TestWebKitAPI/Tests/WebCore/IntSize.cpp:
(TestWebKitAPI::TEST): Ditto.</pre>
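<p>Added example, not WebKit code: the log message above explains that width * height * 4 was computed in plain int arithmetic and is now routed through Checked&lt;unsigned, T&gt;. The block below reproduces the wrap-around the old code trusted, a RecordOverflow-style replacement, and one pitfall that checked arithmetic does not cover on its own. CheckedUnsigned is a constructed stand-in for WTF::Checked&lt;unsigned, RecordOverflow&gt; (the real class lives in wtf/CheckedArithmetic.h and is not reproduced here); legacyImageBytes, checkedImageBytes and widenThenNarrow are illustration names, not WebKit functions.</p>

```cpp
// Added example, not WebKit code. CheckedUnsigned is a constructed stand-in for
// WTF::Checked<unsigned, RecordOverflow>: it only tracks whether an overflow
// happened so the before/after of IntSize::area() can be run outside WebKit.
#include <climits>
#include <cstddef>
#include <cstdint>

struct CheckedUnsigned {
    unsigned value = 0;
    bool overflowed = false;

    // Equivalent of Checked<unsigned, T>(abs(x)) in the IntSize.h hunk, but without
    // calling abs(INT_MIN), which is undefined behaviour; that case is flagged instead.
    static CheckedUnsigned fromAbs(int x) {
        CheckedUnsigned c;
        if (x == INT_MIN) { c.overflowed = true; return c; }
        c.value = static_cast<unsigned>(x < 0 ? -x : x);
        return c;
    }

    // Checked multiply: compute in 64 bits, flag anything that does not fit in 32.
    CheckedUnsigned times(const CheckedUnsigned& rhs) const {
        CheckedUnsigned c;
        c.overflowed = overflowed || rhs.overflowed;
        unsigned long long wide = static_cast<unsigned long long>(value) * rhs.value;
        if (wide > UINT_MAX) c.overflowed = true;
        c.value = c.overflowed ? 0u : static_cast<unsigned>(wide);
        return c;
    }
    CheckedUnsigned times(unsigned rhs) const {
        CheckedUnsigned r;
        r.value = rhs;
        return times(r);
    }

    bool hasOverflowed() const { return overflowed; }
    // RecordOverflow policy: the caller must test hasOverflowed() before trusting this.
    unsigned unsafeGet() const { return value; }
};

// Before r207708: `size.width() * size.height() * 4` in int arithmetic. Signed overflow is
// undefined behaviour; the unsigned casts reproduce the wrap-around that occurs in practice,
// which the allocation then trusted as a buffer size.
unsigned legacyImageBytes(int width, int height) {
    return static_cast<unsigned>(width) * static_cast<unsigned>(height) * 4u;
}

// After r207708, using RecordOverflow rather than the CrashOnOverflow default: the caller is
// told that no valid byte count exists instead of receiving a wrapped one. Returns false on
// overflow and leaves `bytes` untouched.
bool checkedImageBytes(int width, int height, unsigned& bytes) {
    CheckedUnsigned n = CheckedUnsigned::fromAbs(width)
                            .times(CheckedUnsigned::fromAbs(height))
                            .times(4u);
    if (n.hasOverflowed())
        return false;
    bytes = n.unsafeGet();
    return true;
}

// Pitfall that survives checked arithmetic: multiplying by sizeof() promotes to size_t, so on a
// 64-bit build `area * 4` cannot overflow and nothing is flagged, yet handing the product back
// through an `unsigned` return type narrows it again. The cast is explicit here; a function
// declared as returning unsigned performs the same truncation implicitly.
unsigned widenThenNarrow(unsigned area) {
    size_t wide = static_cast<size_t>(area) * sizeof(uint32_t); // 2^30 * 4 = 2^32 fits in 64 bits
    return static_cast<unsigned>(wide);                         // and becomes 0 here
}
```

<p>The interesting inputs are 32768 x 32768 (area 2^30 fits in unsigned, the * 4 does not: the legacy path hands back 0 bytes, the checked path reports overflow) and INT_MIN for either dimension, which the real code passes through abs(). Whether to crash or to record is a policy choice; the WebCore hunks in this revision crash, while the ShareableBitmap change described in the log message records and returns nullptr.</p>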

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCorehtmlHTMLPlugInImageElementcpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLPlugInImageElement.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCorehtmlImageDatacpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/html/ImageData.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicsBitmapImagecpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/BitmapImage.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicsImageSourcecpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ImageSource.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicsIntRecth">releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntRect.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicsIntSizeh">releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntSize.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicscaLayerPoolcpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ca/LayerPool.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicscgImageDecoderCGcpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicsfiltersFEGaussianBlurcpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicsfiltersFilterEffectcpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FilterEffect.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreplatformimagedecodersImageDecodercpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/image-decoders/ImageDecoder.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreplatformiosLegacyTileLayerPoolmm">releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/ios/LegacyTileLayerPool.mm</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCorerenderingRenderLayerCompositorcpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderLayerCompositor.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCorerenderingshapesShapecpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/shapes/Shape.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKit2ChangeLog">releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKit2SharedShareableBitmapcpp">releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKit2SharedShareableBitmaph">releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKit2SharedcairoShareableBitmapCairocpp">releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKit2UIProcessAPICocoaWKWebViewmm">releases/WebKitGTK/webkit-2.14/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit214SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -1,3 +1,69 @@
</span><ins>+2016-10-21  David Kilzer  &lt;ddkilzer@apple.com&gt;
+
+        Bug 163762: IntSize::area() should used checked arithmetic
+        &lt;https://webkit.org/b/163762&gt;
+
+        Reviewed by Darin Adler.
+
+        No new tests since no change in nominal behavior.
+
+        * platform/graphics/IntSize.h:
+        (WebCore::IntSize::area): Change to return a
+        Checked&lt;unsigned, T&gt; value. Use WTF:: namespace to avoid
+        including another header.
+
+        * platform/graphics/IntRect.h:
+        (WebCore::IntRect::area): Ditto.
+
+        The remaining changes are to use the Checked&lt;unsigned&gt; return
+        value of IntSize::area() and IntRect::area() correctly in
+        context, in addition to items noted below.
+
+        * html/HTMLPlugInImageElement.cpp:
+        (WebCore::HTMLPlugInImageElement::isTopLevelFullPagePlugin):
+        Declare contentWidth and contentHeight as float values to
+        prevent overflow when computing the area, and to make the
+        inequality comparison in the return statement uses the same type
+        for both sides.
+        * html/ImageData.cpp:
+        (WebCore::ImageData::ImageData):
+        * html/MediaElementSession.cpp:
+        (WebCore::isElementRectMostlyInMainFrame):
+        * platform/graphics/ImageBackingStore.h:
+        (WebCore::ImageBackingStore::setSize): Restructure logic to
+        compute area only once.
+        (WebCore::ImageBackingStore::clear):
+        * platform/graphics/ImageFrame.h:
+        (WebCore::ImageFrame::frameBytes):
+        * platform/graphics/ImageSource.cpp:
+        (WebCore::ImageSource::maximumSubsamplingLevel):
+        * platform/graphics/ca/LayerPool.cpp:
+        (WebCore::LayerPool::backingStoreBytesForSize):
+        * platform/graphics/cg/ImageDecoderCG.cpp:
+        (WebCore::ImageDecoder::frameBytesAtIndex):
+        * platform/graphics/filters/FEGaussianBlur.cpp:
+        (WebCore::FEGaussianBlur::platformApplySoftware):
+        * platform/graphics/filters/FilterEffect.cpp:
+        (WebCore::FilterEffect::asUnmultipliedImage):
+        (WebCore::FilterEffect::asPremultipliedImage):
+        (WebCore::FilterEffect::copyUnmultipliedImage):
+        (WebCore::FilterEffect::copyPremultipliedImage):
+        (WebCore::FilterEffect::createUnmultipliedImageResult):
+        (WebCore::FilterEffect::createPremultipliedImageResult):
+        * platform/graphics/win/ImageBufferDataDirect2D.cpp:
+        (WebCore::ImageBufferData::getData): Update overflow check,
+        rename local variable to numBytes, and compute numBytes once.
+        * platform/graphics/win/ImageDecoderDirect2D.cpp:
+        (WebCore::ImageDecoder::frameBytesAtIndex):
+        * platform/image-decoders/ImageDecoder.cpp:
+        (WebCore::ImageDecoder::frameBytesAtIndex):
+        * platform/ios/LegacyTileLayerPool.mm:
+        (WebCore::LegacyTileLayerPool::bytesBackingLayerWithPixelSize):
+        * rendering/RenderLayerCompositor.cpp:
+        (WebCore::RenderLayerCompositor::requiresCompositingForCanvas):
+        * rendering/shapes/Shape.cpp:
+        (WebCore::Shape::createRasterShape):
+
</ins><span class="cx"> 2016-10-20  Dean Jackson  &lt;dino@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         SVG should not paint selection within a mask
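Review bot: the merged ChangeLog entry does not describe what this revision actually touches. It lists html/MediaElementSession.cpp, platform/graphics/ImageBackingStore.h, platform/graphics/ImageFrame.h and the two platform/graphics/win/ files, none of which appear in this revision's Modified Paths, while platform/graphics/BitmapImage.cpp is changed (the m_decodedSize computation) but not mentioned. For a branch merge the entry should reflect the files the branch changed; add a BitmapImage.cpp line and drop or annotate the entries that have no counterpart on webkit-2.14.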
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCorehtmlHTMLPlugInImageElementcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLPlugInImageElement.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLPlugInImageElement.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLPlugInImageElement.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -587,9 +587,9 @@
</span><span class="cx">     auto&amp; style = renderer.style();
</span><span class="cx">     IntSize visibleSize = frame.view()-&gt;visibleSize();
</span><span class="cx">     LayoutRect contentRect = renderer.contentBoxRect();
</span><del>-    int contentWidth = contentRect.width();
-    int contentHeight = contentRect.height();
-    return is100Percent(style.width()) &amp;&amp; is100Percent(style.height()) &amp;&amp; contentWidth * contentHeight &gt; visibleSize.area() * sizingFullPageAreaRatioThreshold;
</del><ins>+    float contentWidth = contentRect.width();
+    float contentHeight = contentRect.height();
+    return is100Percent(style.width()) &amp;&amp; is100Percent(style.height()) &amp;&amp; contentWidth * contentHeight &gt; visibleSize.area().unsafeGet() * sizingFullPageAreaRatioThreshold;
</ins><span class="cx"> }
</span><span class="cx">     
</span><span class="cx"> void HTMLPlugInImageElement::checkSnapshotStatus()
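Review bot: the move from int to float removes the integer overflow but deserves a one-line comment that this is a heuristic comparison: float carries a 24-bit mantissa, so contentWidth * contentHeight loses low bits above roughly 16 million, and the right-hand side multiplies the unsigned from visibleSize.area().unsafeGet() by sizingFullPageAreaRatioThreshold in floating point as well. That is acceptable for a threshold ratio test, and saying so prevents a later "fix" back to exact integers. Note also that area() here uses the CrashOnOverflow default from the IntSize.h hunk, so unsafeGet() cannot return a wrapped value; an oversized visible size aborts instead.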
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCorehtmlImageDatacpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/html/ImageData.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/html/ImageData.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/html/ImageData.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -113,7 +113,7 @@
</span><span class="cx"> 
</span><span class="cx"> ImageData::ImageData(const IntSize&amp; size)
</span><span class="cx">     : m_size(size)
</span><del>-    , m_data(Uint8ClampedArray::createUninitialized(size.width() * size.height() * 4))
</del><ins>+    , m_data(Uint8ClampedArray::createUninitialized((size.area() * 4).unsafeGet()))
</ins><span class="cx"> {
</span><span class="cx">     ASSERT_WITH_SECURITY_IMPLICATION(m_data);
</span><span class="cx"> }
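Review bot: size.area() here runs with the default CrashOnOverflow policy (see the IntSize.h hunk in this revision), so a width/height pair whose area * 4 exceeds unsigned now terminates the process instead of allocating a too-small buffer. ImageData dimensions originate in script, so confirm that whatever calls this constructor rejects oversized dimensions first and that this crash is only a last line of defence; if nothing does, area&lt;RecordOverflow&gt;() with a null return from the creating function is the friendlier contract. Separately, createUninitialized can still return null and ASSERT_WITH_SECURITY_IMPLICATION(m_data) is compiled out of release builds, which is unchanged by this hunk but worth keeping in mind alongside it.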
</span><span class="lines">@@ -122,7 +122,8 @@
</span><span class="cx">     : m_size(size)
</span><span class="cx">     , m_data(WTFMove(byteArray))
</span><span class="cx"> {
</span><del>-    ASSERT_WITH_SECURITY_IMPLICATION(static_cast&lt;unsigned&gt;(size.width() * size.height() * 4) &lt;= m_data-&gt;length());
</del><ins>+    ASSERT(m_data);
+    ASSERT_WITH_SECURITY_IMPLICATION(!m_data || (size.area() * 4).unsafeGet() &lt;= m_data-&gt;length());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> }
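Review bot: the only length check in this constructor lives inside ASSERT_WITH_SECURITY_IMPLICATION, so in a release build a byteArray shorter than size.area() * 4 is still accepted with no check at all, and the new checked multiply (CrashOnOverflow) only executes in builds where that assertion is enabled. If callers can hand in an under-sized array this should be a RELEASE_ASSERT or a failure return on the create path; if they cannot, a comment naming where the length is validated would help. The new ASSERT(m_data) directly above an assertion guarded by !m_data || ... also reads as contradictory; presumably the guard exists for configurations where security assertions are on but plain ASSERT is off, and a short comment saying so would save the next reader the puzzle.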
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicsBitmapImagecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/BitmapImage.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/BitmapImage.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/BitmapImage.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -71,7 +71,7 @@
</span><span class="cx">     // Since we don't have a decoder, we can't figure out the image orientation.
</span><span class="cx">     // Set m_sizeRespectingOrientation to be the same as m_size so it's not 0x0.
</span><span class="cx">     m_sizeRespectingOrientation = m_size = NativeImage::size(image);
</span><del>-    m_decodedSize = m_size.area() * 4;
</del><ins>+    m_decodedSize = (m_size.area() * 4).unsafeGet();
</ins><span class="cx">     
</span><span class="cx">     m_frames.grow(1);
</span><span class="cx">     m_frames[0].m_hasAlpha = NativeImage::hasAlpha(image);
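Review bot: this file is not mentioned in the ChangeLog entry merged in this revision, although it is the only place on this branch where m_decodedSize is made checked; add a platform/graphics/BitmapImage.cpp line so the entry matches the diff. The size comes from NativeImage::size(image), i.e. an already-decoded image, so the CrashOnOverflow default is unlikely to fire here, but the unsafeGet() result is still assigned to m_decodedSize as a plain integer, so callers that add decoded sizes across frames remain unchecked.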
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicsImageSourcecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ImageSource.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ImageSource.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ImageSource.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -103,7 +103,7 @@
</span><span class="cx">     const SubsamplingLevel maxSubsamplingLevel = 3;
</span><span class="cx">     
</span><span class="cx">     for (SubsamplingLevel level = 0; level &lt; maxSubsamplingLevel; ++level) {
</span><del>-        if (frameSizeAtIndex(0, level).area() &lt; maximumImageAreaBeforeSubsampling)
</del><ins>+        if (frameSizeAtIndex(0, level).area().unsafeGet() &lt; maximumImageAreaBeforeSubsampling)
</ins><span class="cx">             return level;
</span><span class="cx">     }
</span><span class="cx">     
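Review bot: frameSizeAtIndex() reports dimensions that come from the decoder, i.e. from header fields of an untrusted image, so a file whose declared width * height does not fit in unsigned now aborts the process (CrashOnOverflow default) inside a subsampling heuristic that merely compares against maximumImageAreaBeforeSubsampling. An overflowed area is by definition not below the threshold, so area&lt;RecordOverflow&gt;() with hasOverflowed() treated as "keep subsampling" preserves the loop's meaning without a remotely triggerable crash.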
</span><span class="lines">@@ -206,7 +206,7 @@
</span><span class="cx"> 
</span><span class="cx"> unsigned ImageSource::frameBytesAtIndex(size_t index, SubsamplingLevel subsamplingLevel) const
</span><span class="cx"> {
</span><del>-    return frameSizeAtIndex(index, subsamplingLevel).area() * 4;
</del><ins>+    return (frameSizeAtIndex(index, subsamplingLevel).area() * 4).unsafeGet();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> float ImageSource::frameDurationAtIndex(size_t index)
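Review bot: frameBytesAtIndex still returns a plain unsigned, so the check covers only the per-frame multiply; callers that sum this value over frames for memory accounting can still wrap outside the Checked scope. Consider returning Checked&lt;unsigned, RecordOverflow&gt; as the log message says ShareableBitmap::numBytesForSize now does, or widening the return type, so the checked result is not immediately discarded at the function boundary.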
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicsIntRecth"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntRect.h (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntRect.h        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntRect.h        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -85,9 +85,10 @@
</span><span class="cx">     int maxY() const { return y() + height(); }
</span><span class="cx">     int width() const { return m_size.width(); }
</span><span class="cx">     int height() const { return m_size.height(); }
</span><del>-    
-    unsigned area() const { return m_size.area(); }
</del><span class="cx"> 
</span><ins>+    template &lt;typename T = WTF::CrashOnOverflow&gt;
+    Checked&lt;unsigned, T&gt; area() const { return m_size.area&lt;T&gt;(); }
+
</ins><span class="cx">     void setX(int x) { m_location.setX(x); }
</span><span class="cx">     void setY(int y) { m_location.setY(y); }
</span><span class="cx">     void setWidth(int width) { m_size.setWidth(width); }
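Review bot: the new declaration names Checked unqualified but WTF::CrashOnOverflow qualified, and the hunk adds no include for wtf/CheckedArithmetic.h. The ChangeLog says the WTF:: prefix was chosen "to avoid including another header", but Checked itself still has to come from that header, so IntRect.h (and IntSize.h below) now depend on it arriving transitively. Include it directly in both headers so a later include cleanup does not break the build.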
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicsIntSizeh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntSize.h (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntSize.h        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntSize.h        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -125,9 +125,10 @@
</span><span class="cx"> 
</span><span class="cx">     IntSize constrainedBetween(const IntSize&amp; min, const IntSize&amp; max) const;
</span><span class="cx"> 
</span><del>-    unsigned area() const
</del><ins>+    template &lt;typename T = WTF::CrashOnOverflow&gt;
+    Checked&lt;unsigned, T&gt; area() const
</ins><span class="cx">     {
</span><del>-        return abs(m_width) * abs(m_height);
</del><ins>+        return Checked&lt;unsigned, T&gt;(abs(m_width)) * abs(m_height);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     int diagonalLengthSquared() const
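Review bot: abs(m_width) is undefined for INT_MIN (in practice it yields INT_MIN, still negative); the Checked&lt;unsigned, T&gt; converting constructor rejects a negative value, so that case is caught only by its range check rather than by design. Testing for INT_MIN explicitly, or computing in a wider signed type before converting, avoids relying on undefined behaviour. The template also deserves a comment stating the contract: T defaults to CrashOnOverflow, so every existing area() caller now aborts on overflow, and callers that want a recoverable result must write area&lt;RecordOverflow&gt;() and test hasOverflowed() before unsafeGet().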
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicscaLayerPoolcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ca/LayerPool.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ca/LayerPool.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ca/LayerPool.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -56,7 +56,7 @@
</span><span class="cx"> 
</span><span class="cx"> unsigned LayerPool::backingStoreBytesForSize(const IntSize&amp; size)
</span><span class="cx"> {
</span><del>-    return size.width() * size.height() * 4;
</del><ins>+    return (size.area() * 4).unsafeGet();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LayerPool::LayerList&amp; LayerPool::listOfLayersWithSize(const IntSize&amp; size, AccessType accessType)
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicscgImageDecoderCGcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -335,7 +335,7 @@
</span><span class="cx"> unsigned ImageDecoder::frameBytesAtIndex(size_t index, SubsamplingLevel subsamplingLevel) const
</span><span class="cx"> {
</span><span class="cx">     IntSize frameSize = frameSizeAtIndex(index, subsamplingLevel);
</span><del>-    return frameSize.area() * 4;
</del><ins>+    return (frameSize.area() * 4).unsafeGet();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> NativeImagePtr ImageDecoder::createFrameImageAtIndex(size_t index, SubsamplingLevel subsamplingLevel) const
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicsfiltersFEGaussianBlurcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -539,7 +539,7 @@
</span><span class="cx"> 
</span><span class="cx">     IntSize paintSize = absolutePaintRect().size();
</span><span class="cx">     paintSize.scale(filter().filterScale());
</span><del>-    RefPtr&lt;Uint8ClampedArray&gt; tmpImageData = Uint8ClampedArray::createUninitialized(paintSize.width() * paintSize.height() * 4);
</del><ins>+    RefPtr&lt;Uint8ClampedArray&gt; tmpImageData = Uint8ClampedArray::createUninitialized((paintSize.area() * 4).unsafeGet());
</ins><span class="cx">     if (!tmpImageData) {
</span><span class="cx">         WTFLogAlways(&quot;FEGaussianBlur::platformApplySoftware Unable to create buffer. Requested size was %d x %d\n&quot;, paintSize.width(), paintSize.height());
</span><span class="cx">         return;
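Review bot: this function already has a graceful failure path (the !tmpImageData branch right below logs and returns), but an area * 4 overflow now aborts via CrashOnOverflow before it can be reached. paintSize has just been scaled by filter().filterScale(), so large filter regions at high device scale are the case to consider. area&lt;RecordOverflow&gt;() with hasOverflowed() routed into that same branch keeps a merely too-large request non-fatal.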
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreplatformgraphicsfiltersFilterEffectcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FilterEffect.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FilterEffect.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FilterEffect.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -237,7 +237,7 @@
</span><span class="cx">     IntSize scaledSize(rect.size());
</span><span class="cx">     ASSERT(!ImageBuffer::sizeNeedsClamping(scaledSize));
</span><span class="cx">     scaledSize.scale(m_filter.filterScale());
</span><del>-    auto imageData = Uint8ClampedArray::createUninitialized(scaledSize.width() * scaledSize.height() * 4);
</del><ins>+    auto imageData = Uint8ClampedArray::createUninitialized((scaledSize.area() * 4).unsafeGet());
</ins><span class="cx">     copyUnmultipliedImage(imageData.get(), rect);
</span><span class="cx">     return WTFMove(imageData);
</span><span class="cx"> }
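Review bot: ASSERT(!ImageBuffer::sizeNeedsClamping(scaledSize)) runs before scaledSize.scale(m_filter.filterScale()), so the clamping check applies to the unscaled size while the allocation uses the scaled one; with CrashOnOverflow that gap is now a process abort rather than a short buffer. Either assert after scaling or use area&lt;RecordOverflow&gt;() and return nullptr from this function on overflow. The same ordering appears in every other hunk of this file.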
</span><span class="lines">@@ -247,7 +247,7 @@
</span><span class="cx">     IntSize scaledSize(rect.size());
</span><span class="cx">     ASSERT(!ImageBuffer::sizeNeedsClamping(scaledSize));
</span><span class="cx">     scaledSize.scale(m_filter.filterScale());
</span><del>-    auto imageData = Uint8ClampedArray::createUninitialized(scaledSize.width() * scaledSize.height() * 4);
</del><ins>+    auto imageData = Uint8ClampedArray::createUninitialized((scaledSize.area() * 4).unsafeGet());
</ins><span class="cx">     copyPremultipliedImage(imageData.get(), rect);
</span><span class="cx">     return WTFMove(imageData);
</span><span class="cx"> }
</span><span class="lines">@@ -316,7 +316,7 @@
</span><span class="cx">             IntSize inputSize(m_absolutePaintRect.size());
</span><span class="cx">             ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize));
</span><span class="cx">             inputSize.scale(m_filter.filterScale());
</span><del>-            m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized(inputSize.width() * inputSize.height() * 4);
</del><ins>+            m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized((inputSize.area() * 4).unsafeGet());
</ins><span class="cx">             if (!m_unmultipliedImageResult) {
</span><span class="cx">                 WTFLogAlways(&quot;FilterEffect::copyUnmultipliedImage Unable to create buffer. Requested size was %d x %d\n&quot;, inputSize.width(), inputSize.height());
</span><span class="cx">                 return;
</span><span class="lines">@@ -323,7 +323,7 @@
</span><span class="cx">             }
</span><span class="cx">             unsigned char* sourceComponent = m_premultipliedImageResult-&gt;data();
</span><span class="cx">             unsigned char* destinationComponent = m_unmultipliedImageResult-&gt;data();
</span><del>-            unsigned char* end = sourceComponent + (inputSize.width() * inputSize.height() * 4);
</del><ins>+            unsigned char* end = sourceComponent + (inputSize.area() * 4).unsafeGet();
</ins><span class="cx">             while (sourceComponent &lt; end) {
</span><span class="cx">                 int alpha = sourceComponent[3];
</span><span class="cx">                 if (alpha) {
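Review bot: (inputSize.area() * 4).unsafeGet() is now evaluated twice in this function, once for the createUninitialized call a few lines up and again for the end pointer here. Compute it once into a local, as the ChangeLog says was done for ImageBufferData::getData with numBytes, so the allocation size and the loop bound cannot drift apart; the same duplication is in the premultiplied counterpart below.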
</span><span class="lines">@@ -356,7 +356,7 @@
</span><span class="cx">             IntSize inputSize(m_absolutePaintRect.size());
</span><span class="cx">             ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize));
</span><span class="cx">             inputSize.scale(m_filter.filterScale());
</span><del>-            m_premultipliedImageResult = Uint8ClampedArray::createUninitialized(inputSize.width() * inputSize.height() * 4);
</del><ins>+            m_premultipliedImageResult = Uint8ClampedArray::createUninitialized((inputSize.area() * 4).unsafeGet());
</ins><span class="cx">             if (!m_premultipliedImageResult) {
</span><span class="cx">                 WTFLogAlways(&quot;FilterEffect::copyPremultipliedImage Unable to create buffer. Requested size was %d x %d\n&quot;, inputSize.width(), inputSize.height());
</span><span class="cx">                 return;
</span><span class="lines">@@ -363,7 +363,7 @@
</span><span class="cx">             }
</span><span class="cx">             unsigned char* sourceComponent = m_unmultipliedImageResult-&gt;data();
</span><span class="cx">             unsigned char* destinationComponent = m_premultipliedImageResult-&gt;data();
</span><del>-            unsigned char* end = sourceComponent + (inputSize.width() * inputSize.height() * 4);
</del><ins>+            unsigned char* end = sourceComponent + (inputSize.area() * 4).unsafeGet();
</ins><span class="cx">             while (sourceComponent &lt; end) {
</span><span class="cx">                 int alpha = sourceComponent[3];
</span><span class="cx">                 destinationComponent[0] = static_cast&lt;int&gt;(sourceComponent[0]) * alpha / 255;
</span><span class="lines">@@ -403,7 +403,7 @@
</span><span class="cx">     IntSize resultSize(m_absolutePaintRect.size());
</span><span class="cx">     ASSERT(!ImageBuffer::sizeNeedsClamping(resultSize));
</span><span class="cx">     resultSize.scale(m_filter.filterScale());
</span><del>-    m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized(resultSize.width() * resultSize.height() * 4);
</del><ins>+    m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized((resultSize.area() * 4).unsafeGet());
</ins><span class="cx">     return m_unmultipliedImageResult.get();
</span><span class="cx"> }
</span><span class="cx"> 
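Review bot: `ASSERT(!ImageBuffer::sizeNeedsClamping(resultSize))` is compiled out of release builds, so after this hunk the `.unsafeGet()` trap is the only release-mode guard against `resultSize.area() * 4` exceeding unsigned range; before it, the product silently wrapped and `get()` returned a buffer smaller than the paint rect. The crash is the right default for an allocation size, but this function already returns a possibly-null pointer, so a `RecordOverflow` check that returns nullptr would let callers degrade the same way they do on allocation failure. Either way, please say in a comment which behaviour is intended.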
</span><span class="lines">@@ -417,7 +417,7 @@
</span><span class="cx">     IntSize resultSize(m_absolutePaintRect.size());
</span><span class="cx">     ASSERT(!ImageBuffer::sizeNeedsClamping(resultSize));
</span><span class="cx">     resultSize.scale(m_filter.filterScale());
</span><del>-    m_premultipliedImageResult = Uint8ClampedArray::createUninitialized(resultSize.width() * resultSize.height() * 4);
</del><ins>+    m_premultipliedImageResult = Uint8ClampedArray::createUninitialized((resultSize.area() * 4).unsafeGet());
</ins><span class="cx">     return m_premultipliedImageResult.get();
</span><span class="cx"> }
</span><span class="cx"> 
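Review bot: this is a near-verbatim copy of createUnmultipliedImageResult above (size from `m_absolutePaintRect`, clamp assert, `scale(m_filter.filterScale())`, `(resultSize.area() * 4).unsafeGet()`), differing only in which member receives the buffer. A small private helper that computes the checked byte count once, e.g. `unsigned FilterEffect::resultByteCount() const`, would keep the two overflow policies from drifting apart and would be the single place to change if the trap is later replaced by a soft failure.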
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreplatformimagedecodersImageDecodercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/image-decoders/ImageDecoder.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/image-decoders/ImageDecoder.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/image-decoders/ImageDecoder.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -291,7 +291,7 @@
</span><span class="cx">     if (m_frameBufferCache.size() &lt;= index)
</span><span class="cx">         return 0;
</span><span class="cx">     // FIXME: Use the dimension of the requested frame.
</span><del>-    return m_size.area() * sizeof(ImageFrame::PixelData);
</del><ins>+    return (m_size.area() * sizeof(ImageFrame::PixelData)).unsafeGet();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> float ImageDecoder::frameDurationAtIndex(size_t index)
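Review bot: the widening here differs from the other call sites in this patch. `m_size.area()` is a checked unsigned, and multiplying by `sizeof(ImageFrame::PixelData)` (a `size_t`) promotes the checked product to `size_t` width, so `unsafeGet()` yields a 64-bit value on LP64 where the other hunks yield `unsigned`. Please confirm the declared return type of this function is wide enough that the value is not implicitly narrowed again on return, which would reintroduce the wrap the Checked type was meant to remove. The out-of-range `index` still returns 0 while an overflowing size now traps; if both are meant to be "no usable frame", the asymmetry is worth a comment next to the existing FIXME.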
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreplatformiosLegacyTileLayerPoolmm"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/ios/LegacyTileLayerPool.mm (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/ios/LegacyTileLayerPool.mm        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/ios/LegacyTileLayerPool.mm        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -55,7 +55,7 @@
</span><span class="cx"> 
</span><span class="cx"> unsigned LegacyTileLayerPool::bytesBackingLayerWithPixelSize(const IntSize&amp; size)
</span><span class="cx"> {
</span><del>-    return size.width() * size.height() * 4;
</del><ins>+    return (size.area() * 4).unsafeGet();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LegacyTileLayerPool::LayerList&amp; LegacyTileLayerPool::listOfLayersWithSize(const IntSize&amp; size, AccessType accessType)
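Review bot: the `area() * 4` bytes-per-RGBA-pixel computation is now repeated across this patch (FilterEffect, Shape, WKWebView.mm, ShareableBitmap.h and here), each site choosing its own overflow policy. Since this function is already the named "bytes backing a pixel size" helper for the tile pool, it is a natural candidate to become the one shared checked helper the other sites call, so the policy (trap vs. RecordOverflow) is decided in exactly one place.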
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCorerenderingRenderLayerCompositorcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderLayerCompositor.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderLayerCompositor.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderLayerCompositor.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -2544,7 +2544,7 @@
</span><span class="cx">         bool isCanvasLargeEnoughToForceCompositing = true;
</span><span class="cx"> #else
</span><span class="cx">         HTMLCanvasElement* canvas = downcast&lt;HTMLCanvasElement&gt;(renderer.element());
</span><del>-        bool isCanvasLargeEnoughToForceCompositing = canvas-&gt;size().area() &gt;= canvasAreaThresholdRequiringCompositing;
</del><ins>+        bool isCanvasLargeEnoughToForceCompositing = canvas-&gt;size().area().unsafeGet() &gt;= canvasAreaThresholdRequiringCompositing;
</ins><span class="cx"> #endif
</span><span class="cx">         CanvasCompositingStrategy compositingStrategy = canvasCompositingStrategy(renderer);
</span><span class="cx">         return compositingStrategy == CanvasAsLayerContents || (compositingStrategy == CanvasPaintedToLayer &amp;&amp; isCanvasLargeEnoughToForceCompositing);
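Review bot: this is a comparison, not an allocation, so trapping on overflow is heavier than the situation needs. A canvas whose `size().area()` does not fit in unsigned is certainly "large enough to force compositing", and the pre-change behaviour was a wrong answer rather than a crash. Using `size().area&lt;RecordOverflow&gt;()` and treating `hasOverflowed()` as true (`isCanvasLargeEnoughToForceCompositing = area.hasOverflowed() || area.unsafeGet() &gt;= canvasAreaThresholdRequiringCompositing;`) gives the correct heuristic result for oversized canvases instead of turning a large canvas element into a renderer crash.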
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCorerenderingshapesShapecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/shapes/Shape.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/shapes/Shape.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/shapes/Shape.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -196,7 +196,7 @@
</span><span class="cx">         int minBufferY = std::max(0, marginRect.y() - imageRect.y());
</span><span class="cx">         int maxBufferY = std::min(imageRect.height(), marginRect.maxY() - imageRect.y());
</span><span class="cx"> 
</span><del>-        if (static_cast&lt;unsigned&gt;(imageRect.width() * imageRect.height() * 4) == pixelArrayLength) {
</del><ins>+        if ((imageRect.area() * 4).unsafeGet() == pixelArrayLength) {
</ins><span class="cx">             for (int y = minBufferY; y &lt; maxBufferY; ++y) {
</span><span class="cx">                 int startX = -1;
</span><span class="cx">                 for (int x = 0; x &lt; imageRect.width(); ++x, pixelArrayOffset += 4) {
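Review bot: this condition is a validation that the pixel array matches the image rect; previously a mismatch simply skipped the loop, whereas now an overflowing `imageRect` traps before the comparison is made. Since the whole point of the check is to refuse to walk a buffer whose size does not match, an overflowed area should be treated as "does not match" rather than as fatal: `auto expectedLength = imageRect.area&lt;RecordOverflow&gt;() * 4; if (!expectedLength.hasOverflowed() &amp;&amp; expectedLength.unsafeGet() == pixelArrayLength)`. Also worth confirming that dropping the old `static_cast&lt;unsigned&gt;` leaves both sides of `==` unsigned so no signed/unsigned comparison warning appears.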
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -1,3 +1,25 @@
</span><ins>+2016-10-21  David Kilzer  &lt;ddkilzer@apple.com&gt;
+
+        Bug 163762: IntSize::area() should used checked arithmetic
+        &lt;https://webkit.org/b/163762&gt;
+
+        Reviewed by Darin Adler.
+
+        * Shared/ShareableBitmap.cpp:
+        (WebKit::ShareableBitmap::create): Add overflow check and return
+        nullptr on overflow.
+        (WebKit::ShareableBitmap::createShareable): Ditto.
+        (WebKit::ShareableBitmap::create): Change debug assert for
+        adequate buffer size check into release check.
+        * Shared/ShareableBitmap.h:
+        (WebKit::ShareableBitmap::numBytesForSize): Change to return a
+        Checked&lt;unsigned, RecordOverflow&gt; value.
+        (WebKit::ShareableBitmap::sizeInBytes):
+        * Shared/cairo/ShareableBitmapCairo.cpp:
+        (WebKit::ShareableBitmap::numBytesForSize): Ditto.
+        * UIProcess/API/Cocoa/WKWebView.mm:
+        (-[WKWebView _takeViewSnapshot]): Call unsafeGet().
+
</ins><span class="cx"> 2016-10-05  Daniel Bates  &lt;dabates@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Do not follow redirects when sending violation report
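Review bot: the bug title line in the new ChangeLog entry has a typo, "should used checked arithmetic" should read "should use checked arithmetic", and the same title presumably appears in the WebCore ChangeLog for this merge. The entry also lists `(WebKit::ShareableBitmap::create)` twice with different descriptions; that is correct because there are two overloads, but naming the distinguishing parameter (the `IntSize, Flags` overload vs. the `SharedMemory` overload) would make it clear which one gained the release check and which one only gained the overflow early return.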
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKit2SharedShareableBitmapcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -66,10 +66,12 @@
</span><span class="cx"> 
</span><span class="cx"> RefPtr&lt;ShareableBitmap&gt; ShareableBitmap::create(const IntSize&amp; size, Flags flags)
</span><span class="cx"> {
</span><del>-    size_t numBytes = numBytesForSize(size);
-    
</del><ins>+    auto numBytes = numBytesForSize(size);
+    if (numBytes.hasOverflowed())
+        return nullptr;
+
</ins><span class="cx">     void* data = 0;
</span><del>-    if (!tryFastMalloc(numBytes).getValue(data))
</del><ins>+    if (!tryFastMalloc(numBytes.unsafeGet()).getValue(data))
</ins><span class="cx">         return nullptr;
</span><span class="cx"> 
</span><span class="cx">     return adoptRef(new ShareableBitmap(size, flags, data));
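Review bot: the overflow early return reuses the nullptr failure path that already existed for the `tryFastMalloc` failure, so no caller changes are needed and every caller that handled an out-of-memory bitmap now also handles an oversized one. One pre-existing edge that the Checked value makes easy to address: for an empty `IntSize`, `numBytes` is 0 and `tryFastMalloc(0)` proceeds as before; if a zero-byte bitmap is never meaningful, rejecting it next to the `hasOverflowed()` check would be the cheapest place to do so. Please also add a brief comment noting that `numBytesForSize` now yields a `Checked&lt;unsigned, RecordOverflow&gt;`, since the `auto` hides the type that makes the check necessary.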
</span><span class="lines">@@ -77,9 +79,11 @@
</span><span class="cx"> 
</span><span class="cx"> RefPtr&lt;ShareableBitmap&gt; ShareableBitmap::createShareable(const IntSize&amp; size, Flags flags)
</span><span class="cx"> {
</span><del>-    size_t numBytes = numBytesForSize(size);
</del><ins>+    auto numBytes = numBytesForSize(size);
+    if (numBytes.hasOverflowed())
+        return nullptr;
</ins><span class="cx"> 
</span><del>-    RefPtr&lt;SharedMemory&gt; sharedMemory = SharedMemory::allocate(numBytes);
</del><ins>+    RefPtr&lt;SharedMemory&gt; sharedMemory = SharedMemory::allocate(numBytes.unsafeGet());
</ins><span class="cx">     if (!sharedMemory)
</span><span class="cx">         return nullptr;
</span><span class="cx"> 
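Review bot: same `auto numBytes = numBytesForSize(size); if (numBytes.hasOverflowed()) return nullptr;` preamble as in `create` above and in the `SharedMemory` overload below. The duplication is small, but because these three functions are the only entry points that construct a ShareableBitmap, a single static helper that returns the checked byte count or a failure would guarantee the invariant "every constructed bitmap has a non-overflowed size" in one place, which is exactly what `sizeInBytes()` in the header relies on when it calls `unsafeGet()`.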
</span><span class="lines">@@ -90,9 +94,14 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(sharedMemory);
</span><span class="cx"> 
</span><del>-    size_t numBytes = numBytesForSize(size);
-    ASSERT_UNUSED(numBytes, sharedMemory-&gt;size() &gt;= numBytes);
-    
</del><ins>+    auto numBytes = numBytesForSize(size);
+    if (numBytes.hasOverflowed())
+        return nullptr;
+    if (sharedMemory-&gt;size() &lt; numBytes.unsafeGet()) {
+        ASSERT_NOT_REACHED();
+        return nullptr;
+    }
+
</ins><span class="cx">     return adoptRef(new ShareableBitmap(size, flags, sharedMemory));
</span><span class="cx"> }
</span><span class="cx"> 
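Review bot: promoting the buffer-size comparison from `ASSERT_UNUSED` to a release check is the security-relevant part of this file. Here the `SharedMemory` is supplied by the caller rather than allocated by this function, so its size is not under this code's control, and before the change a release build would happily wrap a bitmap around a buffer smaller than `numBytesForSize(size)` and read or write past it. One question on the `ASSERT_NOT_REACHED()` that is kept inside the new branch: if the mismatch can occur in practice (a bad size arriving with the memory) rather than only as a programming error, debug builds will crash on that input while release builds correctly return nullptr; decide which case this is and either drop the assert or document that the branch is a programming-error path.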
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKit2SharedShareableBitmaph"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.h (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.h        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.h        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -125,9 +125,9 @@
</span><span class="cx">     ShareableBitmap(const WebCore::IntSize&amp;, Flags, RefPtr&lt;SharedMemory&gt;);
</span><span class="cx"> 
</span><span class="cx"> #if USE(CAIRO)
</span><del>-    static size_t numBytesForSize(const WebCore::IntSize&amp;);
</del><ins>+    static Checked&lt;unsigned, RecordOverflow&gt; numBytesForSize(const WebCore::IntSize&amp;);
</ins><span class="cx"> #else
</span><del>-    static size_t numBytesForSize(const WebCore::IntSize&amp; size) { return size.width() * size.height() * 4; }
</del><ins>+    static Checked&lt;unsigned, RecordOverflow&gt; numBytesForSize(const WebCore::IntSize&amp; size) { return size.area&lt;RecordOverflow&gt;() * 4; }
</ins><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx"> #if USE(CG)
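Review bot: the header now names `Checked&lt;unsigned, RecordOverflow&gt;` in both branches but the hunk adds no include; please confirm `wtf/CheckedArithmetic.h` is already reachable from this header rather than relying on a transitive include. Separately, the non-Cairo inline uses `size.area&lt;RecordOverflow&gt;()` explicitly while the WebCore call sites in this same patch use the default `area()` with `unsafeGet()`, so the two halves of the patch carry different overflow policies (soft failure here, trap there). That is defensible for an IPC-facing type, but a short comment on this declaration explaining why ShareableBitmap deliberately records rather than traps would help the next reader.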
</span><span class="lines">@@ -141,7 +141,7 @@
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx">     void* data() const;
</span><del>-    size_t sizeInBytes() const { return numBytesForSize(m_size); }
</del><ins>+    size_t sizeInBytes() const { return numBytesForSize(m_size).unsafeGet(); }
</ins><span class="cx"> 
</span><span class="cx">     WebCore::IntSize m_size;
</span><span class="cx">     Flags m_flags;
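Review bot: `sizeInBytes()` calls `unsafeGet()` on the RecordOverflow value with no `hasOverflowed()` check, which is only safe because every `create` path in ShareableBitmap.cpp returns nullptr on overflow before a ShareableBitmap is constructed, so `m_size` can never produce an overflowed count here. That invariant lives in a different file; a one-line comment on this accessor (e.g. "m_size was overflow-checked at construction") would make the missing check look deliberate rather than accidental, and would flag any future constructor that bypasses `numBytesForSize`.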
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKit2SharedcairoShareableBitmapCairocpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -40,9 +40,9 @@
</span><span class="cx"> 
</span><span class="cx"> static const cairo_format_t cairoFormat = CAIRO_FORMAT_ARGB32;
</span><span class="cx"> 
</span><del>-size_t ShareableBitmap::numBytesForSize(const WebCore::IntSize&amp; size)
</del><ins>+Checked&lt;unsigned, RecordOverflow&gt; ShareableBitmap::numBytesForSize(const WebCore::IntSize&amp; size)
</ins><span class="cx"> {
</span><del>-    return cairo_format_stride_for_width(cairoFormat, size.width()) * size.height();
</del><ins>+    return Checked&lt;unsigned, RecordOverflow&gt;(cairo_format_stride_for_width(cairoFormat, size.width())) * size.height();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> static inline RefPtr&lt;cairo_surface_t&gt; createSurfaceFromData(void* data, const WebCore::IntSize&amp; size)
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKit2UIProcessAPICocoaWKWebViewmm"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm (210192 => 210193)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm        2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm        2016-12-28 10:28:40 UTC (rev 210193)
</span><span class="lines">@@ -1413,7 +1413,7 @@
</span><span class="cx"> 
</span><span class="cx">     CARenderServerCaptureLayerWithTransform(MACH_PORT_NULL, self.layer.context.contextId, (uint64_t)self.layer, slotID, 0, 0, &amp;transform);
</span><span class="cx">     WebCore::IntSize imageSize = WebCore::expandedIntSize(WebCore::FloatSize(snapshotSize));
</span><del>-    return WebKit::ViewSnapshot::create(slotID, imageSize, imageSize.width() * imageSize.height() * 4);
</del><ins>+    return WebKit::ViewSnapshot::create(slotID, imageSize, (imageSize.area() * 4).unsafeGet());
</ins><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx"> 
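Review bot: this is the only call site in the patch that runs in the UI process, and `(imageSize.area() * 4).unsafeGet()` will trap there if the expanded snapshot size overflows. Since `imageSize` is derived from `snapshotSize` via `expandedIntSize`, an oversized view would take down the UI process rather than just failing to snapshot. If `ViewSnapshot::create` callers tolerate a null return (the surrounding method already has a `#endif` fallback path), the RecordOverflow pattern used in ShareableBitmap::create in this same patch would let `_takeViewSnapshot` return nil instead. The ChangeLog line "Call unsafeGet()" could then say why the trap is, or is not, acceptable here.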
</span></span></pre>
</div>
</div>

</body>
</html>