[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75
senorblanco at chromium.org
Thu Oct 29 20:44:24 UTC 2009
The following commit has been merged in the webkit-1.1 branch:
commit 111c64269d9952895d35d34398d5257eacf69d50
Author: senorblanco at chromium.org <senorblanco at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Oct 14 15:02:42 2009 +0000
WebCore: Fix for NULL ptr deref in canvas's toDataURL().
https://bugs.webkit.org/show_bug.cgi?id=30254
Reviewed by Eric Seidel.
Test: fast/canvas/canvas-toDataURL-crash.html
* html/HTMLCanvasElement.cpp:
(WebCore::HTMLCanvasElement::toDataURL):
LayoutTests: New test for NULL ptr deref in canvas's toDataURL().
https://bugs.webkit.org/show_bug.cgi?id=30254
Reviewed by Eric Seidel.
* fast/canvas/canvas-toDataURL-crash-expected.txt: Added.
* fast/canvas/canvas-toDataURL-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@49561 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 5631c6d..1a015fa 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2009-10-09 Stephen White <senorblanco at chromium.org>
+
+ Reviewed by Eric Seidel.
+
+ New test for NULL ptr deref in canvas's toDataURL().
+ https://bugs.webkit.org/show_bug.cgi?id=30254
+
+ * fast/canvas/canvas-toDataURL-crash-expected.txt: Added.
+ * fast/canvas/canvas-toDataURL-crash.html: Added.
+
2009-10-13 Dimitri Glazkov <dglazkov at chromium.org>
No review, rolling out r49554, because it broke Win and Chromium builds.
diff --git a/LayoutTests/fast/canvas/canvas-toDataURL-crash-expected.txt b/LayoutTests/fast/canvas/canvas-toDataURL-crash-expected.txt
new file mode 100644
index 0000000..557a26c
--- /dev/null
+++ b/LayoutTests/fast/canvas/canvas-toDataURL-crash-expected.txt
@@ -0,0 +1,5 @@
+PASS
+
+Calling toDataURL() on a huge canvas shouldn't crash. If the text above is "PASS", the test passed.
+
+
diff --git a/LayoutTests/fast/canvas/canvas-toDataURL-crash.html b/LayoutTests/fast/canvas/canvas-toDataURL-crash.html
new file mode 100644
index 0000000..f058dec
--- /dev/null
+++ b/LayoutTests/fast/canvas/canvas-toDataURL-crash.html
@@ -0,0 +1,11 @@
+<p id="console"></p>
+<p>Calling toDataURL() on a huge canvas shouldn't crash. If the text above is "PASS", the test passed.</p>
+<canvas id="foo" width="65536" height="65536"></canvas>
+<script>
+var canvas = document.getElementById('foo');
+var url = canvas.toDataURL();
+var p = document.getElementById('console');
+p.innerHTML = "PASS";
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
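Review bot: In canvas-toDataURL-crash.html, `layoutTestController.dumpAsText()` is the last statement of the script, after `canvas.toDataURL()`. If that call throws rather than crashes, neither the "PASS" assignment nor dumpAsText() runs, and the failure is not reported as a plain text mismatch. Move the `if (window.layoutTestController)` block to the top of the script. The returned `url` is also never checked, so the test passes for any return value that does not crash. Either compare it against the expected string or drop the unused variable.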
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index dc572ea..35ed0ab 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2009-10-09 Stephen White <senorblanco at chromium.org>
+
+ Reviewed by Eric Seidel.
+
+ Fix for NULL ptr deref in canvas's toDataURL().
+ https://bugs.webkit.org/show_bug.cgi?id=30254
+
+ Test: fast/canvas/canvas-toDataURL-crash.html
+
+ * html/HTMLCanvasElement.cpp:
+ (WebCore::HTMLCanvasElement::toDataURL):
+
2009-10-14 Pavel Feldman <pfeldman at chromium.org>
Not reviewed, reverting r49558 since it broke profiler tests.
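Review bot: The WebCore/ChangeLog entry lists `(WebCore::HTMLCanvasElement::toDataURL):` with no text after the colon, so the log does not say what changed in that function. Add a short description there, for example that toDataURL() now returns "data:," when buffer() is null.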
diff --git a/WebCore/html/HTMLCanvasElement.cpp b/WebCore/html/HTMLCanvasElement.cpp
index e3fe329..335b20f 100644
--- a/WebCore/html/HTMLCanvasElement.cpp
+++ b/WebCore/html/HTMLCanvasElement.cpp
@@ -138,7 +138,7 @@ String HTMLCanvasElement::toDataURL(const String& mimeType, ExceptionCode& ec)
return String();
}
- if (m_size.isEmpty())
+ if (m_size.isEmpty() || !buffer())
return String("data:,");
if (mimeType.isNull() || !MIMETypeRegistry::isSupportedImageMIMETypeForEncoding(mimeType))
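Review bot: The added `!buffer()` term in `if (m_size.isEmpty() || !buffer())` has no comment explaining when buffer() can be null on a non-empty canvas. The accompanying test uses a 65536x65536 canvas, so a one-line comment naming the cause (presumably a backing store that could not be created at that size) would help the next reader. Folding the check into the existing branch also means a script receives "data:," for both an empty canvas and a missing buffer and cannot tell the two apart; please confirm that is the intended behaviour. Other uses of buffer() in this file are not visible in this hunk and are worth checking for the same assumption.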
--
WebKit Debian packaging