Diffstat (limited to 'Source/WebCore/html')
| -rw-r--r-- | Source/WebCore/html/HTMLMarqueeElement.cpp | 2 | ||||
| -rw-r--r-- | Source/WebCore/html/HTMLMarqueeElement.h | 3 | ||||
| -rw-r--r-- | Source/WebCore/html/ImageData.cpp | 3 | ||||
| -rw-r--r-- | Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp | 26 | ||||
| -rw-r--r-- | Source/WebCore/html/canvas/CanvasRenderingContext2D.h | 9 |
5 files changed, 33 insertions, 10 deletions
diff --git a/Source/WebCore/html/HTMLMarqueeElement.cpp b/Source/WebCore/html/HTMLMarqueeElement.cpp
index 6bd6545af..4791ae9ae 100644
--- a/Source/WebCore/html/HTMLMarqueeElement.cpp
+++ b/Source/WebCore/html/HTMLMarqueeElement.cpp
@@ -55,7 +55,7 @@ int HTMLMarqueeElement::minimumDelay() const
 // WinIE uses 60ms as the minimum delay by default.
 return 60;
 }
- return 0;
+ return 16; // Don't allow timers at < 16ms intervals to avoid CPU hogging: webkit.org/b/160609
 }
 bool HTMLMarqueeElement::isPresentationAttribute(const QualifiedName& name) const
diff --git a/Source/WebCore/html/HTMLMarqueeElement.h b/Source/WebCore/html/HTMLMarqueeElement.h
index 394a163b5..a20926ecd 100644
--- a/Source/WebCore/html/HTMLMarqueeElement.h
+++ b/Source/WebCore/html/HTMLMarqueeElement.h
@@ -41,12 +41,15 @@ public:
 void start();
 virtual void stop() override;
+ // Number of pixels to move on each scroll movement. Defaults to 6.
 int scrollAmount() const;
 void setScrollAmount(int, ExceptionCode&);
+ // Interval between each scroll movement, in milliseconds. Defaults to 60.
 int scrollDelay() const;
 void setScrollDelay(int, ExceptionCode&);
+ // Loop count. -1 means loop indefinitely.
 int loop() const;
 void setLoop(int, ExceptionCode&);
diff --git a/Source/WebCore/html/ImageData.cpp b/Source/WebCore/html/ImageData.cpp
index 27b57c372..907eb702c 100644
--- a/Source/WebCore/html/ImageData.cpp
+++ b/Source/WebCore/html/ImageData.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2016 Apple Inc. All rights reserved.
 * Copyright (C) 2014 Adobe Systems Incorporated. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -115,6 +115,7 @@ ImageData::ImageData(const IntSize& size)
 : m_size(size)
 , m_data(Uint8ClampedArray::createUninitialized(size.width() * size.height() * 4))
 {
+ ASSERT_WITH_SECURITY_IMPLICATION(m_data);
 }
 ImageData::ImageData(const IntSize& size, PassRefPtr<Uint8ClampedArray> byteArray)
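Review bot: In the `ImageData::ImageData(const IntSize&)` hunk of ImageData.cpp, the added `ASSERT_WITH_SECURITY_IMPLICATION(m_data);` records the invariant but is normally compiled out of builds without security assertions, so a failed `createUninitialized` would still leave a null `m_data` in a constructed object there. The size expression `size.width() * size.height() * 4` on the context line is plain integer arithmetic with no overflow check visible in the hunk; callers outside the hunk may validate the size first, but that is not shown. Consider stating the contract next to the assertion, e.g. `// Callers must have verified that width * height * 4 does not overflow.`, or doing the multiplication with checked arithmetic at this point.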
diff --git a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
index 829e7b356..b87f68ee4 100644
--- a/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
+++ b/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
@@ -350,12 +350,25 @@ inline void CanvasRenderingContext2D::FontProxy::drawBidiText(GraphicsContext& c
 context.drawBidiText(m_font, run, point, action);
 }
+void CanvasRenderingContext2D::realizeSaves()
+{
+ if (m_unrealizedSaveCount)
+ realizeSavesLoop();
+
+ if (m_unrealizedSaveCount) {
+ static NeverDestroyed<String> consoleMessage(ASCIILiteral("CanvasRenderingContext2D.save() has been called without a matching restore() too many times. Ignoring save()."));
+ canvas()->document().addConsoleMessage(MessageSource::Rendering, MessageLevel::Error, consoleMessage);
+ }
+}
+
 void CanvasRenderingContext2D::realizeSavesLoop()
 {
 ASSERT(m_unrealizedSaveCount);
 ASSERT(m_stateStack.size() >= 1);
 GraphicsContext* context = drawingContext();
 do {
+ if (m_stateStack.size() > MaxSaveCount)
+ break;
 m_stateStack.append(state());
 if (context)
 context->save();
@@ -1458,7 +1471,7 @@ void CanvasRenderingContext2D::drawImage(HTMLImageElement* imageElement, const F
 if (image->isSVGImage()) {
 image->setImageObserver(nullptr);
- image->setContainerSize(normalizedSrcRect.size());
+ image->setContainerSize(imageRect.size());
 }
 if (rectContainsCanvas(normalizedDstRect)) {
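Review bot: `realizeSaves()` logs the console error on every call made while the cap is hit, because `realizeSavesLoop()` breaks out without clearing `m_unrealizedSaveCount`, so the second `if (m_unrealizedSaveCount)` stays true each time. Nothing in the hunk limits how often that happens, so a page sitting at the limit can presumably produce one error message per state-changing call; the new failure path in the `getImageData` hunk of the same file logs once per failing call in the same way. Consider reporting the condition once per context (a one-shot flag member set when the message is first emitted) or throttling it some other way. The body of `realizeSavesLoop()` continues past the end of the hunk.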
@@ -2090,8 +2103,17 @@ RefPtr<ImageData> CanvasRenderingContext2D::getImageData(ImageBuffer::Coordinate
 return createEmptyImageData(imageDataRect.size());
 RefPtr<Uint8ClampedArray> byteArray = buffer->getUnmultipliedImageData(imageDataRect, coordinateSystem);
- if (!byteArray)
+ if (!byteArray) {
+ StringBuilder consoleMessage;
+ consoleMessage.appendLiteral("Unable to get image data from canvas. Requested size was ");
+ consoleMessage.appendNumber(imageDataRect.width());
+ consoleMessage.appendLiteral(" x ");
+ consoleMessage.appendNumber(imageDataRect.height());
+
+ canvas()->document().addConsoleMessage(MessageSource::Rendering, MessageLevel::Error, consoleMessage.toString());
+ ec = INVALID_STATE_ERR;
 return nullptr;
+ }
 return ImageData::create(imageDataRect.size(), byteArray.release());
 }
diff --git a/Source/WebCore/html/canvas/CanvasRenderingContext2D.h b/Source/WebCore/html/canvas/CanvasRenderingContext2D.h
index a334873dc..783e95d31 100644
--- a/Source/WebCore/html/canvas/CanvasRenderingContext2D.h
+++ b/Source/WebCore/html/canvas/CanvasRenderingContext2D.h
@@ -318,7 +318,7 @@ private:
 CanvasDidDrawApplyAll = 0xffffffff
 };
- State& modifiableState() { ASSERT(!m_unrealizedSaveCount); return m_stateStack.last(); }
+ State& modifiableState() { ASSERT(!m_unrealizedSaveCount || m_stateStack.size() >= MaxSaveCount); return m_stateStack.last(); }
 const State& state() const { return m_stateStack.last(); }
 void applyLineDash() const;
@@ -334,11 +334,7 @@ private:
 GraphicsContext* drawingContext() const;
 void unwindStateStack();
- void realizeSaves()
- {
- if (m_unrealizedSaveCount)
- realizeSavesLoop();
- }
+ void realizeSaves();
 void realizeSavesLoop();
 void applyStrokePattern();
@@ -394,6 +390,7 @@ private:
 virtual PlatformLayer* platformLayer() const override;
 #endif
+ static const unsigned MaxSaveCount = 1024 * 16;
 Vector<State, 1> m_stateStack;
 unsigned m_unrealizedSaveCount { 0 };
 bool m_usesCSSCompatibilityParseMode;
|
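Review bot: The relaxed assertion in `modifiableState()` (CanvasRenderingContext2D.h) tests `m_stateStack.size() >= MaxSaveCount`, while the loop in `realizeSavesLoop()` stops on `m_stateStack.size() > MaxSaveCount`, so the stack actually tops out at MaxSaveCount + 1 entries and the two bounds disagree by one. Use one definition of the limit in both places, for example `if (m_stateStack.size() >= MaxSaveCount)` in the loop, or `> MaxSaveCount` in the assertion. The `MaxSaveCount` declaration in the last hunk would also benefit from a comment such as `// Upper bound on realized save() states; save() calls beyond it are ignored.`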
