avoid integer overflow in new ImageData

Author: chearon

src/ImageData.cc

@@ -30,7 +30,7 @@ ImageData::ImageData(const Napi::CallbackInfo& info) : Napi::ObjectWrap<ImageDat
   Napi::TypedArray dataArray;
   uint32_t width;
   uint32_t height;
-  int length;
+  uint32_t length;
 
   if (info[0].IsNumber() && info[1].IsNumber()) {
     width = info[0].As<Napi::Number>().Uint32Value();
@@ -43,6 +43,12 @@ ImageData::ImageData(const Napi::CallbackInfo& info) : Napi::ObjectWrap<ImageDat
       Napi::RangeError::New(env, "The source height is zero.").ThrowAsJavaScriptException();
       return;
     }
+    if ((uint64_t)width * height > INT32_MAX / 4) {
+      // INT32_MAX is what Firefox limits ImageData to
+      std::string msg = "buffer exceeds " + std::to_string(INT32_MAX) + " bytes";
+      Napi::Error::New(env, msg).ThrowAsJavaScriptException();
+      return;
+    }
     length = width * height * 4; // ImageData(w, h) constructor assumes 4 BPP; documented.
 
     dataArray = Napi::Uint8Array::New(env, length, napi_uint8_clamped_array);

test/canvas.test.js

@@ -16,7 +16,8 @@ const {
   loadImage,
   registerFont,
   Canvas,
-  deregisterAllFonts
+  deregisterAllFonts,
+  ImageData
 } = require('../')
 
 function assertApprox(actual, expected, tol) {
@@ -999,6 +1000,12 @@ describe('Canvas', function () {
     })
   })
 
+  describe('ImageData', function () {
+    it('checks for overflow', function () {
+      assert.throws(() => new ImageData(0x80000001, 0x80000001))
+    })
+  })
+
   describe('Context2d#measureText()', function () {
     it('Context2d#measureText().width', function () {
       const canvas = createCanvas(20, 20)