f1

Author: chearon

src/CanvasRenderingContext2d.cc

@@ -1058,6 +1058,16 @@ Context2d::GetImageData(const Napi::CallbackInfo& info) {
     sh = -sh;
   }
 
+  int srcStride = canvas->stride();
+  int bpp = srcStride / width;
+  int64_t size = static_cast<int64_t>(sw) * sh * bpp;
+
+  if (size > INT32_MAX) {
+    std::string msg = "buffer exceeds " + std::to_string(INT32_MAX) + " bytes";
+    Napi::Error::New(env, msg).ThrowAsJavaScriptException();
+    return env.Undefined();
+  }
+
   // Width and height to actually copy
   int cw = sw;
   int ch = sh;
@@ -1081,9 +1091,6 @@ Context2d::GetImageData(const Napi::CallbackInfo& info) {
     sy = 0;
   }
 
-  int srcStride = canvas->stride();
-  int bpp = srcStride / width;
-  int size = sw * sh * bpp;
   int dstStride = sw * bpp;
 
   uint8_t *src = canvas->data();

test/canvas.test.js

@@ -1741,6 +1741,13 @@ describe('Canvas', function () {
       })
     })
 
+    it('limits sizes to CAIRO_MAX', function () {
+      const canvas = createCanvas(256, 1);
+      const ctx = canvas.getContext('2d', {pixelFormat: 'A8'});
+      // Integer overflow: 256 * 16777217 * 1(A8) = 0x100000100 → int32 = 256
+      assert.throws(() => ctx.getImageData(0, 0, 256, 16777217));
+    });
+
     describe('does not throw if rectangle is outside the canvas (#2024)', function () {
       it('on the left', function () {
         const ctx = createTestCanvas(true, { pixelFormat: 'A8' })