f3

Author: chearon

src/CanvasRenderingContext2d.cc

@@ -840,6 +840,11 @@ Context2d::PutImageData(const Napi::CallbackInfo& info) {
 
   int dstStride = canvas()->stride();
   int Bpp = dstStride / canvas()->getWidth();
+
+  if (imageData->width() > (uint32_t)INT32_MAX / Bpp) {
+    Napi::Error::New(env, "ImageData width too large").ThrowAsJavaScriptException();
+    return;
+  }
   int srcStride = Bpp * imageData->width();
 
   int sx = 0
@@ -851,11 +856,20 @@ Context2d::PutImageData(const Napi::CallbackInfo& info) {
     , rows
     , cols;
 
+  if (imageData->height() > INT32_MAX) {
+    Napi::Error::New(env, "ImageData height too large").ThrowAsJavaScriptException();
+    return;
+  }
+
+  int iw = imageData->width();
+  int ih = imageData->height();
+
+  // https://searchfox.org/firefox-main/rev/0900c19de62c07b977fe103b3816616b75d63b0a/dom/canvas/CanvasRenderingContext2D.cpp#6736
   switch (info.Length()) {
     // imageData, dx, dy
     case 3:
-      sw = imageData->width();
-      sh = imageData->height();
+      sw = iw;
+      sh = ih;
       break;
     // imageData, dx, dy, sx, sy, sw, sh
     case 7:
@@ -864,23 +878,62 @@ Context2d::PutImageData(const Napi::CallbackInfo& info) {
       sw = info[5].ToNumber().UnwrapOr(zero).Int32Value();
       sh = info[6].ToNumber().UnwrapOr(zero).Int32Value();
       // fix up negative height, width
-      if (sw < 0) sx += sw, sw = -sw;
-      if (sh < 0) sy += sh, sh = -sh;
-      // clamp the left edge
-      if (sx < 0) sw += sx, sx = 0;
-      if (sy < 0) sh += sy, sy = 0;
-      // clamp the right edge
-      if (sx + sw > imageData->width()) sw = imageData->width() - sx;
-      if (sy + sh > imageData->height()) sh = imageData->height() - sy;
-      // start destination at source offset
-      dx += sx;
-      dy += sy;
+      if (sw < 0) {
+        if (sw == INT32_MIN) {
+          Napi::Error::New(env, "dirty width invalid").ThrowAsJavaScriptException();
+          return;
+        }
+        int64_t result = (int64_t)sx + sw;
+        if (result < INT_MIN) {
+          Napi::Error::New(env, "dirty width invalid").ThrowAsJavaScriptException();
+          return;
+        } else {
+          sx = result;
+        }
+        sw = -sw;
+      }
+
+      if (sh < 0) {
+        if (sh == INT32_MIN) {
+          Napi::Error::New(env, "dirty height invalid").ThrowAsJavaScriptException();
+          return;
+        }
+        int64_t result = (int64_t)sy + sh;
+        if (result < INT_MIN) {
+          Napi::Error::New(env, "dirty height invalid").ThrowAsJavaScriptException();
+          return;
+        } else {
+          sy = result;
+        }
+        sh = -sh;
+      }
+      // fix up negative x, y
+      if (sx < 0) sw = std::max(0, sx + sw), sx = 0;
+      if (sy < 0) sh = std::max(0, sy + sh), sy = 0;
+      // clamp the right, bottom edges (sx + sw > iw reorganized for overflow)
+      if (sx > iw - sw) sw = std::max(0, iw - sx);
+      if (sy > ih - sh) sh = std::max(0, ih - sy);
       break;
     default:
       Napi::Error::New(env, "invalid arguments").ThrowAsJavaScriptException();
       return;
   }
 
+  // start destination at source offset
+  // eliminiating INT_MIN makes it safe to subtract dx, dy from sx, sy below
+  if (int64_t result = (int64_t)dx + sx; dx > INT_MIN && result <= INT_MAX) {
+    dx = result; // dx += sx
+  } else {
+    Napi::Error::New(env, "destination x invalid").ThrowAsJavaScriptException();
+    return;
+  }
+  if (int64_t result = (int64_t)dy + sy; dy > INT_MIN && result <= INT_MAX) {
+    dy = result; // dy += sy
+  } else {
+    Napi::Error::New(env, "destination y invalid").ThrowAsJavaScriptException();
+    return;
+  }
+
   // chop off outlying source data
   if (dx < 0) sw += dx, sx -= dx, dx = 0;
   if (dy < 0) sh += dy, sy -= dy, dy = 0;
@@ -894,8 +947,8 @@ Context2d::PutImageData(const Napi::CallbackInfo& info) {
 
   switch (canvas()->getFormat()) {
   case CAIRO_FORMAT_ARGB32: {
-    src += sy * srcStride + sx * 4;
-    dst += dstStride * dy + 4 * dx;
+    src += (ptrdiff_t)sy * srcStride + sx * 4;
+    dst += (ptrdiff_t)dstStride * dy + 4 * dx;
     for (int y = 0; y < rows; ++y) {
       uint8_t *dstRow = dst;
       uint8_t *srcRow = src;
@@ -933,8 +986,8 @@ Context2d::PutImageData(const Napi::CallbackInfo& info) {
     break;
   }
   case CAIRO_FORMAT_RGB24: {
-    src += sy * srcStride + sx * 4;
-    dst += dstStride * dy + 4 * dx;
+    src += (ptrdiff_t)sy * srcStride + sx * 4;
+    dst += (ptrdiff_t)dstStride * dy + 4 * dx;
     for (int y = 0; y < rows; ++y) {
       uint8_t *dstRow = dst;
       uint8_t *srcRow = src;
@@ -957,8 +1010,8 @@ Context2d::PutImageData(const Napi::CallbackInfo& info) {
     break;
   }
   case CAIRO_FORMAT_A8: {
-    src += sy * srcStride + sx;
-    dst += dstStride * dy + dx;
+    src += (ptrdiff_t)sy * srcStride + sx;
+    dst += (ptrdiff_t)dstStride * dy + dx;
     if (srcStride == dstStride && cols == dstStride) {
       // fast path: strides are the same and doing a full-width put
       memcpy(dst, src, cols * rows);
@@ -978,8 +1031,8 @@ Context2d::PutImageData(const Napi::CallbackInfo& info) {
     break;
   }
   case CAIRO_FORMAT_RGB16_565: {
-    src += sy * srcStride + sx * 2;
-    dst += dstStride * dy + 2 * dx;
+    src += (ptrdiff_t)sy * srcStride + sx * 2;
+    dst += (ptrdiff_t)dstStride * dy + 2 * dx;
     for (int y = 0; y < rows; ++y) {
       memcpy(dst, src, cols * 2);
       dst += dstStride;

src/ImageData.h

@@ -12,15 +12,15 @@ class ImageData : public Napi::ObjectWrap<ImageData> {
     Napi::Value GetWidth(const Napi::CallbackInfo& info);
     Napi::Value GetHeight(const Napi::CallbackInfo& info);
 
-    inline int width() { return _width; }
-    inline int height() { return _height; }
+    inline uint32_t width() { return _width; }
+    inline uint32_t height() { return _height; }
     inline uint8_t *data() { return _data; }
 
     Napi::Env env;
 
   private:
-    int _width;
-    int _height;
+    uint32_t _width;
+    uint32_t _height;
     uint8_t *_data;
 
 };