Bug 1067998 - Fix OOM crash in gfxAlphaBoxBlur::Init on large blur surface. r=Bas

2024-09-13 09:24:08 -07:00 · 2014-09-17 08:46:42 +01:00 · 2014-09-17 08:46:42 +01:00 · f61ab44b4a
commit f61ab44b4a
parent 95643dc7ab
3 changed files with 12 additions and 9 deletions
--- a/gfx/2d/Blur.cpp
+++ b/gfx/2d/Blur.cpp
@ -335,7 +335,7 @@ AlphaBoxBlur::AlphaBoxBlur(const Rect& aRect,
                           const Rect* aSkipRect)
 : mSpreadRadius(aSpreadRadius),
   mBlurRadius(aBlurRadius),
-   mSurfaceAllocationSize(-1)
+   mSurfaceAllocationSize(0)
 {
  Rect rect(aRect);
  rect.Inflate(Size(aBlurRadius + aSpreadRadius));
@ -400,7 +400,7 @@ AlphaBoxBlur::AlphaBoxBlur(const Rect& aRect,
    mSpreadRadius(),
    mBlurRadius(CalculateBlurRadius(Point(aSigmaX, aSigmaY))),
    mStride(aStride),
-    mSurfaceAllocationSize(-1)
+    mSurfaceAllocationSize(0)
 {
  IntRect intRect;
  if (aRect.ToIntRect(&intRect)) {
@ -445,7 +445,7 @@ AlphaBoxBlur::GetDirtyRect()
  return nullptr;
 }

-int32_t
+size_t
 AlphaBoxBlur::GetSurfaceAllocationSize() const
 {
  return mSurfaceAllocationSize;
--- a/gfx/2d/Blur.h
+++ b/gfx/2d/Blur.h
@ -94,12 +94,12 @@ public:

  /**
   * Return the minimum buffer size that should be given to Blur() method.  If
-   * negative, the class is not properly setup for blurring.  Note that this
+   * zero, the class is not properly setup for blurring.  Note that this
   * includes the extra three bytes on top of the stride*width, where something
   * like gfxImageSurface::GetDataSize() would report without it, even if it 
   * happens to have the extra bytes.
   */
-  int32_t GetSurfaceAllocationSize() const;
+  size_t GetSurfaceAllocationSize() const;

  /**
   * Perform the blur in-place on the surface backed by specified 8-bit
@ -162,7 +162,7 @@ private:
  /**
   * The minimum size of the buffer needed for the Blur() operation.
   */
-  int32_t mSurfaceAllocationSize;
+  size_t mSurfaceAllocationSize;

  /**
   * Whether mDirtyRect contains valid data.
--- a/gfx/thebes/gfxBlur.cpp
+++ b/gfx/thebes/gfxBlur.cpp
@ -52,15 +52,18 @@ gfxAlphaBoxBlur::Init(const gfxRect& aRect,
    }

    mBlur = MakeUnique<AlphaBoxBlur>(rect, spreadRadius, blurRadius, dirtyRect.get(), skipRect.get());
-    int32_t blurDataSize = mBlur->GetSurfaceAllocationSize();
-    if (blurDataSize <= 0)
+    size_t blurDataSize = mBlur->GetSurfaceAllocationSize();
+    if (blurDataSize == 0)
        return nullptr;

    IntSize size = mBlur->GetSize();

    // Make an alpha-only surface to draw on. We will play with the data after
    // everything is drawn to create a blur effect.
-    mData = new unsigned char[blurDataSize];
+    mData = new (std::nothrow) unsigned char[blurDataSize];
+    if (!mData) {
+        return nullptr;
+    }
    memset(mData, 0, blurDataSize);

    mozilla::RefPtr<DrawTarget> dt =