[MozSec] Bug 1767365 - Clip image data transfers.

author: Lee Salzman <lsalzman@mozilla.com> 2022-06-06 16:09:50 -0500
committer: Matt A. Tobin <email@mattatobin.com> 2022-06-06 16:10:02 -0500
commit: 9c5eadaba1024495f9f59d98fd9dab820ba5868d (patch)
tree: dbb7edf7c4b4056b927492fd2371322a02381847 /dom/canvas
parent: 8c7dfe6831c8bf03f839bc44b6fd26602d987e06 (diff)
download: aura-central-9c5eadaba1024495f9f59d98fd9dab820ba5868d.tar.gz
1 files changed, 21 insertions, 10 deletions
diff --git a/dom/canvas/CanvasRenderingContext2D.cpp b/dom/canvas/CanvasRenderingContext2D.cpp
index 7d00b2cb2..8cb14a1f3 100644
--- a/dom/canvas/CanvasRenderingContext2D.cpp
+++ b/dom/canvas/CanvasRenderingContext2D.cpp
@@ -5745,6 +5745,18 @@ inline uint8_t PoisonValue(uint8_t v)
   return v + rand() %3 -1;
 }
 
+static IntRect ClipImageDataTransfer(IntRect& aSrc,
+                                     const IntPoint& aDestOffset,
+                                     const IntSize& aDestBounds)
+{
+  IntRect dest = aSrc;
+  dest.SafeMoveBy(aDestOffset);
+  dest = IntRect(IntPoint(0, 0), aDestBounds).SafeIntersect(dest);
+
+  aSrc = aSrc.SafeIntersect(dest - aDestOffset);
+  return aSrc + aDestOffset;
+}
+
 nsresult
 CanvasRenderingContext2D::GetImageDataArray(JSContext* aCx,
                                             int32_t aX,
@@ -5785,9 +5797,11 @@ CanvasRenderingContext2D::GetImageDataArray(JSContext* aCx,
     return NS_OK;
   }
 
-  IntRect srcRect(0, 0, mWidth, mHeight);
-  IntRect destRect(aX, aY, aWidth, aHeight);
-  IntRect srcReadRect = srcRect.Intersect(destRect);
+  IntRect dstWriteRect(0, 0, aWidth, aHeight);
+  IntRect srcReadRect = ClipImageDataTransfer(dstWriteRect,
+                                              IntPoint(aX, aY),
+                                              IntSize(mWidth, mHeight));
+
   RefPtr<DataSourceSurface> readback;
   DataSourceSurface::MappedSurface rawData;
   if (!srcReadRect.IsEmpty()) {
@@ -5815,9 +5829,6 @@ CanvasRenderingContext2D::GetImageDataArray(JSContext* aCx,
     }
   }
 
-  IntRect dstWriteRect = srcReadRect;
-  dstWriteRect.MoveBy(-aX, -aY);
-
   JS::AutoCheckCannotGC nogc;
   bool isShared;
   uint8_t* data = JS_GetUint8ClampedArrayData(darray, &isShared, nogc);
@@ -6018,10 +6029,10 @@ CanvasRenderingContext2D::PutImageData_explicit(int32_t aX, int32_t aY, uint32_t
     dirtyRect = imageDataRect;
   }
 
-  dirtyRect.MoveBy(IntPoint(aX, aY));
-  dirtyRect = IntRect(0, 0, mWidth, mHeight).Intersect(dirtyRect);
-
-  if (dirtyRect.Width() <= 0 || dirtyRect.Height() <= 0) {
+  IntRect srcRect = dirtyRect;
+  dirtyRect = ClipImageDataTransfer(srcRect, IntPoint(aX, aY),
+                                    IntSize(mWidth, mHeight));
+  if (dirtyRect.IsEmpty()) {
     return NS_OK;
   }
author	Lee Salzman <lsalzman@mozilla.com>	2022-06-06 16:09:50 -0500
committer	Matt A. Tobin <email@mattatobin.com>	2022-06-06 16:10:02 -0500
commit	9c5eadaba1024495f9f59d98fd9dab820ba5868d (patch)
tree	dbb7edf7c4b4056b927492fd2371322a02381847 /dom/canvas
parent	8c7dfe6831c8bf03f839bc44b6fd26602d987e06 (diff)
download	aura-central-9c5eadaba1024495f9f59d98fd9dab820ba5868d.tar.gz