Cherry-pick 252432.896@safari-7614-branch (91df735). rdar://98583503

djg · aperezdc · commit 2ee4be61cb23 · 2023-01-31T14:13:43.000+02:00
[WebGL] Harden texImageImpl byte length calculation rdar://98583503 Reviewed by Kimmo Kinnunen and Ryan Haddad. The calculation of the image size has been validated earlier but out of an abundance of caution, use checked arithmetic on size_t to perform calculation, returning a GL error on overflow. * Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp: (WebCore::WebGLRenderingContextBase::texImageImpl): Calculate imagePixelsByteLength with checked arithmetic to catch integer overflow. Canonical link: https://commits.webkit.org/252432.896@safari-7614-branch
diff --git a/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp b/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp
@@ -5350,12 +5350,18 @@ void WebGLRenderingContextBase::texImageImpl(TexImageFunctionID functionID, GCGL
     GraphicsContextGL::DataFormat sourceDataFormat = imageExtractor.imageSourceFormat();
     GraphicsContextGL::AlphaOp alphaOp = imageExtractor.imageAlphaOp();
     const void* imagePixelData = imageExtractor.imagePixelData();
+    CheckedSize imagePixelByteLength(imageExtractor.imageWidth());
+    imagePixelByteLength *= imageExtractor.imageHeight();
+    imagePixelByteLength *= 4u;
+    GCGLsizei byteLength = 0;
+    if (imagePixelByteLength.hasOverflowed() || !convertSafely(imagePixelByteLength, byteLength)) {
+        synthesizeGLError(GraphicsContextGL::INVALID_OPERATION, functionName, "image too large");
+        return;
+    }
 
     bool needConversion = true;
-    GCGLsizei byteLength = 0;
     if (type == GraphicsContextGL::UNSIGNED_BYTE && sourceDataFormat == GraphicsContextGL::DataFormat::RGBA8 && format == GraphicsContextGL::RGBA && alphaOp == GraphicsContextGL::AlphaOp::DoNothing && !flipY && !selectingSubRectangle && depth == 1) {
         needConversion = false;
-        byteLength = imageExtractor.imageWidth() * imageExtractor.imageHeight() * 4;
     } else {
         if (!m_context->packImageData(image, imagePixelData, format, type, flipY, alphaOp, sourceDataFormat, imageExtractor.imageWidth(), imageExtractor.imageHeight(), adjustedSourceImageRect, depth, imageExtractor.imageSourceUnpackAlignment(), unpackImageHeight, data)) {
             synthesizeGLError(GraphicsContextGL::INVALID_VALUE, functionName, "packImage error");
