mirror of
https://github.com/classilla/tenfourfox.git
synced 2024-10-21 11:24:51 +00:00
#453: bounds-check CoreGraphics paths because Facebook sucks
This commit is contained in:
parent
c7563bbaf7
commit
4d24850e28
@ -142,99 +142,6 @@ static void inline this_CGContextSetBlendMode(CGContextRef cg, CompositionOp op)
|
|||||||
(CGBlendMode)(pcm - kPrivateCGBlendModesStartHere));
|
(CGBlendMode)(pcm - kPrivateCGBlendModesStartHere));
|
||||||
}
|
}
|
||||||
|
|
||||||
// marked for DEATH
|
|
||||||
PrivateCGCompositeMode ToOldBlendMode(CompositionOp op)
|
|
||||||
{
|
|
||||||
PrivateCGCompositeMode mode = kPrivateCGCompositeSourceOver;
|
|
||||||
switch (op) {
|
|
||||||
case CompositionOp::OP_OVER:
|
|
||||||
mode = kPrivateCGBlendModeNormal; // ??? kPrivateCGCompositeSourceOver;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_ADD:
|
|
||||||
mode = kPrivateCGCompositePlusLighter;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_ATOP:
|
|
||||||
mode = kPrivateCGCompositeSourceAtop;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_OUT:
|
|
||||||
mode = kPrivateCGCompositeSourceOut;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_IN:
|
|
||||||
mode = kPrivateCGCompositeSourceIn;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_SOURCE:
|
|
||||||
mode = kPrivateCGCompositeCopy;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_DEST_IN:
|
|
||||||
mode = kPrivateCGCompositeDestinationIn;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_DEST_OUT:
|
|
||||||
mode = kPrivateCGCompositeDestinationOut;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_DEST_OVER:
|
|
||||||
mode = kPrivateCGCompositeDestinationOver;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_DEST_ATOP:
|
|
||||||
mode = kPrivateCGCompositeSourceAtop;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_XOR:
|
|
||||||
mode = kPrivateCGCompositeXOR;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_MULTIPLY:
|
|
||||||
mode = kPrivateCGBlendModeMultiply;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_SCREEN:
|
|
||||||
mode = kPrivateCGBlendModeScreen;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_OVERLAY:
|
|
||||||
mode = kPrivateCGBlendModeOverlay;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_DARKEN:
|
|
||||||
mode = kPrivateCGBlendModeDarken;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_LIGHTEN:
|
|
||||||
mode = kPrivateCGBlendModeLighten;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_COLOR_DODGE:
|
|
||||||
mode = kPrivateCGBlendModeColorDodge;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_COLOR_BURN:
|
|
||||||
mode = kPrivateCGBlendModeColorBurn;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_HARD_LIGHT:
|
|
||||||
mode = kPrivateCGBlendModeHardLight;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_SOFT_LIGHT:
|
|
||||||
mode = kPrivateCGBlendModeSoftLight;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_DIFFERENCE:
|
|
||||||
mode = kPrivateCGBlendModeDifference;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_EXCLUSION:
|
|
||||||
mode = kPrivateCGBlendModeExclusion;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_HUE:
|
|
||||||
mode = kPrivateCGBlendModeHue;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_SATURATION:
|
|
||||||
mode = kPrivateCGBlendModeSaturation;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_COLOR:
|
|
||||||
mode = kPrivateCGBlendModeColor;
|
|
||||||
break;
|
|
||||||
case CompositionOp::OP_LUMINOSITY:
|
|
||||||
mode = kPrivateCGBlendModeLuminosity;
|
|
||||||
break;
|
|
||||||
/*
|
|
||||||
case OP_CLEAR:
|
|
||||||
mode = kPrivateCGCompositeClear;
|
|
||||||
break;*/
|
|
||||||
default:
|
|
||||||
mode = kPrivateCGBlendModeNormal; // ??? kPrivateCGCompositeSourceOver;
|
|
||||||
}
|
|
||||||
return mode;
|
|
||||||
}
|
|
||||||
|
|
||||||
#else
|
#else
|
||||||
|
|
||||||
static void inline this_CGContextSetBlendMode(CGContextRef cg, CGBlendMode m) {
|
static void inline this_CGContextSetBlendMode(CGContextRef cg, CGBlendMode m) {
|
||||||
@ -348,6 +255,25 @@ InterpolationQualityFromFilter(Filter aFilter)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TenFourFox issue 453
|
||||||
|
// There is no bounds-checking on CoreGraphics paths.
|
||||||
|
// Also, Facebook can suck me.
|
||||||
|
static inline bool this_CGContextAddPath(CGContextRef aContext, CGPathRef aPath)
|
||||||
|
{
|
||||||
|
// Empty paths are always acceptable (and shouldn't be added anyway).
|
||||||
|
if (CGPathIsEmpty(aPath)) return true;
|
||||||
|
|
||||||
|
// Non-empty paths need to be bounds-checked.
|
||||||
|
CGRect r = CGPathGetBoundingBox(aPath);
|
||||||
|
if (MOZ_UNLIKELY(CGRectIsNull(r))) return true; // should have been caught above?
|
||||||
|
if (MOZ_UNLIKELY(r.origin.x >= INT_MAX || r.origin.x <= INT_MIN)) return false;
|
||||||
|
if (MOZ_UNLIKELY(r.origin.y >= INT_MAX || r.origin.y <= INT_MIN)) return false;
|
||||||
|
if (MOZ_UNLIKELY(r.size.height >= INT_MAX)) return false;
|
||||||
|
if (MOZ_UNLIKELY(r.size.width >= INT_MAX)) return false;
|
||||||
|
|
||||||
|
CGContextAddPath(aContext, aPath);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
DrawTargetCG::DrawTargetCG()
|
DrawTargetCG::DrawTargetCG()
|
||||||
: mColorSpace(nullptr)
|
: mColorSpace(nullptr)
|
||||||
@ -1643,7 +1569,12 @@ DrawTargetCG::Stroke(const Path *aPath, const Pattern &aPattern, const StrokeOpt
|
|||||||
|
|
||||||
//assert(aPath->GetBackendType() == BackendType::COREGRAPHICS);
|
//assert(aPath->GetBackendType() == BackendType::COREGRAPHICS);
|
||||||
const PathCG *cgPath = static_cast<const PathCG*>(aPath);
|
const PathCG *cgPath = static_cast<const PathCG*>(aPath);
|
||||||
CGContextAddPath(cg, cgPath->GetPath());
|
if (MOZ_UNLIKELY(!this_CGContextAddPath(cg, cgPath->GetPath()))) {
|
||||||
|
fprintf(stderr, "Warning: TenFourFox DrawTargetCG::Stroke received an illegal path coordinate.\n");
|
||||||
|
fixer.Fix(this);
|
||||||
|
CGContextRestoreGState(mCg);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
SetStrokeOptions(cg, aStrokeOptions);
|
SetStrokeOptions(cg, aStrokeOptions);
|
||||||
|
|
||||||
@ -1700,7 +1631,12 @@ DrawTargetCG::Fill(const Path *aPath, const Pattern &aPattern, const DrawOptions
|
|||||||
CGContextClipToRect(mCg, CGRectZero);
|
CGContextClipToRect(mCg, CGRectZero);
|
||||||
extents = CGRectZero;
|
extents = CGRectZero;
|
||||||
} else {
|
} else {
|
||||||
CGContextAddPath(cg, cgPath->GetPath());
|
if (MOZ_UNLIKELY(!this_CGContextAddPath(cg, cgPath->GetPath()))) {
|
||||||
|
fprintf(stderr, "Warning: TenFourFox DrawTargetCG::Fill received an illegal path coordinate.\n");
|
||||||
|
fixer.Fix(this);
|
||||||
|
CGContextRestoreGState(mCg);
|
||||||
|
return;
|
||||||
|
}
|
||||||
extents = CGContextGetPathBoundingBox(cg);
|
extents = CGContextGetPathBoundingBox(cg);
|
||||||
if (cgPath->GetFillRule() == FillRule::FILL_EVEN_ODD)
|
if (cgPath->GetFillRule() == FillRule::FILL_EVEN_ODD)
|
||||||
CGContextEOClip(mCg);
|
CGContextEOClip(mCg);
|
||||||
@ -1710,7 +1646,12 @@ DrawTargetCG::Fill(const Path *aPath, const Pattern &aPattern, const DrawOptions
|
|||||||
|
|
||||||
DrawGradient(mColorSpace, cg, aPattern, extents);
|
DrawGradient(mColorSpace, cg, aPattern, extents);
|
||||||
} else {
|
} else {
|
||||||
CGContextAddPath(cg, cgPath->GetPath());
|
if (MOZ_UNLIKELY(!this_CGContextAddPath(cg, cgPath->GetPath()))) {
|
||||||
|
fprintf(stderr, "Warning: TenFourFox DrawTargetCG::Fill received an illegal path coordinate.\n");
|
||||||
|
fixer.Fix(this);
|
||||||
|
CGContextRestoreGState(mCg);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
SetFillFromPattern(cg, mColorSpace, aPattern);
|
SetFillFromPattern(cg, mColorSpace, aPattern);
|
||||||
|
|
||||||
@ -2050,10 +1991,10 @@ DrawTargetCG::Init(BackendType aType,
|
|||||||
{
|
{
|
||||||
// XXX: we should come up with some consistent semantics for dealing
|
// XXX: we should come up with some consistent semantics for dealing
|
||||||
// with zero area drawtargets
|
// with zero area drawtargets
|
||||||
if (aSize.width <= 0 ||
|
if (MOZ_UNLIKELY(aSize.width <= 0 ||
|
||||||
aSize.height <= 0 ||
|
aSize.height <= 0 ||
|
||||||
size_t(aSize.width) > GetMaxSurfaceSize() ||
|
size_t(aSize.width) > GetMaxSurfaceSize() ||
|
||||||
size_t(aSize.height) > GetMaxSurfaceSize())
|
size_t(aSize.height) > GetMaxSurfaceSize()))
|
||||||
{
|
{
|
||||||
gfxWarning() << "Failed to Init() DrawTargetCG because of bad size.";
|
gfxWarning() << "Failed to Init() DrawTargetCG because of bad size.";
|
||||||
mColorSpace = nullptr;
|
mColorSpace = nullptr;
|
||||||
@ -2128,7 +2069,7 @@ DrawTargetCG::Init(BackendType aType,
|
|||||||
}
|
}
|
||||||
|
|
||||||
//assert(mCg);
|
//assert(mCg);
|
||||||
if (!mCg) {
|
if (MOZ_UNLIKELY(!mCg)) {
|
||||||
gfxCriticalError() << "Failed to create CG context" << mSize << ", " << aStride;
|
gfxCriticalError() << "Failed to create CG context" << mSize << ", " << aStride;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -2242,7 +2183,7 @@ DrawTargetCG::Init(CGContextRef cgContext, const IntSize &aSize)
|
|||||||
CGContextRetain(mCg);
|
CGContextRetain(mCg);
|
||||||
|
|
||||||
//assert(mCg);
|
//assert(mCg);
|
||||||
if (!mCg) {
|
if (MOZ_UNLIKELY(!mCg)) {
|
||||||
gfxCriticalError() << "Invalid CG context at Init " << aSize;
|
gfxCriticalError() << "Invalid CG context at Init " << aSize;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -2384,7 +2325,10 @@ DrawTargetCG::PushClip(const Path *aPath)
|
|||||||
* while we add the path. XXX: this could be improved if we keep
|
* while we add the path. XXX: this could be improved if we keep
|
||||||
* the CTM as resident state on the DrawTarget. */
|
* the CTM as resident state on the DrawTarget. */
|
||||||
CGContextSaveGState(mCg);
|
CGContextSaveGState(mCg);
|
||||||
CGContextAddPath(mCg, cgPath->GetPath());
|
if (MOZ_UNLIKELY(!this_CGContextAddPath(mCg, cgPath->GetPath()))) {
|
||||||
|
fprintf(stderr, "Warning: TenFourFox DrawTargetCG::PushClip received an illegal coordinate.\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
CGContextRestoreGState(mCg);
|
CGContextRestoreGState(mCg);
|
||||||
|
|
||||||
if (cgPath->GetFillRule() == FillRule::FILL_EVEN_ODD)
|
if (cgPath->GetFillRule() == FillRule::FILL_EVEN_ODD)
|
||||||
|
Loading…
Reference in New Issue
Block a user