Open
Bug 1298548
Opened 8 years ago
Updated 2 years ago
Prevent overflow in logical size / cost calculations related to the ImageLib surface cache
Categories
(Core :: Graphics: ImageLib, defect)
Core
Graphics: ImageLib
Tracking
()
NEW
People
(Reporter: seth, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(2 files)
1.70 KB,
patch
|
dholbert
:
review+
|
Details | Diff | Splinter Review |
5.56 KB,
patch
|
dholbert
:
review+
|
Details | Diff | Splinter Review |
To compute the "cost" of storing a cache entry in the ImageLib surface cache, we use a heuristic that generally involves computing the area of a surface. That in turn involves multiplying a width by a height. When this computation overflows, the cost value can wrap around to something very small, which could lead us to allocate much more memory for surfaces than we're supposed to. We can fix this by performing the calculations via CheckedInt.
Reporter | ||
Comment 1•8 years ago
|
||
CanHold() just redirects to ComputeCost(), so the fix goes there. We perform the math using CheckedInt32 because IntSize uses int32_t as the underlying type. We then convert to CheckedInt<Cost> and return the value if it's valid.
Attachment #8785490 -
Flags: review?(dholbert)
Reporter | ||
Comment 2•8 years ago
|
||
This part makes the same alteration to the various LogicalSizeInBytes() implementations. We should probably consolidate all this code, but it's not completely trivial so I decided to leave that for future work rather than delay getting this bug fixed.
Attachment #8785491 -
Flags: review?(dholbert)
Comment 3•8 years ago
|
||
Comment on attachment 8785490 [details] [diff] [review] (Part 1) - Use CheckedInt to prevent overflow in SurfaceCache::CanHold(). Review of attachment 8785490 [details] [diff] [review]: ----------------------------------------------------------------- r=me
Attachment #8785490 -
Flags: review?(dholbert) → review+
Comment 4•8 years ago
|
||
Comment on attachment 8785491 [details] [diff] [review] (Part 2) - Use CheckedInt to prevent overflow in ISurfaceProvider::LogicalSizeInBytes() implementations. Review of attachment 8785491 [details] [diff] [review]: ----------------------------------------------------------------- r=me, one nit: ::: image/ISurfaceProvider.cpp @@ +67,5 @@ > > size_t > SimpleSurfaceProvider::LogicalSizeInBytes() const > { > + const IntSize size = mSurface->GetSize(); You're removing the "gfx::" prefix for brevity here (you're replacing gfx::IntSize with just IntSize), BUT this file has no "using" decl to provide the gfx namespace. (The other files in this patch do have that, but this one does not.) Please add... using namespace mozilla::gfx; ...to the top of this file, to provide that & to avoid introducing a unified-build compilation-error timebomb. :)
Attachment #8785491 -
Flags: review?(dholbert) → review+
Comment 5•2 years ago
|
||
The bug assignee didn't login in Bugzilla in the last 7 months.
:aosmond, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee: seth.bugzilla → nobody
Flags: needinfo?(aosmond)
Updated•2 years ago
|
Severity: normal → S4
Flags: needinfo?(aosmond)
You need to log in
before you can comment on or make changes to this bug.
Description
•