From 96cfdebced9ce884320510b11e64fd6e23913965 Mon Sep 17 00:00:00 2001
From: Halil Durak
Date: Thu, 19 Feb 2026 12:02:50 +0300
Subject: [PATCH] `ImageData#constructor`: check bounds of dimensions + don't overflow size

Also adds a related `too-large` test.
---
 src/browser/tests/image_data.html | 8 ++++----
 src/browser/webapi/ImageData.zig | 11 +++++++++--
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/browser/tests/image_data.html b/src/browser/tests/image_data.html
index ccaef668..3cf3282e 100644
--- a/src/browser/tests/image_data.html
+++ b/src/browser/tests/image_data.html
@@ -59,10 +59,6 @@
 }
-
+
+
diff --git a/src/browser/webapi/ImageData.zig b/src/browser/webapi/ImageData.zig
index 05fcae6c..c9ced5f1 100644
--- a/src/browser/webapi/ImageData.zig
+++ b/src/browser/webapi/ImageData.zig
@@ -58,7 +58,10 @@ pub fn constructor(
 maybe_settings: ?ConstructorSettings,
 page: *Page,
 ) !*ImageData {
- if (width == 0 or height == 0) {
+ // Though arguments are unsigned long, these are capped to max. i32 on Chrome.
+ // https://github.com/chromium/chromium/blob/main/third_party/blink/renderer/core/html/canvas/image_data.cc#L61
+ const max_i32 = std.math.maxInt(i32);
+ if (width == 0 or width > max_i32 or height == 0 or height > max_i32) {
 return error.IndexSizeError;
 }
@@ -70,7 +73,11 @@ pub fn constructor(
 return error.TypeError;
 }
- const size = width * height * 4;
+ var size, var overflown = @mulWithOverflow(width, height);
+ if (overflown == 1) return error.IndexSizeError;
+ size, overflown = @mulWithOverflow(size, 4);
+ if (overflown == 1) return error.IndexSizeError;
+
 return page._factory.create(ImageData{
 ._width = width,
 ._height = height,
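Review bot: The two `@mulWithOverflow` checks in the second ImageData.zig hunk make the arithmetic safe, but `size` remains a script-controlled value that, after the i32 cap from the first hunk, can still be on the order of 2^31 * 2^31 * 4 bytes if `width` is wider than 32 bits, and it presumably feeds a buffer allocation further down in `constructor`, outside this hunk. If that allocation's `OutOfMemory` is not mapped to a DOM-visible error, a page can turn a single `new ImageData(w, h)` into an abort or a very large reservation, so consider a total byte-length ceiling at this point (the Chromium file the new comment cites also bounds the backing-store length, if I recall correctly) or confirm the failure path is handled. A more compact form of the two checks that also lets `size` be `const` is `const pixels = std.math.mul(@TypeOf(width), width, height) catch return error.IndexSizeError;` followed by `const size = std.math.mul(@TypeOf(width), pixels, 4) catch return error.IndexSizeError;`. The body of `constructor` starts before the first hunk and continues past the second.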