Bug 24209

Summary: HTMLCanvasElement::createImageBuffer() does not check return of ImageBuffer::create!
Product: WebKit
Reporter: Eric Seidel (no email) <eric>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: zwarich
Priority: P1
Keywords: NeedsReduction
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
Attachments: stack trace of crash (flags: none)

Eric Seidel (no email)
Reported 2009-02-26 14:49:29 PST
HTMLCanvasElement::createImageBuffer() does not check return of ImageBuffer::create! (And thus crashes). This is crashing an internal Google tool. Sadly, I don't have a reduction for you, but the crash is pretty easy to see from the code:

    void HTMLCanvasElement::createImageBuffer() const
    {
        ASSERT(!m_imageBuffer);
        m_createdImageBuffer = true;

        FloatSize unscaledSize(width(), height());
        IntSize size = convertLogicalToDevice(unscaledSize);
        if (!size.width() || !size.height())
            return;
        m_imageBuffer.set(ImageBuffer::create(size, false).release()); // THIS RETURNS NULL SOMETIMES
        m_imageBuffer->context()->scale(FloatSize(size.width() / unscaledSize.width(), size.height() / unscaledSize.height())); // CRASH!
        m_imageBuffer->context()->setShadowsIgnoreTransforms(true);
    }
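As an added illustration, not code from WebKit or from this bug's attachments, the following C++ model reproduces the shape of the reported path with the null check in place: IntSize, ImageBuffer, CanvasModel and the allocation cap are stand-ins for the real classes, and the scale/shadow calls on the context are replaced by a flag.

```cpp
// Added illustration, not WebKit code: a stripped-down model of the
// createImageBuffer() path with the null check that bug 24209 lacks.
// IntSize, ImageBuffer, CanvasModel and the size limit are stand-ins.
#include <cstdint>
#include <memory>

struct IntSize { int width; int height; };

// Stand-in for WebCore::ImageBuffer. Like the real factory, create() reports
// failure by returning null (here: zero dimensions or an oversized backing
// store), so every caller must check the result before dereferencing it.
class ImageBuffer {
public:
    static std::unique_ptr<ImageBuffer> create(IntSize size) {
        const int64_t maxBytes = 64LL * 1024 * 1024;  // arbitrary cap for the model
        int64_t bytes = int64_t(size.width) * size.height * 4;  // 4 bytes per pixel
        if (size.width <= 0 || size.height <= 0 || bytes > maxBytes)
            return nullptr;
        return std::unique_ptr<ImageBuffer>(new ImageBuffer(size));
    }
    IntSize size() const { return m_size; }
private:
    explicit ImageBuffer(IntSize s) : m_size(s) {}
    IntSize m_size;
};

// Stand-in for the canvas element: same control flow as the reported
// function, plus the early return when create() fails.
class CanvasModel {
public:
    CanvasModel(int w, int h) : m_size{w, h} {}

    void createImageBuffer() {
        if (m_createdImageBuffer) return;
        m_createdImageBuffer = true;
        if (!m_size.width || !m_size.height) return;
        m_imageBuffer = ImageBuffer::create(m_size);
        if (!m_imageBuffer)
            return;  // the check the reported code is missing; no context() call on null
        m_scaled = true;  // stands in for context()->scale(...) on the live buffer
    }
    bool hasBuffer() const { return m_imageBuffer != nullptr; }
    bool scaled() const { return m_scaled; }
private:
    IntSize m_size;
    bool m_createdImageBuffer = false;
    bool m_scaled = false;
    std::unique_ptr<ImageBuffer> m_imageBuffer;
};
```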
Attachments: stack trace of crash (40.16 KB, text/plain), 2009-02-26 14:50 PST, Eric Seidel (no email), no flags
Eric Seidel (no email)
Comment 1 2009-02-26 14:50:51 PST
Created attachment 28041: stack trace of crash
Cameron Zwarich (cpst)
Comment 2 2009-02-27 13:25:56 PST
Eric, isn't this just a duplicate of bug 23212?
Eric Seidel (no email)
Comment 3 2009-02-27 14:27:11 PST
*** This bug has been marked as a duplicate of 23212 ***