Bug 250543 - ImageData() should return a DOMException if index or size is too big
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Canvas
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: BrowserCompat, InRadar, WPTImpact
Depends on:
Blocks:
 
Reported: 2023-01-12 21:24 PST by Karl Dubost
Modified: 2023-08-26 08:16 PDT
Description Karl Dubost 2023-01-12 21:24:19 PST
new ImageData(1 << 31, 1 << 31);

returns in Safari TP160

rangeerror: Cannot allocate a buffer of this size

while it returns 

Firefox: Uncaught DOMException: Index or size is negative or greater than the allowed amount
Chrome:  Uncaught DOMException: Failed to construct 'ImageData': The requested image size exceeds the supported range.


See https://searchfox.org/wubkat/rev/12fc92585a259a29b2522e7e902492be45a57b6a/Source/WebCore/html/ImageData.cpp#87-123


This is expected to pass 
http://wpt.live/html/canvas/element/pixel-manipulation/2d.imageData.object.ctor.basics.html
https://wpt.fyi/results/html/canvas/element/pixel-manipulation/2d.imageData.object.ctor.basics.html
Comment 1 Radar WebKit Bug Importer 2023-01-19 21:25:17 PST
<rdar://problem/104461776>
Comment 2 Anne van Kesteren 2023-08-26 08:16:53 PDT
I think this is a bug in Chromium and Gecko. https://html.spec.whatwg.org/#initialize-an-imagedata-object quite clearly states to reuse the RangeError exception for OOM.

I guess 1 << 31 somehow ends up being treated as a positive integer due to IDL? That's the one thing I'm not totally clear on.
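
Added example, not part of the bug report or of any engine's source: the ImageData constructor takes its dimensions as WebIDL `unsigned long`, and the sketch below carries `1 << 31` through that conversion, computes the buffer size the call then asks for, and classifies the resulting failure so that page code behaves the same whichever exception type an engine throws. The function names are hypothetical.

```javascript
// Added illustration; helper names are hypothetical, not WebKit, Chromium or Gecko code.

// WebIDL "unsigned long" conversion without [EnforceRange] or [Clamp]:
// ToNumber, truncate toward zero, then reduce modulo 2^32.
function toUnsignedLong(value) {
  const n = Number(value);
  if (!Number.isFinite(n)) return 0;            // NaN and +/-Infinity map to 0
  const m = Math.trunc(n) % 2 ** 32;
  return m < 0 ? m + 2 ** 32 : m;               // negative inputs wrap to positive
}

// Bytes an RGBA (4 bytes per pixel) backing store needs for the converted size.
// BigInt is used because the product exceeds Number.MAX_SAFE_INTEGER.
function requestedBytes(sw, sh) {
  return BigInt(toUnsignedLong(sw)) * BigInt(toUnsignedLong(sh)) * 4n;
}

// Run a constructor call and report how it failed, accepting both the
// RangeError and the DOMException behaviour described in this bug.
function classifyImageDataFailure(construct) {
  try {
    construct();
    return "ok";
  } catch (e) {
    if (e instanceof RangeError) return "RangeError";
    if (typeof DOMException !== "undefined" && e instanceof DOMException) {
      return "DOMException:" + e.name;
    }
    throw e;                                    // unrelated failure: do not swallow
  }
}

// In a browser:
//   classifyImageDataFailure(() => new ImageData(1 << 31, 1 << 31));
// `1 << 31` is -2147483648 as a JavaScript value, but the constructor sees
// 2147483648 for each dimension, i.e. a request for 2^64 bytes.
```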