Prevent segfaults caused by creating a too large canvas (#1151)

* Fix warning

* Detect bad allocations

* Fix zero-width canvas edge case

* Add test

* Update changelog

* Fix compiler error

* Improve error handling

* Update tests

* Fix tests for node 4

* Add new line

Author: Hakerh400

CHANGELOG.md

@@ -29,6 +29,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
  * Prevent JPEG errors from crashing process (#1124)
  * Improve handling of invalid arguments (#1129)
  * Fix repeating patterns when drawing a canvas to itself (#1136)
+ * Prevent segfaults caused by creating a too large canvas
 
 ### Added
  * Prebuilds (#992)

src/Canvas.cc

@@ -116,6 +116,11 @@ NAN_METHOD(Canvas::New) {
     backend = new ImageBackend(0, 0);
   }
 
+  if (!backend->isSurfaceValid()) {
+    delete backend;
+    return Nan::ThrowError(backend->getError());
+  }
+
   Canvas* canvas = new Canvas(backend);
   canvas->Wrap(info.This());
 

src/CanvasRenderingContext2d.cc

@@ -675,6 +675,7 @@ NAN_METHOD(Context2d::New) {
   }
 
   Context2d *context = new Context2d(canvas);
+
   context->Wrap(info.This());
   info.GetReturnValue().Set(info.This());
 }
@@ -825,7 +826,7 @@ NAN_METHOD(Context2d::PutImageData) {
       dst += dstStride;
       src += srcStride;
     }
-	  break;
+    break;
   }
   case CAIRO_FORMAT_RGB24: {
     src += sy * srcStride + sx * 4;
@@ -923,6 +924,14 @@ NAN_METHOD(Context2d::GetImageData) {
   if (!sh)
     return Nan::ThrowError("IndexSizeError: The source height is 0.");
 
+  int width = canvas->getWidth();
+  int height = canvas->getHeight();
+
+  if (!width)
+    return Nan::ThrowTypeError("Canvas width is 0");
+  if (!height)
+    return Nan::ThrowTypeError("Canvas height is 0");
+
   // WebKit and Firefox have this behavior:
   // Flip the coordinates so the origin is top/left-most:
   if (sw < 0) {
@@ -934,8 +943,6 @@ NAN_METHOD(Context2d::GetImageData) {
     sh = -sh;
   }
 
-  int width  = canvas->getWidth();
-  int height = canvas->getHeight();
   if (sx + sw > width) sw = width - sx;
   if (sy + sh > height) sh = height - sy;
 
@@ -955,7 +962,7 @@ NAN_METHOD(Context2d::GetImageData) {
   }
 
   int srcStride = canvas->stride();
-  int bpp = srcStride / canvas->getWidth();
+  int bpp = srcStride / width;
   int size = sw * sh * bpp;
   int dstStride = sw * bpp;
 
@@ -1211,8 +1218,8 @@ NAN_METHOD(Context2d::DrawImage) {
   }
 
   bool sameCanvas = surface == context->canvas()->surface();
-  cairo_surface_t *surfTemp;
-  cairo_t *ctxTemp;
+  cairo_surface_t *surfTemp = NULL;
+  cairo_t *ctxTemp = NULL;
 
   if (sameCanvas) {
     int width = context->canvas()->getWidth();

src/backend/Backend.cc

@@ -2,88 +2,105 @@
 
 
 Backend::Backend(string name, int width, int height)
-	: name(name)
-	, width(width)
-	, height(height)
-	, surface(NULL)
-	, canvas(NULL)
-	, _closure(NULL)
+  : name(name)
+  , width(width)
+  , height(height)
+  , surface(NULL)
+  , canvas(NULL)
+  , _closure(NULL)
 {}
 
 Backend::~Backend()
 {
-	this->destroySurface();
+  this->destroySurface();
 }
 
 
 void Backend::setCanvas(Canvas* _canvas)
 {
-	this->canvas = _canvas;
+  this->canvas = _canvas;
 }
 
 
 cairo_surface_t* Backend::recreateSurface()
 {
-	this->destroySurface();
+  this->destroySurface();
 
-	return this->createSurface();
+  return this->createSurface();
 }
 
 cairo_surface_t* Backend::getSurface() {
-	if (!surface) createSurface();
-	return surface;
+  if (!surface) createSurface();
+  return surface;
 }
 
 void Backend::destroySurface()
 {
-	if(this->surface)
-	{
-		cairo_surface_destroy(this->surface);
-		this->surface = NULL;
-	}
+  if(this->surface)
+  {
+    cairo_surface_destroy(this->surface);
+    this->surface = NULL;
+  }
 }
 
 
 string Backend::getName()
 {
-	return name;
+  return name;
 }
 
 int Backend::getWidth()
 {
-	return this->width;
+  return this->width;
 }
 void Backend::setWidth(int width_)
 {
-	this->width = width_;
-	this->recreateSurface();
+  this->width = width_;
+  this->recreateSurface();
 }
 
 int Backend::getHeight()
 {
-	return this->height;
+  return this->height;
 }
 void Backend::setHeight(int height_)
 {
-	this->height = height_;
-	this->recreateSurface();
+  this->height = height_;
+  this->recreateSurface();
+}
+
+bool Backend::isSurfaceValid(){
+  bool hadSurface = surface != NULL;
+  bool isValid = true;
+
+  cairo_status_t status = cairo_surface_status(getSurface());
+
+  if (status != CAIRO_STATUS_SUCCESS) {
+    error = cairo_status_to_string(status);
+    isValid = false;
+  }
+
+  if (!hadSurface)
+    destroySurface();
+
+  return isValid;
 }
 
 
 BackendOperationNotAvailable::BackendOperationNotAvailable(Backend* backend,
-	string operation_name)
-	: backend(backend)
-	, operation_name(operation_name)
+  string operation_name)
+  : backend(backend)
+  , operation_name(operation_name)
 {};
 
 BackendOperationNotAvailable::~BackendOperationNotAvailable() throw() {};
 
 const char* BackendOperationNotAvailable::what() const throw()
 {
-	std::ostringstream o;
+  std::ostringstream o;
 
-	o << "operation " << this->operation_name;
-	o << " not supported by backend " + backend->getName();
+  o << "operation " << this->operation_name;
+  o << " not supported by backend " + backend->getName();
 
-	return o.str().c_str();
+  return o.str().c_str();
 };

src/backend/Backend.h

@@ -17,6 +17,7 @@ class Backend : public Nan::ObjectWrap
 {
   private:
     const string name;
+    const char* error = NULL;
 
   protected:
     int width;
@@ -58,6 +59,9 @@ class Backend : public Nan::ObjectWrap
       return CAIRO_FORMAT_INVALID;
 #endif
     }
+
+    bool isSurfaceValid();
+    inline const char* getError(){ return error; }
 };
 
 

src/backend/ImageBackend.cc

@@ -37,12 +37,12 @@ int32_t ImageBackend::approxBytesPerPixel() {
 
 cairo_surface_t* ImageBackend::createSurface()
 {
-	assert(!this->surface);
-	this->surface = cairo_image_surface_create(this->format, width, height);
-	assert(this->surface);
-	Nan::AdjustExternalMemory(approxBytesPerPixel() * width * height);
+  assert(!this->surface);
+  this->surface = cairo_image_surface_create(this->format, width, height);
+  assert(this->surface);
+  Nan::AdjustExternalMemory(approxBytesPerPixel() * width * height);
 
-	return this->surface;
+  return this->surface;
 }
 
 cairo_surface_t* ImageBackend::recreateSurface()

test/canvas.test.js

@@ -257,6 +257,42 @@ describe('Canvas', function () {
     assert.ok('object' == typeof ctx);
     assert.equal(canvas, ctx.canvas, 'context.canvas is not canvas');
     assert.equal(ctx, canvas.context, 'canvas.context is not context');
+
+    const MAX_IMAGE_SIZE = 32767;
+
+    [
+      [0, 0, 1],
+      [1, 0, 1],
+      [MAX_IMAGE_SIZE, 0, 1],
+      [MAX_IMAGE_SIZE + 1, 0, 3],
+      [MAX_IMAGE_SIZE, MAX_IMAGE_SIZE, null],
+      [MAX_IMAGE_SIZE + 1, MAX_IMAGE_SIZE, 3],
+      [MAX_IMAGE_SIZE + 1, MAX_IMAGE_SIZE + 1, 3],
+      [Math.pow(2, 30), 0, 3],
+      [Math.pow(2, 30), 1, 3],
+      [Math.pow(2, 32), 0, 1],
+      [Math.pow(2, 32), 1, 1],
+    ].forEach(params => {
+      var width = params[0];
+      var height = params[1];
+      var errorLevel = params[2];
+
+      var level = 3;
+
+      try {
+        var canvas = createCanvas(width, height);
+        level--;
+
+        var ctx = canvas.getContext('2d');
+        level--;
+
+        ctx.getImageData(0, 0, 1, 1);
+        level--;
+      } catch (err) {}
+
+      if (errorLevel !== null)
+        assert.strictEqual(level, errorLevel);
+    });
   });
 
   it('Canvas#getContext("2d", {pixelFormat: string})', function () {