oliver authored
Reviewed by Maciej.

WebCore:

Fix for rdar://problem/4849948 -- JSCanvasRenderingContext2D::drawImage crashes when given invalid arguments.

JSCanvasRenderingContext2D frequently casts from JSValue* to JSObject* and then checks isObject *after* the cast. JSObject::isObject is unsafe if applied to a JSImmediate value (null, undefined, etc). This patch corrects the logic in a number of places by performing the isObject check before casting to JSObject.

* bindings/js/JSCanvasRenderingContext2DCustom.cpp:
(WebCore::JSCanvasRenderingContext2D::drawImage):
(WebCore::JSCanvasRenderingContext2D::drawImageFromRect):
(WebCore::JSCanvasRenderingContext2D::createPattern):

LayoutTests:

Layout tests for rdar://problem/4849948

Make sure we don't crash when passing invalid args to Canvas::drawImage

* fast/canvas/drawImage-with-invalid-args-expected.checksum: Added.
* fast/canvas/drawImage-with-invalid-args-expected.png: Added.
* fast/canvas/drawImage-with-invalid-args-expected.txt: Added.
* fast/canvas/drawImage-with-invalid-args.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@20746 268f45cc-cd09-0410-ab3c-d52691b4dbfc
624f871e
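
The check-before-cast ordering the commit message describes, as an added example that is not WebKit code or part of this commit. It uses a simplified model: `Value`, `Cell`, `Object`, the tag bit, the immediate encodings and `drawImageChecked` are all hypothetical names and values chosen for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified model, not WebKit code: a Value is either the address of a heap
// Cell or an "immediate" (null, undefined) packed into the bits themselves.
using Value = std::uintptr_t;
const Value kTagBit = 0x1;                  // assumed tag: low bit set = immediate
const Value kNull = 0x3, kUndefined = 0x5;  // constructed immediate encodings

struct Cell {
    virtual ~Cell() {}
    virtual bool isObject() const { return false; }
};
struct Object : Cell {
    bool isObject() const override { return true; }
};

inline bool isImmediate(Value v) { return (v & kTagBit) != 0; }
inline Value fromCell(Cell* c) { return reinterpret_cast<Value>(c); }

// Check first, cast second. In this model, calling Cell::isObject() through a
// pointer made from kNull would read a vtable pointer at address 0x3, which is
// the kind of crash the commit message describes.
Object* toObjectOrNull(Value v) {
    if (isImmediate(v))
        return nullptr;                      // never dereference an immediate
    Cell* cell = reinterpret_cast<Cell*>(v);
    return cell->isObject() ? static_cast<Object*>(cell) : nullptr;
}

enum DrawResult { Drawn, TypeMismatch };

// Hypothetical binding entry point: reject bad arguments instead of crashing.
DrawResult drawImageChecked(Value imageArg) {
    Object* image = toObjectOrNull(imageArg);
    if (!image)
        return TypeMismatch;
    return Drawn;                            // actual drawing is out of scope here
}

int main() {
    Object img;
    Cell notAnObject;
    std::printf("object=%d null=%d undefined=%d cell=%d\n",
                drawImageChecked(fromCell(&img)), drawImageChecked(kNull),
                drawImageChecked(kUndefined), drawImageChecked(fromCell(&notAnObject)));
    return 0;
}
```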