Merge remote-tracking branch 'origin/5.4' into 5.5

Change-Id: If6bc4592dc0539dc8b95c712bb90f5be4acf9475
author: Frederik Gladhorn <frederik.gladhorn@theqtcompany.com> 2015-02-25 10:16:35 +0100
committer: Frederik Gladhorn <frederik.gladhorn@theqtcompany.com> 2015-02-25 10:16:45 +0100
commit: 5d5b80aa50ba3a3082819ec0c1f60cdaca82bbde (patch)
tree: aa3189d2c05123c1e079b4652c78665eda7ef957
parent: aced58b77e9c91c98ac2ed60a2219d87fdc6c074 (diff)
parent: 7d0214d14e1e4770db61f51ee0511c0fafa2bf61 (diff)
download: qtwebkit-5d5b80aa50ba3a3082819ec0c1f60cdaca82bbde.tar.gz
3 files changed, 8 insertions, 2 deletions
diff --git a/Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp b/Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp
index ece3c3f27..58db02696 100644
--- a/Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp
+++ b/Source/WebCore/platform/graphics/gstreamer/ImageGStreamerQt.cpp
@@ -45,6 +45,10 @@ ImageGStreamer::ImageGStreamer(GstBuffer* buffer, GstCaps* caps)
 #ifdef GST_API_VERSION_1
     gst_buffer_map(buffer, &m_mapInfo, GST_MAP_READ);
     uchar* bufferData = reinterpret_cast<uchar*>(m_mapInfo.data);
+    if (size.width() * size.height() * 4 > m_mapInfo.maxsize) {
+        qWarning("Ignoring dangerously invalid frame emitted by GStreamer.");
+        return;
+    }
 #else
     uchar* bufferData = reinterpret_cast<uchar*>(GST_BUFFER_DATA(buffer));
 #endif
diff --git a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
index 83c896c39..5007cf86e 100644
--- a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
+++ b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
@@ -440,13 +440,13 @@ void MediaPlayerPrivateGStreamerBase::paint(GraphicsContext* context, const IntR
     }
 
     RefPtr<ImageGStreamer> gstImage = ImageGStreamer::createImage(m_buffer, caps.get());
-    if (!gstImage) {
+    if (!gstImage || !gstImage->image().get()) {
         g_mutex_unlock(m_bufferMutex);
         return;
     }
 
     context->drawImage(reinterpret_cast<Image*>(gstImage->image().get()), ColorSpaceSRGB,
-        rect, gstImage->rect(), CompositeCopy, DoNotRespectImageOrientation, false);
+        rect, gstImage->rect(), CompositeCopy, DoNotRespectImageOrientation, true);
     g_mutex_unlock(m_bufferMutex);
 }
 
diff --git a/Source/WebCore/platform/graphics/qt/ImageBufferDataQt.cpp b/Source/WebCore/platform/graphics/qt/ImageBufferDataQt.cpp
index e197a02aa..43c6758e6 100644
--- a/Source/WebCore/platform/graphics/qt/ImageBufferDataQt.cpp
+++ b/Source/WebCore/platform/graphics/qt/ImageBufferDataQt.cpp
@@ -202,6 +202,7 @@ void ImageBufferDataPrivateAccelerated::draw(GraphicsContext* destContext, Color
                                              const FloatRect& srcRect, CompositeOperator op, BlendMode blendMode,
                                              bool useLowQualityScale, bool /*ownContext*/)
 {
+#if !defined(QT_NO_DYNAMIC_CAST)
     if (destContext->isAcceleratedContext()) {
         invalidateState();
 
@@ -240,6 +241,7 @@ void ImageBufferDataPrivateAccelerated::draw(GraphicsContext* destContext, Color
             return;
         }
     }
+#endif
     RefPtr<Image> image = StillImage::create(QPixmap::fromImage(toQImage()));
     destContext->drawImage(image.get(), styleColorSpace, destRect, srcRect, op, blendMode,
                            DoNotRespectImageOrientation, useLowQualityScale);
author	Frederik Gladhorn <frederik.gladhorn@theqtcompany.com>	2015-02-25 10:16:35 +0100
committer	Frederik Gladhorn <frederik.gladhorn@theqtcompany.com>	2015-02-25 10:16:45 +0100
commit	5d5b80aa50ba3a3082819ec0c1f60cdaca82bbde (patch)
tree	aa3189d2c05123c1e079b4652c78665eda7ef957
parent	aced58b77e9c91c98ac2ed60a2219d87fdc6c074 (diff)
parent	7d0214d14e1e4770db61f51ee0511c0fafa2bf61 (diff)
download	qtwebkit-5d5b80aa50ba3a3082819ec0c1f60cdaca82bbde.tar.gz