avoid integer overflow in ensureSurface

chearon · chearon · commit 4dc62340faee · 2026-03-10T22:26:59.000-04:00
width * height * approxBytesPerPixel was too big

Zig found via ubsan
diff --git a/src/Canvas.cc b/src/Canvas.cc
@@ -32,6 +32,8 @@
   "with at least a family (string) and optionally weight (string/number) " \
   "and style (string)."
 
+#define CAIRO_MAX_SIZE 32767
+
 using namespace std;
 
 std::vector<FontFace> Canvas::font_face_list;
@@ -87,6 +89,11 @@ Canvas::Canvas(const Napi::CallbackInfo& info) : Napi::ObjectWrap<Canvas>(info),
   _surface = nullptr;
   _closure = nullptr;
   format = CAIRO_FORMAT_ARGB32;
+  this->width = 0;
+  this->height = 0;
+
+  int32_t width;
+  int32_t height;
 
   if (info[0].IsNumber()) {
     width = info[0].As<Napi::Number>().Int32Value();
@@ -112,6 +119,21 @@ Canvas::Canvas(const Napi::CallbackInfo& info) : Napi::ObjectWrap<Canvas>(info),
     type = CANVAS_TYPE_IMAGE;
   }
 
+  if (width > CAIRO_MAX_SIZE || width < 0) {
+    std::string msg = "Canvas width must be between 0 and " + std::to_string(CAIRO_MAX_SIZE);
+    Napi::Error::New(env, msg).ThrowAsJavaScriptException();
+    return;
+  }
+
+  if (height > CAIRO_MAX_SIZE || height < 0) {
+    std::string msg = "Canvas height must be between 0 and " + std::to_string(CAIRO_MAX_SIZE);
+    Napi::Error::New(env, msg).ThrowAsJavaScriptException();
+    return;
+  }
+
+  this->width = width;
+  this->height = height;
+
   cairo_status_t status = cairo_surface_status(ensureSurface());
 
   if (status != CAIRO_STATUS_SUCCESS) {
@@ -164,8 +186,11 @@ Canvas::GetWidth(const Napi::CallbackInfo& info) {
 void
 Canvas::SetWidth(const Napi::CallbackInfo& info, const Napi::Value& value) {
   if (value.IsNumber()) {
-    int width = value.As<Napi::Number>().Uint32Value();
-    resurface(info.This().As<Napi::Object>(), width, this->height);
+    int32_t width = value.As<Napi::Number>().Int32Value();
+    if (width >= 0 && width <= CAIRO_MAX_SIZE) {
+      this->width = width;
+      resurface(info.This().As<Napi::Object>(), width, this->height);
+    }
   }
 }
 
@@ -185,8 +210,11 @@ Canvas::GetHeight(const Napi::CallbackInfo& info) {
 void
 Canvas::SetHeight(const Napi::CallbackInfo& info, const Napi::Value& value) {
   if (value.IsNumber()) {
-    int height = value.As<Napi::Number>().Uint32Value();
-    resurface(info.This().As<Napi::Object>(), this->width, height);
+    int32_t height = value.As<Napi::Number>().Uint32Value();
+    if (height >= 0 && height <= CAIRO_MAX_SIZE) {
+      this->height = height;
+      resurface(info.This().As<Napi::Object>(), this->width, height);
+    }
   }
 }
 
diff --git a/test/canvas.test.js b/test/canvas.test.js
@@ -416,6 +416,11 @@ describe('Canvas', function () {
     assert.equal(canvas.width, 50)
     assert.equal(canvas.height, 70)
 
+    canvas.width = 60_000;
+    canvas.height = 60_000;
+    assert.equal(canvas.width, 50)
+    assert.equal(canvas.height, 70)
+
     context.font = '20px arial'
     assert.equal(context.font, '20px arial')
     canvas.width |= 0
