pixels: Add limitation to max image total bytes length (#37172)

Limit the maximum image allocation size to 2GB to minimize the
possibility of out of memory errors on some `ImageBitmap`, `ImageData`,
`Canvas`, and `OffscreenCanvas` operations such as construction,
`toBlob`, and `toDataURL`. Other browsers have similar limits:
 - Chromium: 2^32-1 (~4GB)
- Firefox: 2^31-1 (~2GB)

Testing: Improvements to the following tests:
-
`html/canvas/element/pixel-manipulation/2d.imageData.object.ctor.basics.html`
assert_throws_dom("INDEX_SIZE_ERR", function() { new ImageData(1 << 31,
1 << 31); });
-
`html/canvas/element/manual/imagebitmap/createImageBitmap-invalid-args.html`
   makeOversizedCanvas + makeOversizedOffscreenCanvas

Signed-off-by: Andrei Volykhin <andrei.volykhin@gmail.com>

components/script/dom/globalscope.rs

@@ -2982,10 +2982,13 @@ impl GlobalScope {
                     return p;
                 }
 
-                if let Some(snapshot) = canvas.get_image_data() {
-                    let image_bitmap = ImageBitmap::new(self, snapshot, can_gc);
-                    image_bitmap.set_origin_clean(canvas.origin_is_clean());
-                    p.resolve_native(&(image_bitmap), can_gc);
+                match canvas.get_image_data() {
+                    Some(snapshot) => {
+                        let image_bitmap = ImageBitmap::new(self, snapshot, can_gc);
+                        image_bitmap.set_origin_clean(canvas.origin_is_clean());
+                        p.resolve_native(&(image_bitmap), can_gc);
+                    },
+                    None => p.reject_error(Error::InvalidState, can_gc),
                 }
                 p
             },
@@ -2996,10 +2999,13 @@ impl GlobalScope {
                     return p;
                 }
 
-                if let Some(snapshot) = canvas.get_image_data() {
-                    let image_bitmap = ImageBitmap::new(self, snapshot, can_gc);
-                    image_bitmap.set_origin_clean(canvas.origin_is_clean());
-                    p.resolve_native(&(image_bitmap), can_gc);
+                match canvas.get_image_data() {
+                    Some(snapshot) => {
+                        let image_bitmap = ImageBitmap::new(self, snapshot, can_gc);
+                        image_bitmap.set_origin_clean(canvas.origin_is_clean());
+                        p.resolve_native(&(image_bitmap), can_gc);
+                    },
+                    None => p.reject_error(Error::InvalidState, can_gc),
                 }
                 p
             },

components/script/dom/htmlcanvaselement.rs

@@ -362,7 +362,13 @@ impl HTMLCanvasElement {
             Some(context) => context.get_image_data(),
             None => {
                 let size = self.get_size();
-                if size.width == 0 || size.height == 0 {
+                if size.is_empty() ||
+                    pixels::compute_rgba8_byte_length_if_within_limit(
+                        size.width as usize,
+                        size.height as usize,
+                    )
+                    .is_none()
+                {
                     None
                 } else {
                     Some(Snapshot::cleared(size.cast()))

components/script/dom/imagedata.rs

@@ -41,14 +41,11 @@ impl ImageData {
         mut data: Option<Vec<u8>>,
         can_gc: CanGc,
     ) -> Fallible<DomRoot<ImageData>> {
-        // The color components of each pixel must be stored in four sequential
-        // elements in the order of red, green, blue, and then alpha.
-        let len = 4u32
-            .checked_mul(width)
-            .and_then(|v| v.checked_mul(height))
-            .ok_or(Error::Range(
-                "The requested image size exceeds the supported range".to_owned(),
-            ))?;
+        let len =
+            pixels::compute_rgba8_byte_length_if_within_limit(width as usize, height as usize)
+                .ok_or(Error::Range(
+                    "The requested image size exceeds the supported range".to_owned(),
+                ))?;
 
         unsafe {
             let cx = GlobalScope::get_cx();
@@ -129,18 +126,16 @@ impl ImageData {
             return Err(Error::IndexSize);
         }
 
-        // The color components of each pixel must be stored in four sequential
-        // elements in the order of red, green, blue, and then alpha.
-        // Please note when a too-large ImageData is created using a constructor
-        // historically throwns an IndexSizeError, instead of RangeError.
-        let len = 4u32
-            .checked_mul(width)
-            .and_then(|v| v.checked_mul(height))
-            .ok_or(Error::IndexSize)?;
+        // When a constructor is called for an ImageData that is too large, other browsers throw
+        // IndexSizeError rather than RangeError here, so we do the same.
+        let len =
+            pixels::compute_rgba8_byte_length_if_within_limit(width as usize, height as usize)
+                .ok_or(Error::IndexSize)?;
 
         let cx = GlobalScope::get_cx();
 
-        let heap_typed_array = create_heap_buffer_source_with_length::<ClampedU8>(cx, len, can_gc)?;
+        let heap_typed_array =
+            create_heap_buffer_source_with_length::<ClampedU8>(cx, len as u32, can_gc)?;
 
         let imagedata = Box::new(ImageData {
             reflector_: Reflector::new(),

components/script/dom/offscreencanvas.rs

@@ -92,7 +92,13 @@ impl OffscreenCanvas {
             Some(context) => context.get_image_data(),
             None => {
                 let size = self.get_size();
-                if size.width == 0 || size.height == 0 {
+                if size.is_empty() ||
+                    pixels::compute_rgba8_byte_length_if_within_limit(
+                        size.width as usize,
+                        size.height as usize,
+                    )
+                    .is_none()
+                {
                     None
                 } else {
                     Some(Snapshot::cleared(size))