Diffstat (limited to 'dom/canvas')
-rw-r--r--dom/canvas/WebGLContextBuffers.cpp12
-rw-r--r--dom/canvas/WebGLShader.cpp10
-rw-r--r--dom/canvas/test/reftest/filters/liveness-document-open.html46
-rw-r--r--dom/canvas/test/reftest/filters/reftest.list1
4 files changed, 59 insertions, 10 deletions
diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp
index af506c01c..f53f9d7d7 100644
--- a/dom/canvas/WebGLContextBuffers.cpp
+++ b/dom/canvas/WebGLContextBuffers.cpp
@@ -9,6 +9,8 @@
#include "WebGLBuffer.h"
#include "WebGLVertexArray.h"
+#include "mozilla/CheckedInt.h"
+
namespace mozilla {
WebGLRefPtr<WebGLBuffer>*
@@ -345,6 +347,16 @@ WebGLContext::BufferData(GLenum target, WebGLsizeiptr size, GLenum usage)
////
+ const auto checkedSize = CheckedInt<size_t>(size);
+ if (!checkedSize.isValid())
+ return ErrorOutOfMemory("%s: Size too large for platform.", funcName);
+
+#if defined(XP_MACOSX)
+ if (gl->WorkAroundDriverBugs() && size > 1200000000) {
+ return ErrorOutOfMemory("Allocations larger than 1200000000 fail on MacOS.");
+ }
+#endif
+
const UniqueBuffer zeroBuffer(calloc(size, 1));
if (!zeroBuffer)
return ErrorOutOfMemory("%s: Failed to allocate zeros.", funcName);
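Review bot: The allocation after the new guard still calls `calloc(size, 1)` with the signed `WebGLsizeiptr`, so the value that was range-checked and the value that is allocated are tied together only by an implicit conversion; passing the checked value, `const UniqueBuffer zeroBuffer(calloc(checkedSize.value(), 1));`, makes that link explicit. A negative `size` also fails `isValid()` and would surface as an out-of-memory error with the "too large" text unless it is rejected earlier in `BufferData`, whose body starts and ends outside this hunk. The macOS branch omits the `"%s: "` prefix and `funcName` argument that the two neighbouring `ErrorOutOfMemory` calls use, and it repeats the literal `1200000000` in both the condition and the message, so a named constant formatted into the message would keep them from drifting apart.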
diff --git a/dom/canvas/WebGLShader.cpp b/dom/canvas/WebGLShader.cpp
index 37380f1e0..69ca03fc4 100644
--- a/dom/canvas/WebGLShader.cpp
+++ b/dom/canvas/WebGLShader.cpp
@@ -168,16 +168,6 @@ WebGLShader::ShaderSource(const nsAString& source)
// 7-bit ASCII range, so we can skip the NS_IsAscii() check.
const NS_LossyConvertUTF16toASCII sourceCString(cleanSource);
- if (mContext->gl->WorkAroundDriverBugs()) {
- const size_t maxSourceLength = 0x3ffff;
- if (sourceCString.Length() > maxSourceLength) {
- mContext->ErrorInvalidValue("shaderSource: Source has more than %d"
- " characters. (Driver workaround)",
- maxSourceLength);
- return;
- }
- }
-
if (PR_GetEnv("MOZ_WEBGL_DUMP_SHADERS")) {
printf_stderr("////////////////////////////////////////\n");
printf_stderr("// MOZ_WEBGL_DUMP_SHADERS:\n");
diff --git a/dom/canvas/test/reftest/filters/liveness-document-open.html b/dom/canvas/test/reftest/filters/liveness-document-open.html
new file mode 100644
index 000000000..b3d76e550
--- /dev/null
+++ b/dom/canvas/test/reftest/filters/liveness-document-open.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<title>canvas filters: remove referenced filter element through document.open()</title>
+
+<body onload="loaded()">
+
+<canvas id="canvas" width="10" height="10"></canvas>
+
+<svg height="0">
+ <filter id="filter">
+ <feFlood flood-color="red"/>
+ </filter>
+</svg>
+
+<script>
+
+function loaded() {
+ var ctx = document.getElementById('canvas').getContext('2d');
+
+ ctx.filter = 'url(#filter)';
+ ctx.fillRect(0, 0, 10, 10); // do a draw first to work around bug 1287316
+
+ document.open();
+
+ // The document.open() call removed #filter from the document. So the filter
+ // reference should now be invalid, and the rect should be drawn without a
+ // filter applied, resulting in black.
+ ctx.fillRect(0, 0, 10, 10);
+
+ try {
+ var data = ctx.getImageData(0, 0, 1, 1).data;
+ if (data[0] == 0 && data[1] == 0 && data[2] == 0 && data[3] == 255) {
+ // Successfully painted black.
+ document.write('PASS');
+ } else {
+ // Painted something else, like red.
+ document.write('FAIL');
+ }
+ } catch (e) {
+ document.write('getImageData failed');
+ }
+ document.close();
+}
+
+</script>
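Review bot: The `catch (e)` branch in `loaded()` throws away the exception, so when `getImageData` fails the reftest mismatch shows only a fixed string and not the reason. Writing the error into the page, for example `document.write('getImageData failed: ' + e);`, keeps the test failing against `data:text/html,PASS` while leaving a usable diagnostic. The pixel check also samples only `(0, 0)` of the 10x10 canvas; that is enough for a flood filter, but a short comment saying so would stop a later reader from assuming the whole rect is verified.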
diff --git a/dom/canvas/test/reftest/filters/reftest.list b/dom/canvas/test/reftest/filters/reftest.list
index 983030715..f5d671e4d 100644
--- a/dom/canvas/test/reftest/filters/reftest.list
+++ b/dom/canvas/test/reftest/filters/reftest.list
@@ -6,6 +6,7 @@ default-preferences pref(canvas.filters.enabled,true)
fuzzy-if(azureSkia,1,1500) == global-alpha.html global-alpha-ref.html
== global-composite-operation.html global-composite-operation-ref.html
== liveness.html ref.html
+== liveness-document-open.html data:text/html,PASS
== multiple-drop-shadows.html shadow-ref.html
== shadow.html shadow-ref.html
== subregion-fill-paint.html subregion-ref.html