[GTK+] Crash in WebCore::ImageFrame::ImageFrame()
author: magomez@igalia.com <magomez@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Apr 2017 11:54:23 +0000 (11:54 +0000)
committer: magomez@igalia.com <magomez@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Apr 2017 11:54:23 +0000 (11:54 +0000)
https://bugs.webkit.org/show_bug.cgi?id=170332

Reviewed by Carlos Garcia Campos.

Source/WebCore:

When decoding a PNG image, don't reset the number of frames to 1 when there's a decoding error. Doing
so causes a crash if the number of frames we reported before is bigger than 1.

Test: fast/images/bad-png-missing-fdat.html

* platform/image-decoders/png/PNGImageDecoder.cpp:
(WebCore::PNGImageDecoder::fallbackNotAnimated):

LayoutTests:

Added a test to ensure that the browser doesn't crash when loading a PNG image which
reports a wrong number of frames.

* fast/images/bad-png-missing-fdat-expected.txt: Added.
* fast/images/bad-png-missing-fdat.html: Added.
* fast/images/resources/bad-png-missing-fdAT.png: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@215458 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/images/bad-png-missing-fdat-expected.txt [new file with mode: 0644]
LayoutTests/fast/images/bad-png-missing-fdat.html [new file with mode: 0644]
LayoutTests/fast/images/resources/bad-png-missing-fdAT.png [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/image-decoders/png/PNGImageDecoder.cpp

index d8638ee..01a894a 100644 (file)
@@ -1,3 +1,17 @@
+2017-04-18  Miguel Gomez  <magomez@igalia.com>
+
+        [GTK+] Crash in WebCore::ImageFrame::ImageFrame()
+        https://bugs.webkit.org/show_bug.cgi?id=170332
+
+        Reviewed by Carlos Garcia Campos.
+
+        Added a test to ensure that the browser doesn't crash when loading a PNG image which
+        reports a wrong number of frames.
+
+        * fast/images/bad-png-missing-fdat-expected.txt: Added.
+        * fast/images/bad-png-missing-fdat.html: Added.
+        * fast/images/resources/bad-png-missing-fdAT.png: Added.
+
 2017-04-18  Manuel Rego Casasnovas  <rego@igalia.com>
 
         [selectors4] Import W3C Test Suite
diff --git a/LayoutTests/fast/images/bad-png-missing-fdat-expected.txt b/LayoutTests/fast/images/bad-png-missing-fdat-expected.txt
new file mode 100644 (file)
index 0000000..3d9ad2f
--- /dev/null
@@ -0,0 +1,4 @@
+The following PNG is buggy and reports a wrong number of frames. If the test succeeds this should not crash.
+
+
+PASS
diff --git a/LayoutTests/fast/images/bad-png-missing-fdat.html b/LayoutTests/fast/images/bad-png-missing-fdat.html
new file mode 100644 (file)
index 0000000..1bed4f7
--- /dev/null
@@ -0,0 +1,25 @@
+<html>
+  <head>
+    <script>
+      if (window.testRunner) {
+        testRunner.waitUntilDone();
+        testRunner.dumpAsText();
+      }
+
+      function testPassed()
+      {
+        document.getElementById("result").innerText = "PASS";
+        if (window.testRunner)
+          testRunner.notifyDone();
+      }
+    </script>
+
+   </head>
+   <body>
+     <!-- The image reports 2 frames, but it has data for one only. Ensure that the browser doesn't
+          crash when dealing with this situation.-->
+     <p>The following PNG is buggy and reports a wrong number of frames. If the test succeeds this should not crash.</p>
+     <img src="resources/bad-png-missing-fdAT.png" onload="testPassed()">
+     <p id="result">FAIL</p>
+   </body>
+ </html>
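Review bot: testPassed() is wired only to the image's onload, so if the malformed PNG fails to decode at all the browser fires onerror instead, testRunner.notifyDone() is never called, and the test ends in a harness timeout rather than a crash-free PASS. Since the property under test is "does not crash", consider `<img src="resources/bad-png-missing-fdAT.png" onload="testPassed()" onerror="testPassed()">` so both outcomes finish the test. Separately, the closing `</html>` on the last line is indented one space deeper than the `<html>` that opens it.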
diff --git a/LayoutTests/fast/images/resources/bad-png-missing-fdAT.png b/LayoutTests/fast/images/resources/bad-png-missing-fdAT.png
new file mode 100644 (file)
index 0000000..af42766
Binary files /dev/null and b/LayoutTests/fast/images/resources/bad-png-missing-fdAT.png differ
index 95a41d6..aa99f65 100644 (file)
@@ -1,3 +1,18 @@
+2017-04-18  Miguel Gomez  <magomez@igalia.com>
+
+        [GTK+] Crash in WebCore::ImageFrame::ImageFrame()
+        https://bugs.webkit.org/show_bug.cgi?id=170332
+
+        Reviewed by Carlos Garcia Campos.
+
+        When decoding a PNG image, don't reset the number of frames to 1 when there's a decoding error. Doing
+        so causes a crash if the number of frames we reported before is bigger than 1.
+
+        Test: fast/images/bad-png-missing-fdat.html
+
+        * platform/image-decoders/png/PNGImageDecoder.cpp:
+        (WebCore::PNGImageDecoder::fallbackNotAnimated):
+
 2017-04-18  Carlos Garcia Campos  <cgarcia@igalia.com>
 
         [GLIB] Define priorities also for async network IO tasks
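Review bot: the per-function line for (WebCore::PNGImageDecoder::fallbackNotAnimated) carries no description of what changed there; a short note after the function name, such as "Only clear the animation flag; keep m_frameCount and the frame buffer cache size as already reported", would let ChangeLog readers see what was removed without opening the diff.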
index 38f4d6c..9604a50 100644 (file)
@@ -943,10 +943,8 @@ int PNGImageDecoder::processingFinish()
 void PNGImageDecoder::fallbackNotAnimated()
 {
     m_isAnimated = false;
-    m_frameCount = 1;
     m_playCount = 0;
     m_currentFrame = 0;
-    m_frameBufferCache.resize(1);
 }
 #endif
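Review bot: after this change fallbackNotAnimated() leaves m_frameCount and m_frameBufferCache at whatever the animation control chunk reported while setting m_isAnimated to false, and the function body gives no hint that this mismatch is deliberate. Add a comment at the point where the two removed lines stood stating the invariant the fix relies on: a frame count and cache size that have already been reported to callers must never shrink, because callers may hold frame indices above 0 and the constructor of ImageFrame is reached through them. Without that note, a later cleanup could reintroduce `m_frameCount = 1;` and `m_frameBufferCache.resize(1);` as an apparently harmless reset.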