2007-11-09 Peter Kasting <zerodpx@gmail.com>
author: mrowe@apple.com <mrowe@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 9 Nov 2007 12:51:03 +0000 (12:51 +0000)
committer: mrowe@apple.com <mrowe@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 9 Nov 2007 12:51:03 +0000 (12:51 +0000)
        Reviewed by Mark Rowe.

        http://bugs.webkit.org/show_bug.cgi?id=15909
        Malformed GIFs should not result in memory corruption.

        * platform/image-decoders/gif/GIFImageDecoder.cpp:
        (WebCore::GIFImageDecoder::haveDecodedRow):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@27642 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebCore/ChangeLog
WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp

index 836e7ae..f951088 100644 (file)
@@ -1,3 +1,13 @@
+2007-11-09  Peter Kasting  <zerodpx@gmail.com>
+
+        Reviewed by Mark Rowe.
+
+        http://bugs.webkit.org/show_bug.cgi?id=15909
+        Malformed GIFs should not result in memory corruption.
+
+        * platform/image-decoders/gif/GIFImageDecoder.cpp:
+        (WebCore::GIFImageDecoder::haveDecodedRow):
+
 2007-11-09  Steve Falkenburg  <sfalken@apple.com>
 
         Initialize WindowFeatures struct before using it.
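Review bot: the new ChangeLog entry names the function touched but says nothing about what the fix is; under the `(WebCore::GIFImageDecoder::haveDecodedRow):` line add a short description, for example "Take the frame's Y offset into account when rejecting rows that would land outside the image, so a malformed frame cannot write past the end of the buffer.", so that someone reading the log can tell which bound was wrong without opening the diff.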
index 45b8bd3..b7ea6b2 100644 (file)
@@ -299,7 +299,7 @@ void GIFImageDecoder::haveDecodedRow(unsigned frameIndex,
         initFrameBuffer(buffer, previousBuffer, compositeWithPreviousFrame);
 
     // Do nothing for bogus data.
-    if (rowBuffer == 0 || static_cast<int>(rowNumber) >= m_size.height())
+    if (rowBuffer == 0 || static_cast<int>(m_reader->frameYOffset() + rowNumber) >= m_size.height())
       return;
 
     unsigned colorMapSize;
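Review bot: the corrected bound is still computed in unsigned arithmetic and then cast to `int`, so if `m_reader->frameYOffset() + rowNumber` is large enough to wrap or to exceed `INT_MAX` (both values ultimately come from the untrusted GIF stream), the cast yields a negative number, the `>= m_size.height()` test passes, and the row is written anyway, which is the very class of problem this change is meant to close. Prefer comparing in the unsigned domain after guarding the height, along the lines of `if (rowBuffer == 0 || m_size.height() <= 0 || m_reader->frameYOffset() + rowNumber >= static_cast<unsigned>(m_size.height()))`, or check `frameYOffset() < height` first so the addition cannot overflow. The visible check covers only the vertical direction; it is worth confirming in the same function that the horizontal write into `rowBuffer` is bounded against `m_size.width()` with the frame's X offset included in the same way.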