Reviewed by Darin.
Fix for <rdar://problem/
5585334> numfuzz: integer overflows opening
malformed SVG file in WebCore::ImageBuffer::create. Add protection
against a potential overflow.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@27704
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2007-11-11 Oliver Hunt <oliver@apple.com>
+
+ Reviewed by Darin.
+
+ Fix for <rdar://problem/5585334> numfuzz: integer overflows opening
+ malformed SVG file in WebCore::ImageBuffer::create. Add protection
+ against a potential overflow.
+
+ * platform/graphics/cg/ImageBufferCG.cpp:
+
2007-11-11 Antti Koivisto <antti@apple.com>
Reviewed by Darin.
auto_ptr<ImageBuffer> ImageBuffer::create(const IntSize& size, bool grayScale)
{
+ if (size.width() <= 0 || size.height() <= 0)
+ return auto_ptr<ImageBuffer>();
unsigned int bytesPerRow = size.width();
- if (!grayScale)
+ if (!grayScale) {
+ // Protect against overflow
+ if (bytesPerRow > 0x3FFFFFFF)
+ return auto_ptr<ImageBuffer>();
bytesPerRow *= 4;
-
+ }
+
void* imageBuffer = fastCalloc(size.height(), bytesPerRow);
if (!imageBuffer)
return auto_ptr<ImageBuffer>();
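Review bot: The new `bytesPerRow > 0x3FFFFFFF` guard only protects the `bytesPerRow *= 4` multiplication; the second product, `size.height() * bytesPerRow` inside `fastCalloc(size.height(), bytesPerRow)`, is not checked anywhere in this hunk, so the fix is complete only if fastCalloc itself rejects a count-times-size overflow, which is not visible here. Since `size.height()` is already known to be positive after the new early return, an explicit check before the allocation makes the function self-contained: `if (bytesPerRow > UINT_MAX / static_cast<unsigned>(size.height())) return auto_ptr<ImageBuffer>();`. The magic constant would also read better as `UINT_MAX / 4` with the comment `// bytesPerRow * 4 must not wrap`, which states the invariant instead of the number. The body of ImageBuffer::create continues past the end of the hunk.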