Fix for <rdar://problem/5585334>
author oliver <oliver@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 12 Nov 2007 04:48:08 +0000 (04:48 +0000)
committer oliver <oliver@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 12 Nov 2007 04:48:08 +0000 (04:48 +0000)
Reviewed by Darin.

Fix for <rdar://problem/5585334> numfuzz: integer overflows opening
malformed SVG file in WebCore::ImageBuffer::create. Add protection
against a potential overflow.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@27704 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebCore/ChangeLog
WebCore/platform/graphics/cg/ImageBufferCG.cpp

index 7c6511dcd0f3e2bf185cdfb1c32c54903513b2cc..0e417ca779fb8d99fd566d554161c780f21b464a 100644 (file)
@@ -1,3 +1,13 @@
+2007-11-11  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Darin.
+
+        Fix for <rdar://problem/5585334> numfuzz: integer overflows opening
+        malformed SVG file in WebCore::ImageBuffer::create. Add protection
+        against a potential overflow.
+
+        * platform/graphics/cg/ImageBufferCG.cpp:
+
 2007-11-11  Antti Koivisto  <antti@apple.com>
 
         Reviewed by Darin.
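Review bot: The ChangeLog entry names only the file; the WebKit convention is to list the affected function under it, here `(WebCore::ImageBuffer::create):`, with a one-line description of the change (reject non-positive sizes, guard the `bytesPerRow *= 4` multiplication against unsigned overflow). Suggested line after `* platform/graphics/cg/ImageBufferCG.cpp:`: `(WebCore::ImageBuffer::create): Bail out on non-positive or overflow-prone sizes.`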
index 8e35dcb9b7e165d4942dca02a2ee3ad61e892dc6..34fe6cde712c2ff66fa5d81cdeafb3427e41c644 100644 (file)
@@ -37,10 +37,16 @@ namespace WebCore {
 
 auto_ptr<ImageBuffer> ImageBuffer::create(const IntSize& size, bool grayScale)
 {
+    if (size.width() <= 0 || size.height() <= 0)
+        return auto_ptr<ImageBuffer>();        
     unsigned int bytesPerRow = size.width();
-    if (!grayScale)
+    if (!grayScale) {
+        // Protect against overflow
+        if (bytesPerRow > 0x3FFFFFFF)
+            return auto_ptr<ImageBuffer>();            
         bytesPerRow *= 4;
-    
+    }
+
     void* imageBuffer = fastCalloc(size.height(), bytesPerRow);
     if (!imageBuffer)
         return auto_ptr<ImageBuffer>();
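Review bot: The new `bytesPerRow > 0x3FFFFFFF` guard only covers the `bytesPerRow *= 4` multiplication; the later `fastCalloc(size.height(), bytesPerRow)` still computes `height * bytesPerRow`, and a malformed SVG with a modest width but a huge height can make that product wrap unless `fastCalloc` itself checks the multiplication for overflow. Either confirm in the review that `fastCalloc` rejects overflowing element-count times element-size products, or add an explicit check before the call, e.g. `if (bytesPerRow > UINT_MAX / size.height()) return auto_ptr<ImageBuffer>();` (assumes `<limits.h>` is available). Minor: the two `return auto_ptr<ImageBuffer>();` lines added inside the guards carry trailing whitespace, and the magic constant `0x3FFFFFFF` would read better with a comment stating it is the largest width that still fits in an unsigned int after multiplying by 4.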