2007-11-01 Peter Kasting <zerodpx@gmail.com>
authormrowe@apple.com <mrowe@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 1 Nov 2007 09:29:47 +0000 (09:29 +0000)
committermrowe@apple.com <mrowe@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 1 Nov 2007 09:29:47 +0000 (09:29 +0000)
        Reviewed by Dave Hyatt.

        http://bugs.webkit.org/show_bug.cgi?id=15778
        Malformed GIFs should not result in memory corruption.

        * platform/image-decoders/gif/GIFImageDecoder.cpp:
        (WebCore::GIFImageDecoder::haveDecodedRow):
        * platform/image-decoders/gif/GIFImageReader.cpp:
        (GIFImageReader::output_row):
        (GIFImageReader::read):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@27346 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebCore/ChangeLog
WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp
WebCore/platform/image-decoders/gif/GIFImageReader.cpp

index 77290bee3962f23aa1e3b92d0c5bd34535c96338..a24c9005138c0755e09141bf7b7b6153e9b3404c 100644 (file)
@@ -1,3 +1,16 @@
+2007-11-01  Peter Kasting  <zerodpx@gmail.com>
+
+        Reviewed by Dave Hyatt.
+
+        http://bugs.webkit.org/show_bug.cgi?id=15778
+        Malformed GIFs should not result in memory corruption.
+
+        * platform/image-decoders/gif/GIFImageDecoder.cpp:
+        (WebCore::GIFImageDecoder::haveDecodedRow):
+        * platform/image-decoders/gif/GIFImageReader.cpp:
+        (GIFImageReader::output_row):
+        (GIFImageReader::read):
+
 2007-10-31  Adam Roben  <aroben@apple.com>
 
         Fix a crash when parsing a cubic-bezier function
index f6eb606edb024575f566eadb6135b3c2318568e5..45b8bd3c8d487eca7c1364abd240db8c63ef9bd0 100644 (file)
@@ -298,7 +298,8 @@ void GIFImageDecoder::haveDecodedRow(unsigned frameIndex,
     if (buffer.status() == RGBA32Buffer::FrameEmpty)
         initFrameBuffer(buffer, previousBuffer, compositeWithPreviousFrame);
 
-    if (rowBuffer == 0)
+    // Do nothing for bogus data.
+    if (rowBuffer == 0 || static_cast<int>(rowNumber) >= m_size.height())
       return;
 
     unsigned colorMapSize;
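Review bot: The new bound on L48 compares `static_cast<int>(rowNumber)` with `m_size.height()`, so a `rowNumber` above INT_MAX (it appears to be unsigned, given the cast) becomes negative and slips past the guard into whatever row arithmetic follows; comparing in the unsigned domain closes that, e.g. `if (rowBuffer == 0 || m_size.height() <= 0 || rowNumber >= static_cast<unsigned>(m_size.height()))`. The guard also covers only the starting row: if the rest of haveDecodedRow replicates the row `repeatCount` times into following rows (the caller passes `drow_end - drow_start + 1`), those rows need the same bound, which is not visible in this hunk. Nothing here checks the row's width (`rowEnd - rowBuffer`) against `m_size.width()` either; if that is done further down, a short comment at the guard saying so would help the next reader. haveDecodedRow begins and continues outside the hunk.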
index 2cff6d05509c92831fe5bc8e6b8a450dcbf6abce..e9aaaae6b3c602d7ff47ea1e02db9b9ebbfd2569 100644 (file)
@@ -110,7 +110,7 @@ void GIFImageReader::output_row()
 {
   GIFFrameReader* gs = frame_reader;
 
-  int width, drow_start, drow_end;
+  int drow_start, drow_end;
 
   drow_start = drow_end = gs->irow;
 
@@ -158,19 +158,10 @@ void GIFImageReader::output_row()
   if ((unsigned)drow_start >= gs->height)
     return;
 
-  /* Check for scanline below edge of logical screen */
-  if ((gs->y_offset + gs->irow) < screen_height) {
-    /* Clip if right edge of image exceeds limits */
-    if ((gs->x_offset + gs->width) > screen_width)
-      width = screen_width - gs->x_offset;
-    else
-      width = gs->width;
-
-    // CALLBACK: Let the client know we have decoded a row.
-    if (width > 0 && clientptr && frame_reader)
-      clientptr->haveDecodedRow(images_count - 1, frame_reader->rowbuf, frame_reader->rowend,
-                                drow_start, drow_end - drow_start + 1);
-  }
+  // CALLBACK: Let the client know we have decoded a row.
+  if (clientptr && frame_reader)
+    clientptr->haveDecodedRow(images_count - 1, frame_reader->rowbuf, frame_reader->rowend,
+                              drow_start, drow_end - drow_start + 1);
 
   gs->rowp = gs->rowbuf;
 
@@ -782,26 +773,18 @@ bool GIFImageReader::read(const unsigned char *buf, unsigned len,
           /* XXX Deviant! */
 
           delete []frame_reader->rowbuf;
-          frame_reader->rowbuf = new unsigned char[width];
-
-          if (!frame_reader->rowbuf) {
-            state = gif_oom;
-            break;
-          }
-
           screen_width = width;
-          if (screen_height < frame_reader->height)
-            screen_height = frame_reader->height;
-        }
-        else {
-          if (!frame_reader->rowbuf)
-            frame_reader->rowbuf = new unsigned char[screen_width];
+          frame_reader->rowbuf = new unsigned char[screen_width];
+        } else if (!frame_reader->rowbuf) {
+          frame_reader->rowbuf = new unsigned char[screen_width];
         }
 
         if (!frame_reader->rowbuf) {
           state = gif_oom;
           break;
         }
+        if (screen_height < height)
+          screen_height = height;
 
         if (q[8] & 0x40) {
           frame_reader->interlaced = true;
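Review bot: Both `new unsigned char[screen_width]` allocations on L104 and L106 leave the row buffer uninitialized, and since output_row now hands `rowbuf..rowend` to the client without clipping, any byte the decode stage did not write would be emitted as pixel data; `new unsigned char[screen_width]()` value-initializes it at negligible cost. Whether the decode loop always fills a complete row before calling output_row is not visible in this hunk, so treat that as a defensive change rather than a known leak. The two identical allocations could also be collapsed by setting `frame_reader->rowbuf = 0;` right after the `delete []` in the deviant branch and keeping a single `if (!frame_reader->rowbuf)` allocation; note that unless the project's operator new is a nothrow variant, the `gif_oom` branch after it is unreachable in either form. read() starts and ends outside the hunk.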