+2007-11-01 Peter Kasting <zerodpx@gmail.com>
+
+ Reviewed by Dave Hyatt.
+
+ http://bugs.webkit.org/show_bug.cgi?id=15778
+ Malformed GIFs should not result in memory corruption.
+
+ * platform/image-decoders/gif/GIFImageDecoder.cpp:
+ (WebCore::GIFImageDecoder::haveDecodedRow):
+ * platform/image-decoders/gif/GIFImageReader.cpp:
+ (GIFImageReader::output_row):
+ (GIFImageReader::read):
+
2007-10-31 Adam Roben <aroben@apple.com>
Fix a crash when parsing a cubic-bezier function
{
GIFFrameReader* gs = frame_reader;
- int width, drow_start, drow_end;
+ int drow_start, drow_end;
drow_start = drow_end = gs->irow;
if ((unsigned)drow_start >= gs->height)
return;
- /* Check for scanline below edge of logical screen */
- if ((gs->y_offset + gs->irow) < screen_height) {
- /* Clip if right edge of image exceeds limits */
- if ((gs->x_offset + gs->width) > screen_width)
- width = screen_width - gs->x_offset;
- else
- width = gs->width;
-
- // CALLBACK: Let the client know we have decoded a row.
- if (width > 0 && clientptr && frame_reader)
- clientptr->haveDecodedRow(images_count - 1, frame_reader->rowbuf, frame_reader->rowend,
- drow_start, drow_end - drow_start + 1);
- }
+ // CALLBACK: Let the client know we have decoded a row.
+ if (clientptr && frame_reader)
+ clientptr->haveDecodedRow(images_count - 1, frame_reader->rowbuf, frame_reader->rowend,
+ drow_start, drow_end - drow_start + 1);
gs->rowp = gs->rowbuf;
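Review bot: The callback on the new lines `if (clientptr && frame_reader) clientptr->haveDecodedRow(...)` now fires for every decoded row, including rows below the logical screen (`y_offset + irow >= screen_height`) and frames whose `x_offset` puts the clipped width at or below zero, both of which the removed `screen_height` / `width > 0` guards used to skip. The ChangeLog names a matching change to `GIFImageDecoder::haveDecodedRow`, but that side is not in this diff, so the invariant the reader now relies on should be stated at the call site rather than left implicit. Suggest replacing the comment with `// CALLBACK: Let the client know we have decoded a row. No clipping against the logical screen happens here; the callee must bound its copy by rowbuf/rowend and the screen size, since a malformed frame may extend past both.` The surviving `(unsigned)drow_start >= gs->height` check only guards against the frame's own height, not the screen's. output_row's body continues beyond the hunk.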
/* XXX Deviant! */
delete []frame_reader->rowbuf;
- frame_reader->rowbuf = new unsigned char[width];
-
- if (!frame_reader->rowbuf) {
- state = gif_oom;
- break;
- }
-
screen_width = width;
- if (screen_height < frame_reader->height)
- screen_height = frame_reader->height;
- }
- else {
- if (!frame_reader->rowbuf)
- frame_reader->rowbuf = new unsigned char[screen_width];
+ frame_reader->rowbuf = new unsigned char[screen_width];
+ } else if (!frame_reader->rowbuf) {
+ frame_reader->rowbuf = new unsigned char[screen_width];
}
if (!frame_reader->rowbuf) {
state = gif_oom;
break;
}
+ if (screen_height < height)
+ screen_height = height;
if (q[8] & 0x40) {
frame_reader->interlaced = true;