| author | pkasting@chromium.org <pkasting@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-12-16 21:59:48 +0000 |
|---|---|---|
| committer | pkasting@chromium.org <pkasting@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-12-16 21:59:48 +0000 |
| commit | 1f78297bae7908bb02dbfc1ddbdc4b945b3b2e63 (patch) | |
| tree | 37fdff73a7c1856ba650b83005335d10fba682e6 /webkit/port | |
| parent | d54f53a6034082c5600c0cf0432edae1c5bc2b39 (diff) | |
| download | chromium_src-1f78297bae7908bb02dbfc1ddbdc4b945b3b2e63.zip, chromium_src-1f78297bae7908bb02dbfc1ddbdc4b945b3b2e63.tar.gz, chromium_src-1f78297bae7908bb02dbfc1ddbdc4b945b3b2e63.tar.bz2 | |
Fix memory corruption in the GIF decoder if a GIF specified a frame with no pixel data. When creating the subsequent frame, we'd try and copy this frame's data, assuming it was sized properly, when in fact we'd allocated no space; then writing pixel data into this buffer overwrote whatever was sitting in memory.
Basically, we need to ensure that every frame gets properly initialized (sized, allocated, and data copied or cleared as appropriate) before we move to the next frame. Since we can't rely on haveDecodedRow() getting called for all frames, we now also initialize as needed in frameComplete().
BUG=5573
Review URL: http://codereview.chromium.org/14168
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@7103 0039d316-1c4b-4281-b951-d872f2087c98
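The invariant the commit message describes, modelled as a small stand-alone C++ example that is not Chromium's code and is added here for illustration: every animation frame must be sized and seeded (copied from its predecessor or cleared) before the decoder moves on, including a frame that delivers no pixel rows. The class and method names (`ToyGifDecoder`, `initFrameBuffer`, `haveDecodedRow`, `frameComplete`, `runScenario`) are hypothetical stand-ins for the real decoder's; the `initInComplete` flag switches between the pre-fix behaviour (frame completion never initializes) and the fixed behaviour (frame completion initializes too). Where the real decoder copied pixel data from an unsized buffer, this model refuses the copy and clears instead, so the failure shows up as lost frame inheritance and a violated invariant rather than as an out-of-bounds write.

```cpp
// Added example, not Chromium's code: a toy model of the "every frame is
// initialized before the next one starts" invariant. Names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

enum class FrameStatus { Empty, Partial, Complete };

struct Frame {
    FrameStatus status = FrameStatus::Empty;
    std::vector<uint32_t> pixels;  // RGBA32 canvas, width*height once initialized
};

class ToyGifDecoder {
public:
    // initInComplete=false models the pre-fix decoder (frameComplete() never
    // initializes); true models the fix (frameComplete() initializes as well).
    ToyGifDecoder(size_t width, size_t height, bool initInComplete)
        : width_(width), height_(height), initInComplete_(initInComplete) {}

    // Size frame `index` and seed it from the previous frame when that frame
    // is complete and correctly sized; otherwise clear to transparent black.
    // (The real decoder assumed the predecessor was sized; this check is the
    // model's stand-in for that missing guarantee.)
    bool initFrameBuffer(size_t index) {
        Frame& f = frameAt(index);
        const size_t n = width_ * height_;
        if (index > 0 && frames_[index - 1].status == FrameStatus::Complete &&
            frames_[index - 1].pixels.size() == n)
            f.pixels = frames_[index - 1].pixels;
        else
            f.pixels.assign(n, 0);
        f.status = FrameStatus::Partial;
        return true;
    }

    // One decoded row. Initializes lazily, as the real haveDecodedRow() does.
    bool haveDecodedRow(size_t index, size_t row, const std::vector<uint32_t>& rowData) {
        Frame& f = frameAt(index);
        if (f.status == FrameStatus::Empty && !initFrameBuffer(index))
            return false;
        if (row >= height_ || rowData.size() != width_)
            return false;  // bogus data: ignore the row
        std::copy(rowData.begin(), rowData.end(), f.pixels.begin() + row * width_);
        return true;
    }

    // End of frame. A do-nothing frame reaches here without any row callback.
    bool frameComplete(size_t index) {
        Frame& f = frameAt(index);
        if (initInComplete_ && f.status == FrameStatus::Empty && !initFrameBuffer(index))
            return false;
        f.status = FrameStatus::Complete;
        return true;
    }

    size_t frameSize(size_t index) const { return frames_.at(index).pixels.size(); }
    uint32_t pixel(size_t index, size_t row, size_t col) const {
        return frames_.at(index).pixels.at(row * width_ + col);
    }

    // The invariant from the commit message: no frame is marked complete
    // while its buffer is still unsized.
    bool allCompleteFramesSized() const {
        for (const Frame& f : frames_)
            if (f.status == FrameStatus::Complete && f.pixels.size() != width_ * height_)
                return false;
        return true;
    }

private:
    Frame& frameAt(size_t index) {
        if (index >= frames_.size()) frames_.resize(index + 1);
        return frames_[index];
    }
    size_t width_, height_;
    bool initInComplete_;
    std::vector<Frame> frames_;
};

// Constructed scenario: frame 0 paints one row, frame 1 carries no pixel
// data at all, frame 2 paints a different row and should inherit frame 0's
// row through frame 1. Returns the value frame 2 holds at frame 0's row and
// reports whether the sizing invariant held for every completed frame.
uint32_t runScenario(bool withFix, bool* invariantHeld) {
    ToyGifDecoder dec(4, 2, withFix);
    const std::vector<uint32_t> red(4, 0xFFFF0000u), blue(4, 0xFF0000FFu);
    dec.haveDecodedRow(0, 0, red);
    dec.frameComplete(0);
    dec.frameComplete(1);          // do-nothing frame: haveDecodedRow() never runs
    dec.haveDecodedRow(2, 1, blue);
    dec.frameComplete(2);
    *invariantHeld = dec.allCompleteFramesSized();
    return dec.pixel(2, 0, 0);
}
```

With the fix enabled, frame 1 is sized and seeded at completion, so frame 2 inherits the red row (`0xFFFF0000`) and every completed frame is full-size. Without it, frame 1 is marked complete with an empty buffer, the invariant check fails, and frame 2 falls back to a cleared canvas; in the real decoder that same state was the unsized buffer the next frame's copy wrote through.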
Diffstat (limited to 'webkit/port')
-rw-r--r-- | webkit/port/platform/image-decoders/gif/GIFImageDecoder.cpp | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/webkit/port/platform/image-decoders/gif/GIFImageDecoder.cpp b/webkit/port/platform/image-decoders/gif/GIFImageDecoder.cpp index 6bc4133..2589fa3 100644 --- a/webkit/port/platform/image-decoders/gif/GIFImageDecoder.cpp +++ b/webkit/port/platform/image-decoders/gif/GIFImageDecoder.cpp @@ -345,10 +345,8 @@ void GIFImageDecoder::haveDecodedRow(unsigned frameIndex, { // Initialize the frame if necessary. RGBA32Buffer& buffer = m_frameBufferCache[frameIndex]; - if (buffer.status() == RGBA32Buffer::FrameEmpty) { - if (!initFrameBuffer(frameIndex)) - return; - } + if ((buffer.status() == RGBA32Buffer::FrameEmpty) && !initFrameBuffer(frameIndex)) + return; // Do nothing for bogus data. if (rowBuffer == 0 || static_cast<int>(m_reader->frameYOffset() + rowNumber) >= size().height()) @@ -414,7 +412,12 @@ void GIFImageDecoder::haveDecodedRow(unsigned frameIndex, void GIFImageDecoder::frameComplete(unsigned frameIndex, unsigned frameDuration, RGBA32Buffer::FrameDisposalMethod disposalMethod) { + // Initialize the frame if necessary. Some GIFs insert do-nothing frames, + // in which case we never reach haveDecodedRow() before getting here. RGBA32Buffer& buffer = m_frameBufferCache[frameIndex]; + if ((buffer.status() == RGBA32Buffer::FrameEmpty) && !initFrameBuffer(frameIndex)) + return; + buffer.setStatus(RGBA32Buffer::FrameComplete); buffer.setDuration(frameDuration); buffer.setDisposalMethod(disposalMethod); |
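Review bot: in the first hunk (haveDecodedRow), the combined condition `if ((buffer.status() == RGBA32Buffer::FrameEmpty) && !initFrameBuffer(frameIndex)) return;` is equivalent to the nested form it replaces, so this hunk is a style change only; the one thing worth checking is the silent early return, since when initFrameBuffer() fails the row is dropped without anything visible here recording the failure, so confirm that initFrameBuffer() itself marks the decode as failed rather than leaving the frame FrameEmpty for every later row to retry.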
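Review bot: the second hunk (frameComplete) duplicates the initialize-if-empty block from haveDecodedRow() verbatim, and since the fix depends on both callers performing the same check, consider pulling it into one helper (for example a hypothetical `ensureFrameInitialized(frameIndex)`) so the two copies cannot drift apart. Note also that on an initFrameBuffer() failure frameComplete() now returns before `buffer.setStatus(RGBA32Buffer::FrameComplete);`, so the frame stays FrameEmpty and never receives its duration or disposal method; that looks intended, because marking an unsized frame complete is exactly the state the commit message describes, but a short comment saying so would help the next reader.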