Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(92)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 14168: Fix memory corruption in the GIF decoder if a GIF specified a frame with no p... (Closed)

Created:
12 years ago by Peter Kasting
Modified:
9 years, 7 months ago
CC:
chromium-reviews_googlegroups.com
Visibility:
Public.

Description

Fix memory corruption in the GIF decoder if a GIF specified a frame with no pixel data. When creating the subsequent frame, we'd try and copy this frame's data, assuming it was sized properly, when in fact we'd allocated no space; then writing pixel data into this buffer overwrote whatever was sitting in memory. Basically, we need to ensure that every frame gets properly initialized (sized, allocated, and data copied or cleared as appropriate) before we move to the next frame. Since we can't rely on haveDecodedRow() getting called for all frames, we now also initialize as needed in frameComplete(). BUG=5573 Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=7103

Patch Set 1 #

Total comments: 3
Unified diffs Side-by-side diffs Delta from patch set Stats (+7 lines, -4 lines) Patch
M webkit/port/platform/image-decoders/gif/GIFImageDecoder.cpp View 2 chunks +7 lines, -4 lines 3 comments Download

Messages

Total messages: 4 (0 generated)
Peter Kasting
12 years ago (2008-12-16 21:18:42 UTC) #1
brettw
LGTM http://codereview.chromium.org/14168/diff/1/2 File webkit/port/platform/image-decoders/gif/GIFImageDecoder.cpp (right): http://codereview.chromium.org/14168/diff/1/2#newcode416 Line 416: // so we never reach haveDecodedRow() before ...
12 years ago (2008-12-16 21:21:56 UTC) #2
Mohamed Mansour (USE mhm)
http://codereview.chromium.org/14168/diff/1/2 File webkit/port/platform/image-decoders/gif/GIFImageDecoder.cpp (right): http://codereview.chromium.org/14168/diff/1/2#newcode418 Line 418: if ((buffer.status() == RGBA32Buffer::FrameEmpty) && !initFrameBuffer(frameIndex)) my turn ...
12 years ago (2008-12-16 21:39:23 UTC) #3
Peter Kasting
12 years ago (2008-12-16 21:42:17 UTC) #4 
http://codereview.chromium.org/14168/diff/1/2
File webkit/port/platform/image-decoders/gif/GIFImageDecoder.cpp (right):

http://codereview.chromium.org/14168/diff/1/2#newcode418
Line 418: if ((buffer.status() == RGBA32Buffer::FrameEmpty) &&
!initFrameBuffer(frameIndex))
On 2008/12/16 21:39:23, Mohamed Mansour wrote:
> nit: let second parameter go in the next line since it is > 80 chars

No, this is WebKit code and WebKit style.  Google style is 80-column limit,
WebKit style is to have arbitrary-length lines.

Powered by Google App Engine
This is Rietveld 408576698