Chromium Code Reviews Chromium Code Reviews
Issue 14168:
Fix memory corruption in the GIF decoder if a GIF specified a frame with no p... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2006 Apple Computer, Inc. All rights reserved. | 2 * Copyright (C) 2006 Apple Computer, Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| (...skipping 327 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 338 | 338 |
| 339 void GIFImageDecoder::haveDecodedRow(unsigned frameIndex, | 339 void GIFImageDecoder::haveDecodedRow(unsigned frameIndex, |
| 340 unsigned char* rowBuffer, // Pointer to s ingle scanline temporary buffer | 340 unsigned char* rowBuffer, // Pointer to s ingle scanline temporary buffer |
| 341 unsigned char* rowEnd, | 341 unsigned char* rowEnd, |
| 342 unsigned rowNumber, // The row index | 342 unsigned rowNumber, // The row index |
| 343 unsigned repeatCount, // How many times to repeat the row | 343 unsigned repeatCount, // How many times to repeat the row |
| 344 bool writeTransparentPixels) | 344 bool writeTransparentPixels) |
| 345 { | 345 { |
| 346 // Initialize the frame if necessary. | 346 // Initialize the frame if necessary. |
| 347 RGBA32Buffer& buffer = m_frameBufferCache[frameIndex]; | 347 RGBA32Buffer& buffer = m_frameBufferCache[frameIndex]; |
| 348 if (buffer.status() == RGBA32Buffer::FrameEmpty) { | 348 if ((buffer.status() == RGBA32Buffer::FrameEmpty) && !initFrameBuffer(frameI ndex)) |
| 349 if (!initFrameBuffer(frameIndex)) | 349 return; |
| 350 return; | |
| 351 } | |
| 352 | 350 |
| 353 // Do nothing for bogus data. | 351 // Do nothing for bogus data. |
| 354 if (rowBuffer == 0 || static_cast<int>(m_reader->frameYOffset() + rowNumber) >= size().height()) | 352 if (rowBuffer == 0 || static_cast<int>(m_reader->frameYOffset() + rowNumber) >= size().height()) |
| 355 return; | 353 return; |
| 356 | 354 |
| 357 unsigned colorMapSize; | 355 unsigned colorMapSize; |
| 358 unsigned char* colorMap; | 356 unsigned char* colorMap; |
| 359 m_reader->getColorMap(colorMap, colorMapSize); | 357 m_reader->getColorMap(colorMap, colorMapSize); |
| 360 if (!colorMap) | 358 if (!colorMap) |
| 361 return; | 359 return; |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 407 if (currDst + num > end) // Protect against a buffer overrun from a bogus repeatCount. | 405 if (currDst + num > end) // Protect against a buffer overrun from a bogus repeatCount. |
| 408 break; | 406 break; |
| 409 memcpy(currDst, dst, data_size); | 407 memcpy(currDst, dst, data_size); |
| 410 currDst += width; | 408 currDst += width; |
| 411 } | 409 } |
| 412 } | 410 } |
| 413 } | 411 } |
| 414 | 412 |
| 415 void GIFImageDecoder::frameComplete(unsigned frameIndex, unsigned frameDuration, RGBA32Buffer::FrameDisposalMethod disposalMethod) | 413 void GIFImageDecoder::frameComplete(unsigned frameIndex, unsigned frameDuration, RGBA32Buffer::FrameDisposalMethod disposalMethod) |
| 416 { | 414 { |
| 415 // Initialize the frame if necessary. Some GIFs insert do-nothing frames, | |
| 416 // so we never reach haveDecodedRow() before getting here. | |
|
brettw
2008/12/16 21:21:56
"so we never" -> "in which case we never" (seems l
| |
| 417 RGBA32Buffer& buffer = m_frameBufferCache[frameIndex]; | 417 RGBA32Buffer& buffer = m_frameBufferCache[frameIndex]; |
| 418 if ((buffer.status() == RGBA32Buffer::FrameEmpty) && !initFrameBuffer(frameI ndex)) | |
|
Mohamed Mansour (USE mhm)
2008/12/16 21:39:23
my turn :)
nit: let second parameter go in the nex
Peter Kasting
2008/12/16 21:42:17
No, this is WebKit code and WebKit style. Google
| |
| 419 return; | |
| 420 | |
| 418 buffer.setStatus(RGBA32Buffer::FrameComplete); | 421 buffer.setStatus(RGBA32Buffer::FrameComplete); |
| 419 buffer.setDuration(frameDuration); | 422 buffer.setDuration(frameDuration); |
| 420 buffer.setDisposalMethod(disposalMethod); | 423 buffer.setDisposalMethod(disposalMethod); |
| 421 | 424 |
| 422 if (!m_currentBufferSawAlpha) { | 425 if (!m_currentBufferSawAlpha) { |
| 423 // The whole frame was non-transparent, so it's possible that the entire | 426 // The whole frame was non-transparent, so it's possible that the entire |
| 424 // resulting buffer was non-transparent, and we can setHasAlpha(false). | 427 // resulting buffer was non-transparent, and we can setHasAlpha(false). |
| 425 if (buffer.rect().contains(IntRect(IntPoint(0, 0), size()))) { | 428 if (buffer.rect().contains(IntRect(IntPoint(0, 0), size()))) { |
| 426 buffer.setHasAlpha(false); | 429 buffer.setHasAlpha(false); |
| 427 } else if (frameIndex > 0) { | 430 } else if (frameIndex > 0) { |
| (...skipping 30 matching lines...) Expand all Loading... | |
| 458 | 461 |
| 459 void GIFImageDecoder::gifComplete() | 462 void GIFImageDecoder::gifComplete() |
| 460 { | 463 { |
| 461 if (m_reader) | 464 if (m_reader) |
| 462 m_repetitionCount = m_reader->repetitionCount(); | 465 m_repetitionCount = m_reader->repetitionCount(); |
| 463 delete m_reader; | 466 delete m_reader; |
| 464 m_reader = 0; | 467 m_reader = 0; |
| 465 } | 468 } |
| 466 | 469 |
| 467 } | 470 } |
| OLD | NEW |
