Chromium Code Reviews Chromium Code Reviews
Issue 14168:
Fix memory corruption in the GIF decoder if a GIF specified a frame with no p... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/| Index: webkit/port/platform/image-decoders/gif/GIFImageDecoder.cpp |
| =================================================================== |
| --- webkit/port/platform/image-decoders/gif/GIFImageDecoder.cpp (revision 7061) |
| +++ webkit/port/platform/image-decoders/gif/GIFImageDecoder.cpp (working copy) |
| @@ -345,10 +345,8 @@ |
| { |
| // Initialize the frame if necessary. |
| RGBA32Buffer& buffer = m_frameBufferCache[frameIndex]; |
| - if (buffer.status() == RGBA32Buffer::FrameEmpty) { |
| - if (!initFrameBuffer(frameIndex)) |
| - return; |
| - } |
| + if ((buffer.status() == RGBA32Buffer::FrameEmpty) && !initFrameBuffer(frameIndex)) |
| + return; |
| // Do nothing for bogus data. |
| if (rowBuffer == 0 || static_cast<int>(m_reader->frameYOffset() + rowNumber) >= size().height()) |
| @@ -414,7 +412,12 @@ |
| void GIFImageDecoder::frameComplete(unsigned frameIndex, unsigned frameDuration, RGBA32Buffer::FrameDisposalMethod disposalMethod) |
| { |
| + // Initialize the frame if necessary. Some GIFs insert do-nothing frames, |
| + // so we never reach haveDecodedRow() before getting here. |
|
brettw
2008/12/16 21:21:56
"so we never" -> "in which case we never" (seems l
|
| RGBA32Buffer& buffer = m_frameBufferCache[frameIndex]; |
| + if ((buffer.status() == RGBA32Buffer::FrameEmpty) && !initFrameBuffer(frameIndex)) |
|
Mohamed Mansour (USE mhm)
2008/12/16 21:39:23
my turn :)
nit: let second parameter go in the nex
Peter Kasting
2008/12/16 21:42:17
No, this is WebKit code and WebKit style. Google
|
| + return; |
| + |
| buffer.setStatus(RGBA32Buffer::FrameComplete); |
| buffer.setDuration(frameDuration); |
| buffer.setDisposalMethod(disposalMethod); |
