| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2006 Apple Computer, Inc. | 2 * Copyright (C) 2006 Apple Computer, Inc. |
| 3 * | 3 * |
| 4 * Portions are Copyright (C) 2001-6 mozilla.org | 4 * Portions are Copyright (C) 2001-6 mozilla.org |
| 5 * | 5 * |
| 6 * Other contributors: | 6 * Other contributors: |
| 7 * Stuart Parmenter <stuart@mozilla.com> | 7 * Stuart Parmenter <stuart@mozilla.com> |
| 8 * | 8 * |
| 9 * Copyright (C) 2007-2009 Torch Mobile, Inc. | 9 * Copyright (C) 2007-2009 Torch Mobile, Inc. |
| 10 * | 10 * |
| (...skipping 169 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 180 { | 180 { |
| 181 // The JPEG decoder looks at EXIF metadata. | 181 // The JPEG decoder looks at EXIF metadata. |
| 182 // FIXME: Possibly implement XMP and IPTC support. | 182 // FIXME: Possibly implement XMP and IPTC support. |
| 183 const unsigned orientationTag = 0x112; | 183 const unsigned orientationTag = 0x112; |
| 184 const unsigned shortType = 3; | 184 const unsigned shortType = 3; |
| 185 for (jpeg_saved_marker_ptr marker = info->marker_list; marker; marker = mark
er->next) { | 185 for (jpeg_saved_marker_ptr marker = info->marker_list; marker; marker = mark
er->next) { |
| 186 bool isBigEndian; | 186 bool isBigEndian; |
| 187 unsigned ifdOffset; | 187 unsigned ifdOffset; |
| 188 if (!checkExifHeader(marker, isBigEndian, ifdOffset)) | 188 if (!checkExifHeader(marker, isBigEndian, ifdOffset)) |
| 189 continue; | 189 continue; |
| 190 ifdOffset += 6; // Account for 'Exif\0<fill byte>' header. | 190 const unsigned offsetToTiffData = 6; // Account for 'Exif\0<fill byte>'
header. |
| 191 if (marker->data_length < offsetToTiffData || ifdOffset >= marker->data_
length - offsetToTiffData) |
| 192 continue; |
| 193 ifdOffset += offsetToTiffData; |
| 191 | 194 |
| 192 // The jpeg exif container format contains a tiff block for metadata. | 195 // The jpeg exif container format contains a tiff block for metadata. |
| 193 // A tiff image file directory (ifd) consists of a uint16_t describing | 196 // A tiff image file directory (ifd) consists of a uint16_t describing |
| 194 // the number of ifd entries, followed by that many entries. | 197 // the number of ifd entries, followed by that many entries. |
| 195 // When touching this code, it's useful to look at the tiff spec: | 198 // When touching this code, it's useful to look at the tiff spec: |
| 196 // http://partners.adobe.com/public/developer/en/tiff/TIFF6.pdf | 199 // http://partners.adobe.com/public/developer/en/tiff/TIFF6.pdf |
| 197 JOCTET* ifd = marker->data + ifdOffset; | 200 JOCTET* ifd = marker->data + ifdOffset; |
| 198 JOCTET* end = marker->data + marker->data_length; | 201 JOCTET* end = marker->data + marker->data_length; |
| 199 if (end - ifd < 2) | 202 if (end - ifd < 2) |
| 200 continue; | 203 continue; |
| (...skipping 554 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 755 // has failed. | 758 // has failed. |
| 756 if (!m_reader->decode(*m_data, onlySize) && isAllDataReceived()) | 759 if (!m_reader->decode(*m_data, onlySize) && isAllDataReceived()) |
| 757 setFailed(); | 760 setFailed(); |
| 758 // If we're done decoding the image, we don't need the JPEGImageReader | 761 // If we're done decoding the image, we don't need the JPEGImageReader |
| 759 // anymore. (If we failed, |m_reader| has already been cleared.) | 762 // anymore. (If we failed, |m_reader| has already been cleared.) |
| 760 else if (!m_frameBufferCache.isEmpty() && (m_frameBufferCache[0].status() ==
ImageFrame::FrameComplete)) | 763 else if (!m_frameBufferCache.isEmpty() && (m_frameBufferCache[0].status() ==
ImageFrame::FrameComplete)) |
| 761 m_reader.clear(); | 764 m_reader.clear(); |
| 762 } | 765 } |
| 763 | 766 |
| 764 } | 767 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 11361023:
Merge 132961 (merge bug: http://crbug.com/158840) - Fix potential overflow in jpeg exif reader. Fou… (Closed)
Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/1312/