Fix ImageDecoder::frameIsCompleteAtIndex - fully received instead of decoded.

third_party/WebKit/Source/platform/image-decoders/ico/ICOImageDecoder.cpp

 /*
  * Copyright (c) 2008, 2009, Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 65 matching lines @@
     return (index && (index < m_dirEntries.size())) ? m_dirEntries[index].m_size : size();
 }
 
 bool ICOImageDecoder::setSize(unsigned width, unsigned height)
 {
     // The size calculated inside the BMPImageReader had better match the one in
     // the icon directory.
     return m_frameSize.isEmpty() ? ImageDecoder::setSize(width, height) : ((IntSize(width, height) == m_frameSize) || setFailed());
 }
 
+bool ICOImageDecoder::frameIsFullyReceivedAtIndex(size_t index) const
+{
+    ASSERT(haveUpdatedFrameCount());
+    if (index >= m_dirEntries.size())
+        return ImageDecoder::frameIsFullyReceivedAtIndex(index);
+    const IconDirectoryEntry& dirEntry = m_dirEntries[index];
+    return ((dirEntry.m_imageOffset + dirEntry.m_byteSize) <= m_data->size()) || ImageDecoder::frameIsFullyReceivedAtIndex(index);
+}
+
 bool ICOImageDecoder::setFailed()
 {
     m_bmpReaders.clear();
     m_pngDecoders.clear();
     return ImageDecoder::setFailed();
 }
 
 bool ICOImageDecoder::hotSpot(IntPoint& hotSpot) const
 {
     // When unspecified, the default frame is always frame 0. This is consistent with
     // BitmapImage where currentFrame() starts at 0 and only increases when animation is
     // requested.
     return hotSpotAtIndex(0, hotSpot);
 }
 
 bool ICOImageDecoder::hotSpotAtIndex(size_t index, IntPoint& hotSpot) const
 {
     if (index >= m_dirEntries.size() || m_fileType != CURSOR)
         return false;
 
     hotSpot = m_dirEntries[index].m_hotSpot;
     return true;
 }
 
-
 // static
 bool ICOImageDecoder::compareEntries(const IconDirectoryEntry& a, const IconDirectoryEntry& b)
 {
     // Larger icons are better.  After that, higher bit-depth icons are better.
     const int aEntryArea = a.m_size.width() * a.m_size.height();
     const int bEntryArea = b.m_size.width() * b.m_size.height();
     return (aEntryArea == bEntryArea) ? (a.m_bitCount > b.m_bitCount) : (aEntryArea > bEntryArea);
 }
 
 size_t ICOImageDecoder::decodeFrameCount()
 {
     decodeSize();
+
+    for (size_t i = 0; i < m_dirEntries.size(); ++i) {
+        const IconDirectoryEntry& dirEntry = m_dirEntries[i];
+        if ((dirEntry.m_imageOffset + dirEntry.m_byteSize) > m_data->size())

[aleksandar.stojiljkovic, 2016/06/06 14:26:39]

frameCount should include only fully received frames. The last frame could be
partially received.

+            return i + 1;
+    }
     return m_dirEntries.size();
 }
 
 void ICOImageDecoder::setDataForPNGDecoderAtIndex(size_t index)
 {
     if (!m_pngDecoders[index])
         return;
 
     m_pngDecoders[index]->setData(m_data.get(), isAllDataReceived());
 }
 
 void ICOImageDecoder::decode(size_t index, bool onlySize)
 {
     if (failed())
         return;
 
     // Defensively clear the FastSharedBufferReader's cache, as another caller
     // may have called SharedBuffer::mergeSegmentsIntoBuffer().
     m_fastReader.clearCache();
 
     // If we couldn't decode the image but we've received all the data, decoding
     // has failed.
     if ((!decodeDirectory() || (!onlySize && !decodeAtIndex(index))) && isAllDataReceived()) {
         setFailed();
     // If we're done decoding this frame, we don't need the BMPImageReader or
     // PNGImageDecoder anymore.  (If we failed, these have already been
     // cleared.)
-    } else if ((m_frameBufferCache.size() > index) && (m_frameBufferCache[index].getStatus() == ImageFrame::FrameComplete)) {
+    } else if (frameIsCompleteAtIndex(index)) {
         m_bmpReaders[index].clear();
         m_pngDecoders[index].clear();
     }
 }
 
 bool ICOImageDecoder::decodeDirectory()
 {
     // Read and process directory.
     if ((m_decodedOffset < sizeOfDirectory) && !processDirectory())
         return false;
 
     // Read and process directory entries.
     return (m_decodedOffset >= (sizeOfDirectory + (m_dirEntries.size() * sizeOfDirEntry))) || processDirectoryEntries();
 }
 
 bool ICOImageDecoder::decodeAtIndex(size_t index)
 {
     ASSERT_WITH_SECURITY_IMPLICATION(index < m_dirEntries.size());
     const IconDirectoryEntry& dirEntry = m_dirEntries[index];
     const ImageType imageType = imageTypeAtIndex(index);
     if (imageType == Unknown)
         return false; // Not enough data to determine image type yet.
 
+    ASSERT(m_frameBufferCache.size() == decodeFrameCount());

[aleksandar.stojiljkovic, 2016/06/06 14:26:39]

this assert is copied from previous code but is not very useful (it is just
verifying that decodeAtIndex) is not called without decodeFrameCount.
decodeFrameCount gets called from frameBufferAtIndex which calls
decodeFrameCount.

     if (imageType == BMP) {
         if (!m_bmpReaders[index]) {
-            // We need to have already sized m_frameBufferCache before this, and
-            // we must not resize it again later (see caution in frameCount()).
-            ASSERT(m_frameBufferCache.size() == m_dirEntries.size());
             m_bmpReaders[index] = adoptPtr(new BMPImageReader(this, dirEntry.m_imageOffset, 0, true));
             m_bmpReaders[index]->setData(m_data.get());
-            m_bmpReaders[index]->setBuffer(&m_frameBufferCache[index]);
         }
+        // Update the pointer to the buffer as it could change after
+        // m_frameBufferCache.resize().
+        m_bmpReaders[index]->setBuffer(&m_frameBufferCache[index]);
         m_frameSize = dirEntry.m_size;
         bool result = m_bmpReaders[index]->decodeBMP(false);
         m_frameSize = IntSize();
         return result;
     }
 
     if (!m_pngDecoders[index]) {
         AlphaOption alphaOption = m_premultiplyAlpha ? AlphaPremultiplied : AlphaNotPremultiplied;
         GammaAndColorProfileOption colorOptions = m_ignoreGammaAndColorProfile ? GammaAndColorProfileIgnored : GammaAndColorProfileApplied;
         m_pngDecoders[index] = adoptPtr(new PNGImageDecoder(alphaOption, colorOptions, m_maxDecodedBytes, dirEntry.m_imageOffset));
@@ skipping 73 matching lines @@
         height = 256;
     IconDirectoryEntry entry;
     entry.m_size = IntSize(width, height);
     if (m_fileType == CURSOR) {
         entry.m_bitCount = 0;
         entry.m_hotSpot = IntPoint(readUint16(4), readUint16(6));
     } else {
         entry.m_bitCount = readUint16(6);
         entry.m_hotSpot = IntPoint();
     }
+    entry.m_byteSize = readUint32(8);
     entry.m_imageOffset = readUint32(12);
 
     // Some icons don't have a bit depth, only a color count.  Convert the
     // color count to the minimum necessary bit depth.  It doesn't matter if
     // this isn't quite what the bitmap info header says later, as we only use
     // this value to determine which icon entry is best.
     if (!entry.m_bitCount) {
         int colorCount = readUint8(2);
         if (!colorCount)
             colorCount = 256;  // Vague in the spec, needed by real-world icons.
@@ skipping 12 matching lines @@
     ASSERT_WITH_SECURITY_IMPLICATION(index < m_dirEntries.size());
     const uint32_t imageOffset = m_dirEntries[index].m_imageOffset;
     if ((imageOffset > m_data->size()) || ((m_data->size() - imageOffset) < 4))
         return Unknown;
     char buffer[4];
     const char* data = m_fastReader.getConsecutiveData(imageOffset, 4, buffer);
     return strncmp(data, "\x89PNG", 4) ? BMP : PNG;
 }
 
 } // namespace blink