ICO: Skip checking declared entry bounds when file is completelly received.

third_party/WebKit/Source/platform/image-decoders/ico/ICOImageDecoder.cpp

Index: third_party/WebKit/Source/platform/image-decoders/ico/ICOImageDecoder.cpp
diff --git a/third_party/WebKit/Source/platform/image-decoders/ico/ICOImageDecoder.cpp b/third_party/WebKit/Source/platform/image-decoders/ico/ICOImageDecoder.cpp
index 96011a494b66d24a3969a23cce41b6059af0f494..0259da01d707653a8beebee1b8a3a2abcaccd939 100644
--- a/third_party/WebKit/Source/platform/image-decoders/ico/ICOImageDecoder.cpp
+++ b/third_party/WebKit/Source/platform/image-decoders/ico/ICOImageDecoder.cpp
@@ -131,6 +131,11 @@ size_t ICOImageDecoder::decodeFrameCount() {
   if (failed())
     return m_frameBufferCache.size();
 
+  // Skip checking entries offset and byte size when file is fully received.
+  // See crbug.com/653075.

[Peter Kasting, 2016/10/05 19:03:27]

Nit: I'd like this comment to say more about why we're doing this rather than
kicking to an external bug, so it's clear to a reader (it wasn't clear to me
without looking around more).  How about refactoring like this:

  // If the file is incomplete, return the length of the sequence of completely
  // received frames.  We don't do this when the file is fully received, since
  // some ICOs have entries whose claimed offset + size extends past the end of
  // the file, and we still want to display these if they don't trigger decoding
  // failures elsewhere.
  if (!isAllDataReceived()) {
    for (size_t i = 0; i < m_dirEntries.size(); ++i) {
      const IconDirectoryEntry& dirEntry = m_dirEntries[i];
      if ((dirEntry.m_imageOffset + dirEntry.m_byteSize) > m_data->size())
        return i;
    }
  }

  return m_dirEntries.size();

+  if (isAllDataReceived())
+    return m_dirEntries.size();
+
   // Length of sequence of completely received frames.
   for (size_t i = 0; i < m_dirEntries.size(); ++i) {
     const IconDirectoryEntry& dirEntry = m_dirEntries[i];