Side by Side Diff: third_party/WebKit/Source/platform/image-decoders/ico/ICOImageDecoder.cpp

Issue 2754003008: Prevent crash in ICO caused by bad/truncated PNG (Closed)
Patch Set: No conditional with side effect Created 3 years, 9 months ago
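--- a/third_party/WebKit/Source/platform/image-decoders/ico/ICOImageDecoder.cpp
+++ b/third_party/WebKit/Source/platform/image-decoders/ico/ICOImageDecoder.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (c) 2008, 2009, Google Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 * * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * * Redistributions in binary form must reproduce the above
@@ -211,26 +211,27 @@
 if (!m_pngDecoders[index]) {
 AlphaOption alphaOption =
 m_premultiplyAlpha ? AlphaPremultiplied : AlphaNotPremultiplied;
 m_pngDecoders[index] = WTF::wrapUnique(
 new PNGImageDecoder(alphaOption, m_colorBehavior, m_maxDecodedBytes,
 dirEntry.m_imageOffset));
 setDataForPNGDecoderAtIndex(index);
 }
 // Fail if the size the PNGImageDecoder calculated does not match the size
 // in the directory.
-if (m_pngDecoders[index]->isSizeAvailable() &&
-(m_pngDecoders[index]->size() != dirEntry.m_size))
+auto* pngDecoder = m_pngDecoders[index].get();
+if (pngDecoder->isSizeAvailable() && pngDecoder->size() != dirEntry.m_size)
 return setFailed();
-m_frameBufferCache[index] = *m_pngDecoders[index]->frameBufferAtIndex(0);
-m_frameBufferCache[index].setPremultiplyAlpha(m_premultiplyAlpha);
-return !m_pngDecoders[index]->failed() || setFailed();
+const auto* frame = pngDecoder->frameBufferAtIndex(0);
+if (frame)
+m_frameBufferCache[index] = *frame;
+return !pngDecoder->failed() || setFailed();
 }
 
 bool ICOImageDecoder::processDirectory() {
 // Read directory.
 DCHECK(!m_decodedOffset);
 if (m_data->size() < sizeOfDirectory)
 return false;
 const uint16_t fileType = readUint16(2);
 m_dirEntriesCount = readUint16(4);
 m_decodedOffset = sizeOfDirectory;
@@ -325,10 +326,10 @@
 SECURITY_DCHECK(index < m_dirEntries.size());
 const uint32_t imageOffset = m_dirEntries[index].m_imageOffset;
 if ((imageOffset > m_data->size()) || ((m_data->size() - imageOffset) < 4))
 return Unknown;
 char buffer[4];
 const char* data = m_fastReader.getConsecutiveData(imageOffset, 4, buffer);
 return strncmp(data, "\x89PNG", 4) ? BMP : PNG;
 }
 
 } // namespace blink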
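Review bot: The call `m_frameBufferCache[index].setPremultiplyAlpha(m_premultiplyAlpha);` from old line 225 is dropped without a replacement, and nothing in the hunk shows that the frame copied from the PNG decoder already carries that setting. If the decoder constructed with `alphaOption` at lines 212-216 is what guarantees it, a one-line comment after `m_frameBufferCache[index] = *frame;` such as `// The PNG decoder was built with alphaOption, so the frame's premultiply state already matches.` would make the intent explicit; otherwise the line should be restored inside the `if (frame)` branch. Separately, when `frameBufferAtIndex(0)` returns null but the decoder has not been marked failed, the function now returns true without touching `m_frameBufferCache[index]`, so callers see whatever state that cache entry was already in; if that is the intended "not enough data yet" outcome, it is worth saying so in the comment above the check. The enclosing function begins before this hunk.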