
Side by Side Diff: src/images/SkImageDecoder_libpng.cpp

Issue 423473003: Fix image decoder memory overwrite bug. (Closed) Base URL: https://skia.googlesource.com/skia.git@master
Patch Set: Created 6 years, 4 months ago
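--- a/src/images/SkImageDecoder_libpng.cpp
+++ b/src/images/SkImageDecoder_libpng.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright 2006 The Android Open Source Project
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
 
 #include "SkImageDecoder.h"
 #include "SkImageEncoder.h"
 #include "SkColor.h"
@@ -904,46 +904,44 @@
 const int height = decodedBitmap.height();
 
 if (number_passes > 1) {
 SkAutoMalloc storage(origWidth * origHeight * srcBytesPerPixel);
 uint8_t* base = (uint8_t*)storage.get();
 size_t rb = origWidth * srcBytesPerPixel;
 
 for (int i = 0; i < number_passes; i++) {
 png_configure_decoder(png_ptr, &actualTop, i);
 for (int j = 0; j < rect.fTop - actualTop; j++) {
-uint8_t* bmRow = (uint8_t*)decodedBitmap.getPixels();
-png_read_rows(png_ptr, &bmRow, png_bytepp_NULL, 1);
+png_read_rows(png_ptr, &base, png_bytepp_NULL, 1);
 }
 uint8_t* row = base;
 for (int32_t y = 0; y < rect.height(); y++) {
 uint8_t* bmRow = row;
 png_read_rows(png_ptr, &bmRow, png_bytepp_NULL, 1);
 row += rb;
 }
 }
 // now sample it
 base += sampler.srcY0() * rb;
 for (int y = 0; y < height; y++) {
 reallyHasAlpha |= sampler.next(base);
 base += sampler.srcDY() * rb;
 }
 } else {
 SkAutoMalloc storage(origWidth * srcBytesPerPixel);
 uint8_t* srcRow = (uint8_t*)storage.get();
 
 png_configure_decoder(png_ptr, &actualTop, 0);
 skip_src_rows(png_ptr, srcRow, sampler.srcY0());
 
 for (int i = 0; i < rect.fTop - actualTop; i++) {
-uint8_t* bmRow = (uint8_t*)decodedBitmap.getPixels();
-png_read_rows(png_ptr, &bmRow, png_bytepp_NULL, 1);
+png_read_rows(png_ptr, &srcRow, png_bytepp_NULL, 1);
 }
 for (int y = 0; y < height; y++) {
 uint8_t* tmp = srcRow;
 png_read_rows(png_ptr, &tmp, png_bytepp_NULL, 1);
 reallyHasAlpha |= sampler.next(srcRow);
 if (y < height - 1) {
 skip_src_rows(png_ptr, srcRow, sampler.srcDY() - 1);
 }
 }
 }
@@ -1280,10 +1278,10 @@
 return SkImageDecoder::kUnknown_Format;
 }
 
 SkImageEncoder* sk_libpng_efactory(SkImageEncoder::Type t) {
 return (SkImageEncoder::kPNG_Type == t) ? SkNEW(SkPNGImageEncoder) : NULL;
 }
 
 static SkImageDecoder_DecodeReg gDReg(sk_libpng_dfactory);
 static SkImageDecoder_FormatReg gFormatReg(get_format_png);
 static SkImageEncoder_EncodeReg gEReg(sk_libpng_efactory);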
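Review bot: The two skip loops now read the discarded rows into `base` and `srcRow`, so the fix is only as safe as the two `SkAutoMalloc storage(...)` sizes, and neither product is checked for overflow. The declarations of `origWidth`, `origHeight` and `srcBytesPerPixel` are outside the visible lines, but if they are 32-bit integers the multiplication can wrap for a very large image and leave a buffer shorter than one source row, which `png_read_rows` would then overrun. I would compute the size in a wider type, e.g. `const uint64_t size = (uint64_t)origWidth * origHeight * srcBytesPerPixel;`, and fail the decode when it does not fit in `size_t`. A comment on both skip loops would also record why the scratch buffer is used, such as `// Rows above rect.fTop are decoded only to advance the stream; read them into the source-width scratch row, not the bitmap's pixels.` The enclosing function starts and ends outside the lines shown here.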