Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(3473)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/images/SkImageDecoder_libjpeg.cpp

Issue 936133003: Fixing possible out of bound memory access (Closed) Base URL: https://skia.googlesource.com/skia.git@master
Patch Set: Created 5 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/images/SkImageDecoder_libjpeg.cpp
diff --git a/src/images/SkImageDecoder_libjpeg.cpp b/src/images/SkImageDecoder_libjpeg.cpp
index 3c93e6177ddf0773a42bcdc4b935c4317d62f1e6..d32e2a21c91bea0fe06e472a5e6cce22518f41c5 100644
--- a/src/images/SkImageDecoder_libjpeg.cpp
+++ b/src/images/SkImageDecoder_libjpeg.cpp
@@ -798,11 +798,11 @@ static bool output_raw_data(jpeg_decompress_struct& cinfo, void* planes[3], size
size_t rowBytesV = rowBytes[2];
int yScanlinesToRead = DCTSIZE * v;
- SkAutoMalloc lastRowStorage(yWidth * 8);
+ SkAutoMalloc lastRowStorage(rowBytesY * 4);
JSAMPROW yLastRow = (JSAMPROW)lastRowStorage.get();
- JSAMPROW uLastRow = yLastRow + 2 * yWidth;
- JSAMPROW vLastRow = uLastRow + 2 * yWidth;
- JSAMPROW dummyRow = vLastRow + 2 * yWidth;
+ JSAMPROW uLastRow = yLastRow + rowBytesY;
+ JSAMPROW vLastRow = uLastRow + rowBytesY;
+ JSAMPROW dummyRow = vLastRow + rowBytesY;
while (cinfo.output_scanline < cinfo.output_height) {
// Request 8 or 16 scanlines: returns 0 or more scanlines.
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698