Changeset 61816 in webkit


Timestamp:
Jun 24, 2010, 8:06:48 PM (15 years ago)
Author:
jschuh@chromium.org
Message:

2010-06-24 Cris Neckar <cdn@chromium.org>

Reviewed by Darin Fisher.

[Chromium] Out of bounds write in WebCore::PNGImageDecoder::rowAvailable
https://bugs.webkit.org/show_bug.cgi?id=40798

Catches error in row callback for libPNG when extra rows are returned.

Test: fast/images/png-extra-row-crash.html

  • platform/image-decoders/png/PNGImageDecoder.cpp: (WebCore::PNGImageDecoder::rowAvailable):

2010-06-24 Cris Neckar <cdn@chromium.org>

Reviewed by Darin Fisher.

[Chromium] Out of bounds write in WebCore::PNGImageDecoder::rowAvailable
https://bugs.webkit.org/show_bug.cgi?id=40798

Tests a PNG with an extra row.

  • fast/images/png-extra-row-crash-expected.txt: Added.
  • fast/images/png-extra-row-crash.html: Added.
  • fast/images/resources/png-extra-row-crash.png: Added.
Location:
trunk
Files:
3 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r61814 r61816  
     12010-06-24  Cris Neckar  <cdn@chromium.org>
     2
     3        Reviewed by Darin Fisher.
     4
     5        [Chromium] Out of bounds write in WebCore::PNGImageDecoder::rowAvailable
     6        https://bugs.webkit.org/show_bug.cgi?id=40798
     7
     8        Tests a PNG with an extra row.
     9
     10        * fast/images/png-extra-row-crash-expected.txt: Added.
     11        * fast/images/png-extra-row-crash.html: Added.
     12        * fast/images/resources/png-extra-row-crash.png: Added.
     13
    1142010-06-24  James Robinson  <jamesr@chromium.org>
    215
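Review bot: the added entry says only "Tests a PNG with an extra row." and lists fast/images/resources/png-extra-row-crash.png as a binary fixture with no description. State in the entry, or in the .html test, how the extra row arises in the file and what the passing result is, so the fixture can be regenerated or audited later rather than trusted as an opaque blob.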
  • trunk/WebCore/ChangeLog

    r61815 r61816  
     12010-06-24  Cris Neckar  <cdn@chromium.org>
     2
     3        Reviewed by Darin Fisher.
     4
     5        [Chromium] Out of bounds write in WebCore::PNGImageDecoder::rowAvailable
     6        https://bugs.webkit.org/show_bug.cgi?id=40798
     7
     8        Catches error in row callback for libPNG when extra rows are returned.
     9
     10        Test: fast/images/png-extra-row-crash.html
     11
     12        * platform/image-decoders/png/PNGImageDecoder.cpp:
     13        (WebCore::PNGImageDecoder::rowAvailable):
     14
    1152010-06-24  Eric Seidel  <eric@webkit.org>
    216
  • trunk/WebCore/platform/image-decoders/png/PNGImageDecoder.cpp

    r61699 r61816  
    356356    int width = scaledSize().width();
    357357    int destY = scaledY(rowIndex);
    358     if (destY < 0)
     358
     359    // Check that the row is within the image bounds. LibPNG may supply an extra row.
     360    if (destY < 0 || destY >= scaledSize().height())
    359361        return;
    360362    bool sawAlpha = buffer.hasAlpha();
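Review bot: the new bound in "if (destY < 0 || destY >= scaledSize().height())" is applied only after "int destY = scaledY(rowIndex);" has already run on the unchecked rowIndex, and these lines do not show whether scaledY tolerates an index past the last row. Consider rejecting an out-of-range rowIndex against the unscaled height before that call, or extend the comment to say why scaledY is safe for it. The bare "return;" also drops the extra row silently; if a file that yields extra rows should count as malformed, mark the decode as failed here instead of continuing.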