Changeset 61816 in webkit
- Timestamp: Jun 24, 2010, 8:06:48 PM
- Location: trunk
- Files: 3 added, 3 edited
  - LayoutTests/ChangeLog (modified) (1 diff)
  - LayoutTests/fast/images/png-extra-row-crash-expected.txt (added)
  - LayoutTests/fast/images/png-extra-row-crash.html (added)
  - LayoutTests/fast/images/resources/png-extra-row-crash.png (added)
  - WebCore/ChangeLog (modified) (1 diff)
  - WebCore/platform/image-decoders/png/PNGImageDecoder.cpp (modified) (1 diff)
trunk/LayoutTests/ChangeLog
r61814 r61816 1 2010-06-24 Cris Neckar <cdn@chromium.org> 2 3 Reviewed by Darin Fisher. 4 5 [Chromium] Out of bounds write in WebCore::PNGImageDecoder::rowAvailable 6 https://bugs.webkit.org/show_bug.cgi?id=40798 7 8 Tests a PNG with an extra row. 9 10 * fast/images/png-extra-row-crash-expected.txt: Added. 11 * fast/images/png-extra-row-crash.html: Added. 12 * fast/images/resources/png-extra-row-crash.png: Added. 13 1 14 2010-06-24 James Robinson <jamesr@chromium.org> 2 15 -
trunk/WebCore/ChangeLog
r61815 r61816 1 2010-06-24 Cris Neckar <cdn@chromium.org> 2 3 Reviewed by Darin Fisher. 4 5 [Chromium] Out of bounds write in WebCore::PNGImageDecoder::rowAvailable 6 https://bugs.webkit.org/show_bug.cgi?id=40798 7 8 Catches error in row callback for libPNG when extra rows are returned. 9 10 Test: fast/images/png-extra-row-crash.html 11 12 * platform/image-decoders/png/PNGImageDecoder.cpp: 13 (WebCore::PNGImageDecoder::rowAvailable): 14 1 15 2010-06-24 Eric Seidel <eric@webkit.org> 2 16 -
trunk/WebCore/platform/image-decoders/png/PNGImageDecoder.cpp
r61699 r61816 356 356 int width = scaledSize().width(); 357 357 int destY = scaledY(rowIndex); 358 if (destY < 0) 358 359 // Check that the row is within the image bounds. LibPNG may supply an extra row. 360 if (destY < 0 || destY >= scaledSize().height()) 359 361 return; 360 362 bool sawAlpha = buffer.hasAlpha();
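Review bot: In the PNGImageDecoder.cpp hunk, `int destY = scaledY(rowIndex);` still runs on the unchecked `rowIndex` before the new guard, so the bound is enforced only on the scaled result. If `scaledY` does any lookup keyed on `rowIndex`, an extra row from libpng reaches it before the `destY >= scaledSize().height()` test can reject it; please either validate `rowIndex` against the unscaled height ahead of that call or confirm that `scaledY` tolerates an out-of-range index. Separately, the early `return` drops the extra row silently. If a surplus row means the file is malformed, consider marking the decode as failed there, or extend the comment to say why ignoring the row and continuing is safe.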