Changeset 158840 in webkit

Timestamp:

Nov 7, 2013 3:04:16 AM (10 years ago)

Author:

commit-queue@webkit.org

Message:

Fix crash in BitmapImage::destroyDecodedData()
​https://bugs.webkit.org/show_bug.cgi?id=116494

Patch by Laszlo Vidacs <​lac@inf.u-szeged.hu> on 2013-11-07
Reviewed by Csaba Osztrogonác.

Merge from ​https://chromium.googlesource.com/chromium/blink/+/6b6887bf53068f8537908e501fdc7317ad2c6d86

• platform/graphics/BitmapImage.cpp:

(WebCore::BitmapImage::destroyDecodedData):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• platform/graphics/BitmapImage.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-11-07  Laszlo Vidacs  <lac@inf.u-szeged.hu>
+        
+        Fix crash in BitmapImage::destroyDecodedData()
+        https://bugs.webkit.org/show_bug.cgi?id=116494
+
+        Reviewed by Csaba Osztrogonác.
+
+        Merge from https://chromium.googlesource.com/chromium/blink/+/6b6887bf53068f8537908e501fdc7317ad2c6d86
+
+        * platform/graphics/BitmapImage.cpp:
+        (WebCore::BitmapImage::destroyDecodedData):
+
 2013-11-06  Sergio Villar Senin  <svillar@igalia.com>
 

trunk/Source/WebCore/platform/graphics/BitmapImage.cpp

@@ -78 +78 @@
     unsigned frameBytesCleared = 0;
     const size_t clearBeforeFrame = destroyAll ? m_frames.size() : m_currentFrame;
-    for (size_t i = 0; i < clearBeforeFrame; ++i) {
+
+    // Because we can advance frames without always needing to decode the actual
+    // bitmap data, |m_currentFrame| may be larger than m_frames.size();
+    // make sure not to walk off the end of the container in this case.
+    for (size_t i = 0; i <  std::min(clearBeforeFrame, m_frames.size()); ++i) {
         // The underlying frame isn't actually changing (we're just trying to
         // save the memory for the framebuffer data), so we don't need to clear