Changeset 19491 in webkit
- Timestamp:
- Feb 7, 2007 9:06:44 PM (17 years ago)
- Location:
- trunk/WebCore
- Files:
-
- 2 edited
trunk/WebCore/ChangeLog
r19490 r19491 1 2007-02-07 Christopher Brichford <chrisb@adobe.com> 2 3 Reviewed by Brady. 4 5 http://bugs.webkit.org/show_bug.cgi?id=6286 6 Very large (~500MB) images cause reproducible Safari crash 7 8 * loader/CachedImage.cpp: 9 (WebCore::CachedImage::bufferData): Detect failure to create a 10 large Vector<> and call error() when that happens. 11 1 12 2007-02-07 Mitz Pettel <mitz@webkit.org> 2 13 -
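--- a/trunk/WebCore/loader/CachedImage.cpp
+++ b/trunk/WebCore/loader/CachedImage.cpp
@@ -167,12 +167,33 @@
     createImage();
 
-    // Add new bytes DIRECTLY to the buffer in the Image object.
-    Vector<char>& buffer = m_image->dataBuffer();
-
-    unsigned oldSize = buffer.size();
-    buffer.resize(oldSize + addedSize);
-    memcpy(buffer.data() + oldSize, bytes, addedSize);
-
-    return buffer;
+    Vector<char>& imageBuffer = m_image->dataBuffer();
+
+    if (addedSize > 0) {
+        bool success = false;
+        unsigned oldSize = imageBuffer.size();
+        unsigned newSize = oldSize + addedSize;
+
+        // Check for overflow
+        if (newSize > oldSize) {
+            // Use temporary Vector so we can safely detect if the allocation fails
+            //
+            // The code that was here before, just called resize of the imageBuffer. Vector<>::resize
+            // will crash if the resize of a non-empty Vector<> fails.
+            Vector<char> tempBuffer(newSize);
+
+            char* tempBufferBytes = tempBuffer.data();
+            if (tempBufferBytes) {
+                memcpy(tempBufferBytes, imageBuffer.data(), oldSize);
+                memcpy(tempBufferBytes + oldSize, bytes, addedSize);
+                tempBuffer.swap(imageBuffer);
+                success = true;
+            }
+        }
+
+        if (!success)
+            error();
+    }
+
+    return imageBuffer;
 }
 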
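Review bot: The overflow guard `if (newSize > oldSize)` is only sound if `addedSize` is no wider than `unsigned`; bufferData's signature is outside the hunk, and if the parameter is a 64-bit `size_t` the sum `oldSize + addedSize` is truncated on assignment to `unsigned newSize`, the check can pass with a too-small `tempBuffer`, and the second `memcpy` then writes `addedSize` bytes past the end of it. Checking before the addition removes the width dependence: `if (addedSize <= std::numeric_limits<unsigned>::max() - oldSize) { unsigned newSize = oldSize + addedSize;` (with `<limits>` included). Separately, the recovery path assumes `Vector<char> tempBuffer(newSize)` returns with a null `data()` on allocation failure rather than the allocator aborting, which nothing in the hunk establishes; a comment such as `// Relies on Vector's allocator returning null rather than crashing on OOM -- confirm against the Vector implementation` would make that assumption explicit for the next reader. Note also that on failure the function calls `error()` and still returns the unchanged `imageBuffer`, so callers must not assume the returned buffer contains the new bytes.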