Changeset 25293 in webkit

Timestamp:

Aug 29, 2007 10:29:56 AM (17 years ago)

Author:

bdash

Message:

2007-08-29 Peter Kasting <​zerodpx@gmail.com>

Reviewed by Maciej.

• fix ​http://bugs.webkit.org/show_bug.cgi?id=15104 Don't double-compensate for sizeof(unsigned) when making a buffer overflow check in the GIF decoder. Now interlaced GIFs don't sometimes get nothing/garbage in some of the bottom rows.

• platform/image-decoders/gif/GIFImageDecoder.cpp: (WebCore::GIFImageDecoder::haveDecodedRow):

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• platform/image-decoders/gif/GIFImageDecoder.cpp (modified) (1 diff)

trunk/WebCore/ChangeLog

@@ +1 @@
+2007-08-29  Peter Kasting  <zerodpx@gmail.com>
+
+        Reviewed by Maciej.
+
+        - fix http://bugs.webkit.org/show_bug.cgi?id=15104
+        Don't double-compensate for sizeof(unsigned) when making a buffer
+        overflow check in the GIF decoder.  Now interlaced GIFs don't
+        sometimes get nothing/garbage in some of the bottom rows.
+
+        * platform/image-decoders/gif/GIFImageDecoder.cpp:
+        (WebCore::GIFImageDecoder::haveDecodedRow):
+
 2007-08-28  Sam Weinig  <sam@webkit.org>
 

trunk/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp

@@ -346 +346 @@
     if (repeatCount > 1) {
         // Copy the row |repeatCount|-1 times.
-        unsigned size = (currDst - dst) * sizeof(unsigned);
+        unsigned num = currDst - dst;
+        unsigned size = num * sizeof(unsigned);
         unsigned width = m_size.width();
         unsigned* end = buffer.bytes().data() + width * m_size.height();
         currDst = dst + width;
         for (unsigned i = 1; i < repeatCount; i++) {
-            if (currDst + size > end) // Protect against a buffer overrun from a bogus repeatCount.
+            if (currDst + num > end) // Protect against a buffer overrun from a bogus repeatCount.
                 break;
             memcpy(currDst, dst, size);