Changeset 71277 in webkit

Timestamp:

Nov 3, 2010 3:58:30 PM (13 years ago)

Author:

abarth@webkit.org

Message:

2010-11-03 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

CG use of WebKit image decoders crashes on some animated GIFs
​https://bugs.webkit.org/show_bug.cgi?id=48955

It turns out CFDataGetMutableBytePtr isn't safe call on a null pointer.

Test: fast/images/dont-crash-with-null-gif-frames.html

• platform/image-decoders/cg/ImageDecoderCG.cpp: (WebCore::RGBA32Buffer::copyReferenceToBitmapData): (WebCore::RGBA32Buffer::copyBitmapData):

2010-11-03 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

CG use of WebKit image decoders crashes on some animated GIFs
​https://bugs.webkit.org/show_bug.cgi?id=48955

Test image from Wikipedia that was crashing.

• fast/images/dont-crash-with-null-gif-frames-expected.txt: Added.
• fast/images/dont-crash-with-null-gif-frames.html: Added.
• fast/images/resources/quicksort.gif: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/images/dont-crash-with-null-gif-frames-expected.txt (added)
• LayoutTests/fast/images/dont-crash-with-null-gif-frames.html (added)
• LayoutTests/fast/images/resources/quicksort.gif (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/platform/image-decoders/cg/ImageDecoderCG.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-11-03  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        CG use of WebKit image decoders crashes on some animated GIFs
+        https://bugs.webkit.org/show_bug.cgi?id=48955
+
+        Test image from Wikipedia that was crashing.
+
+        * fast/images/dont-crash-with-null-gif-frames-expected.txt: Added.
+        * fast/images/dont-crash-with-null-gif-frames.html: Added.
+        * fast/images/resources/quicksort.gif: Added.
+
 2010-11-03  Csaba Osztrogonác  <ossy@webkit.org>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-11-03  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        CG use of WebKit image decoders crashes on some animated GIFs
+        https://bugs.webkit.org/show_bug.cgi?id=48955
+
+        It turns out CFDataGetMutableBytePtr isn't safe call on a null pointer.
+
+        Test: fast/images/dont-crash-with-null-gif-frames.html
+
+        * platform/image-decoders/cg/ImageDecoderCG.cpp:
+        (WebCore::RGBA32Buffer::copyReferenceToBitmapData):
+        (WebCore::RGBA32Buffer::copyBitmapData):
+
 2010-11-03  Adrienne Walker  <enne@google.com>
 

trunk/WebCore/platform/image-decoders/cg/ImageDecoderCG.cpp

@@ -32 +32 @@
 namespace WebCore {
 
+static RGBA32Buffer::PixelData* getPtrAsPixelData(CFMutableDataRef data)
+{
+    return data ? reinterpret_cast<RGBA32Buffer::PixelData*>(CFDataGetMutableBytePtr(data)) : 0;
+}
+   
 void RGBA32Buffer::copyReferenceToBitmapData(const RGBA32Buffer& other)
 {
     ASSERT(this != &other);
     m_backingStore = other.m_backingStore;
-    m_bytes = reinterpret_cast<PixelData*>(CFDataGetMutableBytePtr(m_backingStore.get()));
+    m_bytes = getPtrAsPixelData(m_backingStore.get());
     // FIXME: The rest of this function seems redundant with RGBA32Buffer::copyBitmapData.
     m_size = other.m_size;
@@ -48 +53 @@
 
     m_backingStore.adoptCF(CFDataCreateMutableCopy(kCFAllocatorDefault, 0, other.m_backingStore.get()));
-    m_bytes = reinterpret_cast<PixelData*>(CFDataGetMutableBytePtr(m_backingStore.get()));
+    m_bytes = getPtrAsPixelData(m_backingStore.get());
     m_size = other.m_size;
     setHasAlpha(other.m_hasAlpha);