[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
Wed Dec 22 13:49:42 UTC 2010
commit 10802e2898e09d157d7f8f25a3098d4306b2a28f
Author: pkasting at chromium.org <pkasting at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Sep 27 23:44:36 2010 +0000
WebCore: ImageDecoderSkia.cpp needs to check for allocator failure when copying
bitmaps.
https://bugs.webkit.org/show_bug.cgi?id=46437
Reviewed by James Robinson.
* manual-tests/large-size-image-crash.html: Added.
* manual-tests/resources/large-size-image-crash.gif: Added.
* platform/image-decoders/ImageDecoder.cpp:
(WebCore::RGBA32Buffer::copyBitmapData):
* platform/image-decoders/ImageDecoder.h:
* platform/image-decoders/gif/GIFImageDecoder.cpp:
(WebCore::GIFImageDecoder::initFrameBuffer):
* platform/image-decoders/qt/RGBA32BufferQt.cpp:
(WebCore::RGBA32Buffer::copyBitmapData):
* platform/image-decoders/skia/ImageDecoderSkia.cpp:
(WebCore::RGBA32Buffer::copyBitmapData):
LayoutTests: This resource should have been in r62399; without it the test no-ops.
https://bugs.webkit.org/show_bug.cgi?id=41487
Reviewed by James Robinson.
* fast/images/resources/large-size-image-crash.jpeg: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@68446 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 4da2ac9..06996b8 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,12 @@
+2010-09-27 Peter Kasting <pkasting at google.com>
+
+ Reviewed by James Robinson.
+
+ This resource should have been in r62399; without it the test no-ops.
+ https://bugs.webkit.org/show_bug.cgi?id=41487
+
+ * fast/images/resources/large-size-image-crash.jpeg: Added.
+
2010-09-27 James Robinson <jamesr at chromium.org>
Reviewed by Simon Fraser.
diff --git a/LayoutTests/fast/images/resources/large-size-image-crash.jpeg b/LayoutTests/fast/images/resources/large-size-image-crash.jpeg
new file mode 100644
index 0000000..9e97147
Binary files /dev/null and b/LayoutTests/fast/images/resources/large-size-image-crash.jpeg differ
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 640a185..e41a6f4 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,23 @@
+2010-09-27 Peter Kasting <pkasting at google.com>
+
+ Reviewed by James Robinson.
+
+ ImageDecoderSkia.cpp needs to check for allocator failure when copying
+ bitmaps.
+ https://bugs.webkit.org/show_bug.cgi?id=46437
+
+ * manual-tests/large-size-image-crash.html: Added.
+ * manual-tests/resources/large-size-image-crash.gif: Added.
+ * platform/image-decoders/ImageDecoder.cpp:
+ (WebCore::RGBA32Buffer::copyBitmapData):
+ * platform/image-decoders/ImageDecoder.h:
+ * platform/image-decoders/gif/GIFImageDecoder.cpp:
+ (WebCore::GIFImageDecoder::initFrameBuffer):
+ * platform/image-decoders/qt/RGBA32BufferQt.cpp:
+ (WebCore::RGBA32Buffer::copyBitmapData):
+ * platform/image-decoders/skia/ImageDecoderSkia.cpp:
+ (WebCore::RGBA32Buffer::copyBitmapData):
+
2010-09-27 James Robinson <jamesr at chromium.org>
Reviewed by Simon Fraser.
diff --git a/WebCore/manual-tests/large-size-image-crash.html b/WebCore/manual-tests/large-size-image-crash.html
new file mode 100644
index 0000000..93cafa2
--- /dev/null
+++ b/WebCore/manual-tests/large-size-image-crash.html
@@ -0,0 +1,6 @@
+<html>
+ <body>
+ Displaying the animated GIF below should not result in memory corruption.
+ <img src="resources/large-size-image-crash.gif">
+ </body>
+</html>
diff --git a/WebCore/manual-tests/resources/large-size-image-crash.gif b/WebCore/manual-tests/resources/large-size-image-crash.gif
new file mode 100644
index 0000000..6da80af
Binary files /dev/null and b/WebCore/manual-tests/resources/large-size-image-crash.gif differ
diff --git a/WebCore/platform/image-decoders/ImageDecoder.cpp b/WebCore/platform/image-decoders/ImageDecoder.cpp
index c1e19d8..5d4e7b1 100644
--- a/WebCore/platform/image-decoders/ImageDecoder.cpp
+++ b/WebCore/platform/image-decoders/ImageDecoder.cpp
@@ -128,14 +128,15 @@ void RGBA32Buffer::zeroFill()
m_hasAlpha = true;
}
-void RGBA32Buffer::copyBitmapData(const RGBA32Buffer& other)
+bool RGBA32Buffer::copyBitmapData(const RGBA32Buffer& other)
{
if (this == &other)
- return;
+ return true;
m_bytes = other.m_bytes;
m_size = other.m_size;
setHasAlpha(other.m_hasAlpha);
+ return true;
}
bool RGBA32Buffer::setSize(int newWidth, int newHeight)
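Review bot: The generic copyBitmapData now returns `true` unconditionally at the end of the body, while the header promises "whether the copy succeeded"; nothing in this implementation can observe a failed copy of `m_bytes`, so a reader has to guess whether the allocation case was simply overlooked. If `m_bytes` is a WTF::Vector (not visible here) its copy-assignment aborts on allocation failure rather than reporting it, in which case the constant return is correct but should say so. Suggest `// Vector assignment cannot report allocation failure, so this copy always succeeds.` above the final `return true;`, so that the Skia implementation remains the only one with a real failure path.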
diff --git a/WebCore/platform/image-decoders/ImageDecoder.h b/WebCore/platform/image-decoders/ImageDecoder.h
index 38160ec..b97d864 100644
--- a/WebCore/platform/image-decoders/ImageDecoder.h
+++ b/WebCore/platform/image-decoders/ImageDecoder.h
@@ -84,8 +84,8 @@ namespace WebCore {
void zeroFill();
// Creates a new copy of the image data in |other|, so the two images
- // can be modified independently.
- void copyBitmapData(const RGBA32Buffer& other);
+ // can be modified independently. Returns whether the copy succeeded.
+ bool copyBitmapData(const RGBA32Buffer& other);
// Copies the pixel data at [(startX, startY), (endX, startY)) to the
// same X-coordinates on each subsequent row up to but not including
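Review bot: The updated comment says the result is whether the copy succeeded, but not what state the destination is in when it fails, and the three implementations differ: the Skia one resets `m_bitmap` before attempting the copy, so a failed call leaves the buffer empty rather than with its previous contents. Callers that check the return value need that guarantee spelled out here, since this is the only declaration they see. Suggest extending the comment: `// can be modified independently. Returns whether the copy succeeded; on` / `// failure the contents of this buffer are unspecified and must not be used.`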
diff --git a/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp b/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp
index 4d2a92d..36a7bd7 100644
--- a/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp
+++ b/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp
@@ -356,7 +356,8 @@ bool GIFImageDecoder::initFrameBuffer(unsigned frameIndex)
if ((prevMethod == RGBA32Buffer::DisposeNotSpecified) || (prevMethod == RGBA32Buffer::DisposeKeep)) {
// Preserve the last frame as the starting state for this frame.
- buffer->copyBitmapData(*prevBuffer);
+ if (!buffer->copyBitmapData(*prevBuffer))
+ return setFailed();
} else {
// We want to clear the previous frame to transparent, without
// affecting pixels in the image outside of the frame.
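Review bot: Both new checks in initFrameBuffer (this hunk and the one at the "Copy the whole previous buffer" branch below) bail out with setFailed() after copyBitmapData has possibly already reset `buffer`, so the frame is left empty rather than in its pre-call state. That is safe only if setFailed() stops this frame from being handed out later, which is not visible in these hunks (initFrameBuffer starts and ends outside them) and deserves a note at the first check: `// On failure |buffer| may already have been cleared; setFailed() must prevent further use of it.` Note also that a caller which assumed the old void contract and kept using the buffer would read an uninitialized Skia bitmap, so no remaining call sites should be left unchecked.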
@@ -369,7 +370,8 @@ bool GIFImageDecoder::initFrameBuffer(unsigned frameIndex)
return setFailed();
} else {
// Copy the whole previous buffer, then clear just its frame.
- buffer->copyBitmapData(*prevBuffer);
+ if (!buffer->copyBitmapData(*prevBuffer))
+ return setFailed();
for (int y = prevRect.y(); y < prevRect.bottom(); ++y) {
for (int x = prevRect.x(); x < prevRect.right(); ++x)
buffer->setRGBA(x, y, 0, 0, 0, 0);
diff --git a/WebCore/platform/image-decoders/qt/RGBA32BufferQt.cpp b/WebCore/platform/image-decoders/qt/RGBA32BufferQt.cpp
index 044515a..a782373 100644
--- a/WebCore/platform/image-decoders/qt/RGBA32BufferQt.cpp
+++ b/WebCore/platform/image-decoders/qt/RGBA32BufferQt.cpp
@@ -75,15 +75,16 @@ void RGBA32Buffer::zeroFill()
m_pixmap.fill(QColor(0, 0, 0, 0));
}
-void RGBA32Buffer::copyBitmapData(const RGBA32Buffer& other)
+bool RGBA32Buffer::copyBitmapData(const RGBA32Buffer& other)
{
if (this == &other)
- return;
+ return true;
m_image = other.m_image;
m_pixmap = other.m_pixmap;
m_size = other.m_size;
m_hasAlpha = other.m_hasAlpha;
+ return true;
}
bool RGBA32Buffer::setSize(int newWidth, int newHeight)
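Review bot: The Qt copyBitmapData returns `true` unconditionally after assigning `m_image` and `m_pixmap`, and the reason this cannot fail is not stated; QImage and QPixmap assignment is implicitly shared and does not allocate pixel storage, so the constant return is presumably right, but the next person who replaces the assignment with a deep copy will not know a real check is expected. Suggest `// QImage/QPixmap assignment is implicitly shared and cannot fail to allocate.` above the final `return true;`, mirroring the explicit failure path that the Skia implementation now has.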
diff --git a/WebCore/platform/image-decoders/skia/ImageDecoderSkia.cpp b/WebCore/platform/image-decoders/skia/ImageDecoderSkia.cpp
index 149937e..3f435e4 100644
--- a/WebCore/platform/image-decoders/skia/ImageDecoderSkia.cpp
+++ b/WebCore/platform/image-decoders/skia/ImageDecoderSkia.cpp
@@ -69,14 +69,14 @@ void RGBA32Buffer::zeroFill()
m_bitmap.eraseARGB(0, 0, 0, 0);
}
-void RGBA32Buffer::copyBitmapData(const RGBA32Buffer& other)
+bool RGBA32Buffer::copyBitmapData(const RGBA32Buffer& other)
{
if (this == &other)
- return;
+ return true;
m_bitmap.reset();
const NativeImageSkia& otherBitmap = other.m_bitmap;
- otherBitmap.copyTo(&m_bitmap, otherBitmap.config());
+ return otherBitmap.copyTo(&m_bitmap, otherBitmap.config());
}
bool RGBA32Buffer::setSize(int newWidth, int newHeight)
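Review bot: When `otherBitmap.copyTo()` fails, `m_bitmap` has already been cleared by the `m_bitmap.reset()` two lines earlier, so the buffer is handed back empty; that is a reasonable outcome for an oversized image but it is not written down anywhere in the function. Suggest a comment on the return line: `// On failure m_bitmap was already reset and stays empty; the caller must treat this buffer as unusable.` Unlike the generic and Qt implementations this one copies neither `m_size` nor `m_hasAlpha`; if those members exist outside the SkBitmap on this platform they remain stale after a successful copy, which is worth confirming against the header.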