[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.22-985-g3c00f00
pkasting at chromium.org
Wed Mar 17 17:56:17 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit e8164a9b969dcac62f746f3214b29ee07b92f55c
Author: pkasting at chromium.org <pkasting at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Feb 22 23:23:47 2010 +0000
Avoid recursion when trying to get the size of a PNG; it's unnecessary
and in the worst case can lead to heap corruption.
https://bugs.webkit.org/show_bug.cgi?id=35167
Reviewed by Eric Seidel.
WebCore:
Test: fast/images/bad-png.html
* platform/image-decoders/png/PNGImageDecoder.cpp:
(WebCore::PNGImageReader::decode):
LayoutTests:
* fast/images/bad-png-expected.txt: Added.
* fast/images/bad-png.html: Added.
* fast/images/resources/bad-png.png: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@55108 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 3ede518..5852648 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-02-19 Peter Kasting <pkasting at google.com>
+
+ Reviewed by Eric Seidel.
+
+ Avoid recursion when trying to get the size of a PNG; it's unnecessary
+ and in the worst case can lead to heap corruption.
+ https://bugs.webkit.org/show_bug.cgi?id=35167
+
+ * fast/images/bad-png-expected.txt: Added.
+ * fast/images/bad-png.html: Added.
+ * fast/images/resources/bad-png.png: Added.
+
2010-02-22 Robert Hogan <robert at roberthogan.net>
Reviewed by Alexey Proskuryakov.
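Review bot: the new entry is dated 2010-02-19 but sits above the 2010-02-22 Robert Hogan entry and the commit itself is dated 2010-02-22, so the ChangeLog is no longer in chronological order; the date line should be updated to the landing date before this lands.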
diff --git a/LayoutTests/fast/forms/menulist-selection-reset-expected.txt b/LayoutTests/fast/images/bad-png-expected.txt
similarity index 100%
copy from LayoutTests/fast/forms/menulist-selection-reset-expected.txt
copy to LayoutTests/fast/images/bad-png-expected.txt
diff --git a/LayoutTests/fast/images/bad-png.html b/LayoutTests/fast/images/bad-png.html
new file mode 100644
index 0000000..a9662ba
--- /dev/null
+++ b/LayoutTests/fast/images/bad-png.html
@@ -0,0 +1,16 @@
+<html>
+ <head>
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ </script>
+
+ </head>
+ <body>
+ <!-- This previously tried to recursively decode the PNG, leading to heap
+ corruption when trying to unwind the stack through a member of a
+ destroyed object. -->
+ <img src="resources/bad-png.png">
+ <p>PASS</p>
+ </body>
+ </html>
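Review bot: the page prints PASS unconditionally, so the only thing the test checks is that loading resources/bad-png.png does not crash the decoder; the HTML comment should state that explicitly (e.g. "This test passes if it does not crash."), which is the convention for crash regression tests and tells a future reader why there is no assertion in the page.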
diff --git a/LayoutTests/fast/images/resources/bad-png.png b/LayoutTests/fast/images/resources/bad-png.png
new file mode 100644
index 0000000..52d907d
Binary files /dev/null and b/LayoutTests/fast/images/resources/bad-png.png differ
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index b29711b..350e039 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2010-02-19 Peter Kasting <pkasting at google.com>
+
+ Reviewed by Eric Seidel.
+
+ Avoid recursion when trying to get the size of a PNG; it's unnecessary
+ and in the worst case can lead to heap corruption.
+ https://bugs.webkit.org/show_bug.cgi?id=35167
+
+ Test: fast/images/bad-png.html
+
+ * platform/image-decoders/png/PNGImageDecoder.cpp:
+ (WebCore::PNGImageReader::decode):
+
2010-02-22 Brady Eidson <beidson at apple.com>
Reviewed by Tim Hatcher.
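Review bot: the entry date 2010-02-19 predates the 2010-02-22 Brady Eidson entry placed below it and the commit date, which breaks the newest-first ordering of the ChangeLog; update the date line to the landing date.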
diff --git a/WebCore/platform/image-decoders/png/PNGImageDecoder.cpp b/WebCore/platform/image-decoders/png/PNGImageDecoder.cpp
index 36f818f..961ff03 100644
--- a/WebCore/platform/image-decoders/png/PNGImageDecoder.cpp
+++ b/WebCore/platform/image-decoders/png/PNGImageDecoder.cpp
@@ -140,7 +140,10 @@ public:
m_readOffset += segmentLength;
m_currentBufferSize = m_readOffset;
png_process_data(m_png, m_info, reinterpret_cast<png_bytep>(const_cast<char*>(segment)), segmentLength);
- if ((sizeOnly && decoder->isSizeAvailable()) || m_hasFinishedDecoding)
+ // We explicitly specify the superclass isSizeAvailable() because we
+ // merely want to check if we've managed to set the size, not
+ // (recursively) trigger additional decoding if we haven't.
+ if ((sizeOnly && decoder->ImageDecoder::isSizeAvailable()) || m_hasFinishedDecoding)
return;
}
if (!m_hasFinishedDecoding && decoder->isAllDataReceived())
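Review bot: the fix at `decoder->ImageDecoder::isSizeAvailable()` depends on the base-class method being a plain flag check that never calls back into `decode()`, which the new comment states but nothing enforces; consider adding a note next to the base-class declaration that overrides may trigger decoding while the base version must not, so a later refactor cannot reintroduce the re-entrancy that corrupted the heap here. The `decoder->isAllDataReceived()` call two lines below is still made through `decoder` unqualified; worth confirming it is also a plain accessor so the same recursion cannot occur through that path.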