[webkit-reviews] review granted: [Bug 48634] fast/images/size-failure.html results in malloc of 2 Gb after switching to WebKit image decoders : [Attachment 73810] Patch

bugzilla-daemon at webkit.org
Fri Nov 12 23:14:00 PST 2010


Adam Barth <abarth at webkit.org> has granted Mihai Parparita
<mihaip at chromium.org>'s request for review:
Bug 48634: fast/images/size-failure.html results in malloc of 2 Gb after
switching to WebKit image decoders
https://bugs.webkit.org/show_bug.cgi?id=48634

Attachment 73810: Patch
https://bugs.webkit.org/attachment.cgi?id=73810&action=review

------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=73810&action=review

> WebCore/platform/image-decoders/cg/ImageDecoderCG.cpp:63
> +    int backingStoreSize = newWidth * newHeight * sizeof(PixelData);
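Review bot: `int` is the wrong type for a byte count on line 63, and the expression overflows before any check could catch it: `newWidth * newHeight` is evaluated as `int` (signed overflow, undefined behaviour) before `sizeof(PixelData)` widens it to `size_t`, and the `size_t` result is then truncated back into `int` on assignment, so a large image can produce a negative or tiny `backingStoreSize`. Declare it `size_t`, reject non-positive `newWidth`/`newHeight`, and verify that `newWidth <= SIZE_MAX / newHeight / sizeof(PixelData)` (or use checked arithmetic) before the value reaches the allocator.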

Is "int" the right type here?  I would have expected size_t.  Do we need to
check for overflow?

> WebCore/platform/image-decoders/cg/ImageDecoderCG.cpp:67
> +    if (!backingStoreRef)
> +	   return false;
> +    m_backingStore.adoptCF(backingStoreRef);
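Review bot: returning `false` when `backingStoreRef` is null is right, but the hunk has no guard against `setSize` being entered with a store already adopted: `m_backingStore.adoptCF(backingStoreRef)` would silently release the previous buffer and any pixels decoded into it. Add `ASSERT(!m_backingStore)` at the top of the function so the "called exactly once" assumption is recorded, and make sure the caller treats `false` as a decode failure rather than retrying `setSize`.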

Are these the right failure semantics?  I guess setSize is called exactly once.
Maybe we should ASSERT something about the state of m_backingStore at the top
of the function (e.g., that it's NULL).
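Worked example added here by the editor, not code from the WebKit patch or from the reviewer, showing the two points raised above: the unchecked `int` product wrapping, a `size_t` computation that rejects overflow and bad dimensions, and a `setSize()` that asserts the store is still empty and reports failure instead of allocating. `PixelData`, `computeBackingStoreSize`, `ImageBackingStore` and the small wrapper functions are hypothetical names; the real decoder backs its store with a `CFMutableDataRef`, which is replaced here by `calloc` so the example compiles stand-alone.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <limits>

// Hypothetical stand-in for the decoder's 32-bit-per-pixel PixelData type.
typedef uint32_t PixelData;

// Compute width * height * sizeof(PixelData) in size_t, failing instead of
// wrapping. Non-positive dimensions are rejected so a negative int can never
// turn into a huge unsigned value, and a zero-byte store is never requested.
bool computeBackingStoreSize(int width, int height, size_t* outSize)
{
    if (width <= 0 || height <= 0)
        return false;
    const size_t w = static_cast<size_t>(width);
    const size_t h = static_cast<size_t>(height);
    const size_t maxSize = std::numeric_limits<size_t>::max();
    if (w > maxSize / h)                       // w * h would overflow size_t
        return false;
    const size_t pixels = w * h;
    if (pixels > maxSize / sizeof(PixelData)) // pixels * 4 would overflow
        return false;
    *outSize = pixels * sizeof(PixelData);
    return true;
}

// What "int backingStoreSize = newWidth * newHeight * sizeof(PixelData)"
// yields once the product no longer fits in 32 bits. The arithmetic is done
// in unsigned here so the wrap-around is well defined; in the patch the
// int * int product is signed overflow (undefined behaviour) and the size_t
// result is then truncated back into an int.
int32_t uncheckedIntSize(int width, int height)
{
    const uint32_t product = static_cast<uint32_t>(width)
                           * static_cast<uint32_t>(height)
                           * static_cast<uint32_t>(sizeof(PixelData));
    return static_cast<int32_t>(product);
}

// Hypothetical owner of the backing store, modelled on the quoted setSize():
// overflow and allocation failure both report false, and the assertion
// records the "called exactly once" expectation.
class ImageBackingStore {
public:
    ImageBackingStore() : m_backingStore(0), m_size(0) {}
    ~ImageBackingStore() { std::free(m_backingStore); }

    bool setSize(int width, int height)
    {
        assert(!m_backingStore); // setSize() must not be called twice
        size_t bytes = 0;
        if (!computeBackingStoreSize(width, height, &bytes))
            return false;
        void* p = std::calloc(bytes, 1);
        if (!p)
            return false;
        m_backingStore = static_cast<PixelData*>(p);
        m_size = bytes;
        return true;
    }
    size_t size() const { return m_size; }

private:
    PixelData* m_backingStore;
    size_t m_size;
};

// Single-expression wrappers so each case can be checked without temporaries.
bool sizeIs(int width, int height, size_t expected)
{
    size_t bytes = 0;
    return computeBackingStoreSize(width, height, &bytes) && bytes == expected;
}
bool sizeRejected(int width, int height)
{
    size_t bytes = 0;
    return !computeBackingStoreSize(width, height, &bytes);
}
bool setSizeGives(int width, int height, size_t expected)
{
    ImageBackingStore store;
    return store.setSize(width, height) && store.size() == expected;
}

int main()
{
    // 32768 x 16384 pixels is exactly 2^31 bytes: negative in int arithmetic.
    std::printf("int:    %d\n", uncheckedIntSize(32768, 16384));
    std::printf("size_t: %s\n", sizeIs(32768, 16384, 2147483648ULL) ? "2147483648" : "rejected (32-bit size_t)");
    std::printf("setSize(-1, 10): %s\n", sizeRejected(-1, 10) ? "rejected" : "accepted");
    return 0;
}
```

With `int` arithmetic 32768 x 16384 reads as INT_MIN and 32768 x 32768 wraps to 0, so the allocator is handed either a negative-turned-huge or a zero size. On a 64-bit build the `size_t` path accepts 32768 x 16384 and returns 2 GiB; the division-based overflow checks are what reject the same product on a 32-bit build, where it no longer fits, which is why the check belongs next to the type change rather than being left to the allocator.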
