[Webkit-unassigned] [Bug 15104] New: GIFImageDecoder.cpp buffer overrun prevention bug
bugzilla-daemon at webkit.org
Tue Aug 28 14:49:00 PDT 2007
http://bugs.webkit.org/show_bug.cgi?id=15104
Summary: GIFImageDecoder.cpp buffer overrun prevention bug
Product: WebKit
Version: 522+ (nightly)
Platform: PC
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Images
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: zerodpx at gmail.com
GIFImageDecoder.cpp (not used by Safari, but used by Cairo/QT) has a bug in some buffer overflow prevention code that results in the frame buffer never being written for rows near the bottom of some interlaced GIFs (resulting in either nothing or garbage showing up for those rows).

Specifically, the repeated rows code in haveDecodedRow() double-compensates for sizeof(unsigned) in its buffer overrun check, by adding a pre-multiplied scalar to a pointer (which causes the compiler to multiply it again).

Patch coming shortly.
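The double-scaling described above, as an added example in C; this is a constructed model of the check, not code from the report or from WebKit's GIFImageDecoder.cpp. It assumes a frame buffer of `unsigned` pixels (WIDTH, HEIGHT, BUF_WORDS, `row_fits_buggy`, `row_fits_fixed` and `rows_written` are all invented names), and shows why a byte offset added to a typed pointer makes the guard reject rows that actually fit, so the lower rows are never written:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Constructed model of the overrun check the report describes (not WebKit's
 * code). A frame buffer of unsigned pixels, WIDTH pixels per row, HEIGHT rows;
 * every row write is guarded by a bounds check before the memset.
 */
#define WIDTH     16
#define HEIGHT    8
#define BUF_WORDS (WIDTH * HEIGHT)

/* Buggy form: the row offset is pre-multiplied by sizeof(unsigned), giving a
 * byte count, and then added to an unsigned*, so pointer arithmetic scales it
 * by sizeof(unsigned) a second time. Expressed as element indices, the byte
 * count is treated as a word count, i.e. sizeof(unsigned) times too far. */
static bool row_fits_buggy(size_t buf_words, size_t row)
{
    size_t offset_bytes = row * WIDTH * sizeof(unsigned); /* already bytes */
    size_t row_end_index = offset_bytes + WIDTH;            /* buf + bytes: rescaled */
    return row_end_index <= buf_words;
}

/* Fixed form: keep the offset in elements and let the pointer type do the
 * scaling exactly once. */
static bool row_fits_fixed(size_t buf_words, size_t row)
{
    size_t row_end_index = row * WIDTH + WIDTH;
    return row_end_index <= buf_words;
}

/* Simulate decoding every row of one frame: a row is written only if its
 * check passes. Returns how many rows actually reached the frame buffer. */
size_t rows_written(bool use_fixed_check)
{
    unsigned framebuf[BUF_WORDS];
    memset(framebuf, 0, sizeof framebuf);
    size_t written = 0;
    for (size_t row = 0; row < HEIGHT; row++) {
        bool ok = use_fixed_check ? row_fits_fixed(BUF_WORDS, row)
                                  : row_fits_buggy(BUF_WORDS, row);
        if (!ok)
            continue; /* guard rejects the row: it stays blank or stale */
        memset(framebuf + row * WIDTH, 0xFF, WIDTH * sizeof(unsigned));
        written++;
    }
    return written;
}
```

With a 4-byte `unsigned`, the buggy guard lets only rows 0 and 1 through (row 2 computes an end index of 144 words against a 128-word buffer), while the fixed guard writes all 8 rows; neither variant writes out of bounds, which is why the symptom is missing rows rather than a crash. When a computation must stay in bytes, cast to `char *` before adding, or divide the byte count by `sizeof(*ptr)` first, rather than mixing the two units in one expression.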