[Webkit-unassigned] [Bug 15778] Public GIF image decoder can corrupt memory on malformed GIFs

bugzilla-daemon at webkit.org
Wed Oct 31 14:24:23 PDT 2007


zerodpx at gmail.com changed:

           What             |Removed                     |Added
  Attachment #16968 Flag    |                            |review?

------- Comment #1 from zerodpx at gmail.com  2007-10-31 14:24 PDT -------
Created an attachment (id=16968)
 --> (http://bugs.webkit.org/attachment.cgi?id=16968&action=view)
patch v1

This patch does a couple of things:
* Explicitly ignores rows past the end of the image in
GIFImageDecoder::haveDecodedRow().  This is similar to the behavior of the
Mozilla image decoder sources, which allow a frame decoder to provide whatever
data it wants, and then simply ignore the excess data when compositing/drawing
the image.
* Removes some broken code in GIFImageReader::output_row() that looks like it
was trying to prevent this case, but didn't really succeed.  This code isn't
present in the Mozilla GIF decoder this file is based on, doesn't work right,
and is significantly more complex than the simple added conditional described
* Fixes some code in GIFImageDecoder::read() that would be hit in this case to
set local variables more correctly.  This doesn't make much difference, but
it's much closer to the original Mozilla code -- it looks like when the file
was ported to WebKit, someone originally misplaced a close brace in here, so
e.g. screen_height would only get reset if screen_width also needed to be

The current Mozilla sources avoid the "rowbuf" struct entirely, but updating to
that change is both a large patch and not really related to this bug.
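
As an added illustration of the row-bounds issue this comment describes (example code written for this page, not WebKit's GIFImageDecoder or the attached patch; the Frame and DecodeResult types, run_decode, the one-byte-per-pixel layout and the canary trick are assumptions of the example): the unchecked sink writes wherever the row index from the LZW stage points, while the checked sink drops rows past the declared image height, the same check the patch adds in haveDecodedRow(). The malformed input is constructed inline: a frame that declares 2 rows but whose stream emits 5.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a GIF frame buffer: one byte per pixel
 * (a palette index), width * height bytes, rows stored top to bottom.
 * The names below are assumptions for this example, not WebKit's types. */
typedef struct {
    unsigned width;
    unsigned height;   /* height declared by the image descriptor */
    uint8_t *pixels;   /* width * height bytes */
} Frame;

typedef struct {
    size_t clobbered;  /* bytes of adjacent memory overwritten by excess rows */
    size_t dropped;    /* rows the hardened sink refused to store */
} DecodeResult;

/* Row sink that trusts the row index handed to it by the LZW stage.
 * Nothing stops a malformed stream from producing more rows than the
 * image descriptor declared, so row * width can land past the buffer. */
static void have_decoded_row_unchecked(Frame *f, unsigned row, const uint8_t *rowdata)
{
    memcpy(f->pixels + (size_t)row * f->width, rowdata, f->width);
}

/* Hardened row sink: explicitly ignore rows past the end of the image,
 * which is the conditional the patch adds. Returns 1 if stored, 0 if dropped. */
static int have_decoded_row_checked(Frame *f, unsigned row, const uint8_t *rowdata)
{
    if (row >= f->height)
        return 0;
    memcpy(f->pixels + (size_t)row * f->width, rowdata, f->width);
    return 1;
}

#define CANARY 0xA5

/* Simulate decoding a constructed, malformed frame: the descriptor says
 * declared_height rows, but the LZW stage emits emitted_rows rows.
 * To keep the demonstration well-defined, the pixel buffer is carved out
 * of one larger allocation whose tail is filled with CANARY; any excess
 * row written by the unchecked sink lands in that tail, standing in for
 * whatever would follow the real frame buffer on the heap. */
static DecodeResult run_decode(unsigned width, unsigned declared_height,
                               unsigned emitted_rows, int use_checked_sink)
{
    size_t pixel_bytes  = (size_t)width * declared_height;
    size_t canary_bytes = (size_t)width * emitted_rows; /* room for every excess row */
    uint8_t *block   = malloc(pixel_bytes + canary_bytes);
    uint8_t *rowdata = malloc(width);
    if (!block || !rowdata)
        abort();
    memset(block, 0, pixel_bytes);
    memset(block + pixel_bytes, CANARY, canary_bytes);

    Frame f = { width, declared_height, block };
    DecodeResult r = { 0, 0 };
    for (unsigned row = 0; row < emitted_rows; row++) {
        memset(rowdata, (uint8_t)(row + 1), width);   /* constructed row content */
        if (use_checked_sink) {
            if (!have_decoded_row_checked(&f, row, rowdata))
                r.dropped++;
        } else {
            have_decoded_row_unchecked(&f, row, rowdata);
        }
    }
    for (size_t i = 0; i < canary_bytes; i++)
        if (block[pixel_bytes + i] != CANARY)
            r.clobbered++;

    free(rowdata);
    free(block);
    return r;
}

int main(void)
{
    /* Constructed malformed frame: 4 pixels wide, declares 2 rows, emits 5. */
    DecodeResult bad  = run_decode(4, 2, 5, 0);
    DecodeResult good = run_decode(4, 2, 5, 1);
    printf("unchecked sink: %zu bytes past the frame overwritten, %zu rows dropped\n",
           bad.clobbered, bad.dropped);
    printf("checked sink:   %zu bytes past the frame overwritten, %zu rows dropped\n",
           good.clobbered, good.dropped);
    return 0;
}
```

Build with any C99 compiler. The canary tail exists only so the overwrite is observable without undefined behaviour; on a real heap the three excess rows would land in whatever happens to neighbour the frame buffer, which is why the fix has to reject the row at the sink rather than rely on the LZW stage being well-behaved.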
