[Webkit-unassigned] [Bug 20774] New: Crash in PNGImageDecoder::rowAvailable if bytes.resize() fails
bugzilla-daemon at webkit.org
Wed Sep 10 15:54:47 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=20774
Summary: Crash in PNGImageDecoder::rowAvailable if bytes.resize() fails
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: amohr at adobe.com
In PNGImageDecoder.cpp, PNGImageDecoder::rowAvailable attempts to resize the
buffer to the size of the image. The issue is that if there's not enough
memory, bytes.resize() will fail and the buffer will not be valid. This will
later cause an access violation when attempting to access memory which has not
been allocated.
Suggested fix after bytes.resize():

    if (!bytes.data()) {
        bytes.resize(0);
        return;
    }
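The failure mode the report describes, as an added example that is not part of the bug report or of WebKit's code: a hypothetical ByteBuffer whose resize() can leave the backing store unallocated stands in for the decoder's buffer, and a simplified rowAvailable() applies the suggested check before writing any row data.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Hypothetical stand-in for the decoder's byte buffer (not WTF::Vector).
// resize() models an allocation failure by leaving data() null while the
// requested size is recorded, which is the inconsistent state the report
// warns about. failAbove is a constructed ceiling used to simulate OOM.
struct ByteBuffer {
    uint8_t* storage = nullptr;
    size_t length = 0;
    size_t failAbove;

    explicit ByteBuffer(size_t ceiling) : failAbove(ceiling) {}
    ~ByteBuffer() { std::free(storage); }

    void resize(size_t n) {
        std::free(storage);
        storage = nullptr;
        length = n;
        if (n == 0)
            return;
        if (n > failAbove)
            return;  // simulated allocation failure: data() stays null
        storage = static_cast<uint8_t*>(std::calloc(n, 1));
        if (!storage)
            length = 0;
    }
    uint8_t* data() { return storage; }
    size_t size() const { return length; }
};

// Simplified row callback with the suggested fix applied: after growing the
// buffer to the full image size, bail out (resetting the buffer to a
// consistent empty state) when the backing store was not allocated, so no
// later row write touches unallocated memory.
// Returns true when the row was stored, false when decoding was abandoned.
bool rowAvailable(ByteBuffer& bytes, size_t width, size_t height,
                  const uint8_t* row, size_t rowIndex) {
    if (!bytes.data()) {
        bytes.resize(width * height);
        if (!bytes.data()) {
            bytes.resize(0);  // do not leave a stale size with no storage
            return false;
        }
    }
    if (rowIndex >= height)
        return false;
    std::memcpy(bytes.data() + rowIndex * width, row, width);
    return true;
}
```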