[Webkit-unassigned] [Bug 26527] New: XBM decoder fails if it gets a packet boundary whilst parsing the width / height

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=26527

           Summary: XBM decoder fails if it gets a packet boundary whilst
                    parsing the width / height
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Images
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: scarybeasts at gmail.com


Let's say we have an XBM file that starts like this:

#define dolphin_width 64
#define dolphin_height 64
static char dolphin_bits[] = {... blah

And the first 49 bytes of this file arrive in a packet, to be processed by the
XBM parser. The first 49 bytes would be:

#define dolphin_width 64
#define dolphin_height 6

Looking at how the XBM decoder parses the header, we see:

        if (sscanf(&input[m_decodeOffset], "#define %*s %i #define %*s %i%n",
                   &width, &height, &count) != 2)
            return false;

In the case of the above 49 bytes, the sscanf() will be successful, leaving
width==64, height==6 (should be 64) and therefore a corrupt image results.

The fix, which I will attach shortly, is to defer setting the width and the
height if the sscanf() consumed the last byte of input.


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.