[Webkit-unassigned] [Bug 48634] fast/images/size-failure.html results in malloc of 2 Gb after switching to WebKit image decoders
bugzilla-daemon at webkit.org
Sat Nov 13 12:00:55 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=48634
--- Comment #20 from Peter Kasting <pkasting at google.com> 2010-11-13 12:00:55 PST ---
(In reply to comment #19)
> (From update of attachment 73810 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=73810&action=review
>
> > WebCore/platform/image-decoders/cg/ImageDecoderCG.cpp:63
> > + int backingStoreSize = newWidth * newHeight * sizeof(PixelData);
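Review bot: if `newWidth` and `newHeight` are `int`, then in `int backingStoreSize = newWidth * newHeight * sizeof(PixelData);` the product `newWidth * newHeight` is evaluated in `int` before `sizeof` widens the expression, so it can overflow before the `size_t` multiplication ever happens, and the result is then narrowed back into `int` on assignment. Changing only the declared type does not fix that; widen the first operand, e.g. `size_t backingStoreSize = static_cast<size_t>(newWidth) * newHeight * sizeof(PixelData);`, and either keep relying on the `isOverSize()` guard discussed in this thread or add an explicit overflow check here.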
>
> Is "int" the right type here? I would have expected size_t. Do we need to check for overflow?
Adam is correct that this should be a size_t. As for checking for overflow, I forget off the top of my head whether it's possible to get arbitrary dimensions here without tripping the master isOverSize() check.
> > WebCore/platform/image-decoders/cg/ImageDecoderCG.cpp:67
> > + if (!backingStoreRef)
> > + return false;
> > + m_backingStore.adoptCF(backingStoreRef);
>
> Are these the right failure semantics? I guess setSize is called exactly once. Maybe we should ASSERT something about the state of m_backingStore at the top of the function (e.g., that it's NULL).
These are the right failure semantics. ASSERT()ing would be fine to add or leave off as desired -- the other platforms don't bother to ASSERT this and we have sufficient checks to prevent it in the callers.
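To make the two review points concrete, here is an added example (not WebKit's code, and not from anyone in this thread) contrasting the patch line's int-first arithmetic with a checked size_t computation, plus a minimal setSize() with the once-only, return-false semantics discussed above. PixelData, naiveBackingStoreSize, checkedBackingStoreSize and BackingStore are constructed stand-ins.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <new>
#include <vector>
typedef uint32_t PixelData; // constructed stand-in for WebKit's 4-byte pixel

// Shape of the patch line: width*height is formed before sizeof() is applied.
// Signed overflow is undefined in C++, so unsigned arithmetic is used to show
// the typical wrap-around: 65536 x 65536 pixels becomes 0 bytes.
unsigned naiveBackingStoreSize(int newWidth, int newHeight)
{
    unsigned pixels = static_cast<unsigned>(newWidth) * static_cast<unsigned>(newHeight);
    return pixels * static_cast<unsigned>(sizeof(PixelData));
}

// Checked version: reject non-positive dimensions, widen to size_t before
// multiplying, and test both multiplications against the size_t maximum.
bool checkedBackingStoreSize(int newWidth, int newHeight, size_t& outBytes)
{
    if (newWidth <= 0 || newHeight <= 0)
        return false;
    const size_t w = static_cast<size_t>(newWidth), h = static_cast<size_t>(newHeight);
    if (w > std::numeric_limits<size_t>::max() / h)
        return false;
    const size_t pixels = w * h;
    if (pixels > std::numeric_limits<size_t>::max() / sizeof(PixelData))
        return false;
    outBytes = pixels * sizeof(PixelData);
    return true;
}

// Failure semantics from the thread: setSize() runs once; a bad size or a
// failed allocation returns false rather than leaving a wrapped-size buffer.
class BackingStore {
public:
    bool setSize(int newWidth, int newHeight)
    {
        size_t bytes = 0;
        if (!m_pixels.empty() || !checkedBackingStoreSize(newWidth, newHeight, bytes))
            return false;
        try {
            m_pixels.resize(bytes / sizeof(PixelData));
        } catch (const std::bad_alloc&) {
            return false;
        }
        return true;
    }
    size_t byteSize() const { return m_pixels.size() * sizeof(PixelData); }
private:
    std::vector<PixelData> m_pixels;
};
```

Note that with 32-bit int dimensions and a 64-bit size_t the product can no longer overflow once widened, so on such builds the checks only reject non-positive sizes; they still matter on 32-bit targets.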