[Webkit-unassigned] [Bug 48634] fast/images/size-failure.html results in malloc of 2 Gb after switching to WebKit image decoders

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Nov 14 15:30:06 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=48634





--- Comment #22 from Mihai Parparita <mihaip at chromium.org>  2010-11-14 15:30:06 PST ---
(In reply to comment #20)
> > Is "int" the right type here?  I would have expected size_t.  Do we need to check for overflow?
> 
> Adam is correct that this should be a size_t.  As for checking for overflow, I forget off the top of my head whether it's possible to get arbitrary dimensions here without tripping the master isOverSize() check.

Changed to size_t; I'm quite sure we only get here if we pass the isOverSize check.

> > > WebCore/platform/image-decoders/cg/ImageDecoderCG.cpp:67
> > > +    if (!backingStoreRef)
> > > +        return false;
> > > +    m_backingStore.adoptCF(backingStoreRef);
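Review bot: add the ASSERT that m_backingStore is still null at the top of this function, as suggested in the thread, so a second setSize() call cannot silently replace a live backing store. The early `return false` when backingStoreRef is null leaves m_backingStore untouched and nothing leaks, because `m_backingStore.adoptCF(backingStoreRef)` only takes ownership on the success path, so the failure semantics of the visible lines are sound.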
> > 
> > Are these the right failure semantics?  I guess setSize is called exactly once.  Maybe we should ASSERT something about the state of m_backingStore at the top of the function (e.g., that it's NULL).
> 
> These are the right failure semantics.  ASSERT()ing would be fine to add or leave off as desired -- the other platforms don't bother to ASSERT this and we have sufficient checks to prevent it in the callers.

Added the ASSERT, just to be safe.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
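The two review points in this comment (computing the backing-store size in size_t rather than int, and returning false with state unchanged when allocation fails) are shown below in an added example. This is not WebKit code: FrameBuffer, bytesForSize, isOverSize, setSize and the 256 MiB cap are constructed for illustration, standing in for the decoder's ImageFrame, its oversize check and its ImageDecoderCG::setSize.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <new>
#include <vector>

// Added example, not WebKit code: a minimal frame buffer whose setSize()
// follows the failure semantics discussed in the bug. The byte count is
// computed in size_t with explicit overflow checks, absurd sizes are refused
// up front, and a failed allocation returns false leaving the buffer untouched.
class FrameBuffer {
public:
    static constexpr size_t kBytesPerPixel = 4;                    // RGBA
    // Constructed cap; real decoders carry their own oversize threshold.
    static constexpr size_t kMaxBytes = size_t(256) * 1024 * 1024; // 256 MiB

    // Computes width * height * kBytesPerPixel in size_t.
    // Returns false (and leaves *outBytes untouched) if the product overflows,
    // which is exactly the case an int-typed computation would get wrong.
    static bool bytesForSize(unsigned width, unsigned height, size_t* outBytes)
    {
        const size_t maxValue = std::numeric_limits<size_t>::max();
        const size_t w = width;
        const size_t h = height;
        if (h && w > maxValue / h)
            return false;                       // w * h would overflow
        const size_t pixels = w * h;
        if (pixels > maxValue / kBytesPerPixel)
            return false;                       // pixels * 4 would overflow
        *outBytes = pixels * kBytesPerPixel;
        return true;
    }

    // The "master" oversize check: true when the image must not be decoded,
    // either because the size overflows or because it exceeds the cap.
    static bool isOverSize(unsigned width, unsigned height)
    {
        size_t bytes = 0;
        return !bytesForSize(width, height, &bytes) || bytes > kMaxBytes;
    }

    // Called exactly once per frame. Returns false on failure and guarantees
    // that m_backingStore and the dimensions are unchanged in that case.
    bool setSize(unsigned width, unsigned height)
    {
        assert(m_backingStore.empty());         // the ASSERT added in the bug
        if (isOverSize(width, height))
            return false;
        size_t bytes = 0;
        const bool ok = bytesForSize(width, height, &bytes);
        assert(ok);                             // cannot fail after isOverSize
        (void)ok;
        try {
            m_backingStore.assign(bytes, 0);    // zero-filled like a fresh bitmap
        } catch (const std::bad_alloc&) {
            return false;                       // allocation failed, state unchanged
        }
        m_width = width;
        m_height = height;
        return true;
    }

    size_t byteLength() const { return m_backingStore.size(); }
    bool hasBackingStore() const { return !m_backingStore.empty(); }
    unsigned width() const { return m_width; }
    unsigned height() const { return m_height; }

private:
    std::vector<uint8_t> m_backingStore;
    unsigned m_width = 0;
    unsigned m_height = 0;
};
```

The overflow test uses division against the size_t maximum rather than multiplying and comparing, so it is correct on both 32-bit and 64-bit builds; on a 32-bit size_t the 65536 x 65536 case fails the overflow check, on 64-bit it fails the cap, and either way setSize() returns false without allocating.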