[Webkit-unassigned] [Bug 48634] fast/images/size-failure.html results in malloc of 2 Gb after switching to WebKit image decoders

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 16 09:55:33 PST 2010


--- Comment #27 from Darin Adler <darin at apple.com>  2010-11-16 09:55:32 PST ---
(From update of attachment 73859)
View in context: https://bugs.webkit.org/attachment.cgi?id=73859&action=review

> WebCore/platform/image-decoders/cg/ImageDecoderCG.cpp:64
> +    size_t backingStoreSize = newWidth * newHeight * sizeof(PixelData);
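Review bot: the product on line 64 can wrap silently, since newWidth, newHeight and sizeof(PixelData) are all unsigned, leaving backingStoreSize far smaller than the frame it is meant to hold. Before computing it, reject the frame when `newHeight && newWidth > std::numeric_limits<size_t>::max() / sizeof(PixelData) / newHeight`, and have the caller treat that as a decode failure rather than allocating the wrapped size.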

This code needs a check for overflow. Doing multiplication like this without a check for overflow can lead to security problems.
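As an added illustration of the check asked for above (example code, not from the WebKit patch or tree), the unchecked size computation beside a checked version; `PixelData` here is a constructed 4-byte stand-in for WebKit's pixel type:

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// Constructed stand-in for the decoder's per-pixel type (4 bytes, RGBA); assumption.
struct PixelData { uint8_t channels[4]; };

// Unchecked form, as in the quoted patch line. Unsigned multiplication wraps
// modulo SIZE_MAX + 1, so a large width/height pair can yield a tiny (even zero)
// backing store that is later written as if it held width * height pixels.
size_t uncheckedBackingStoreSize(size_t newWidth, size_t newHeight)
{
    return newWidth * newHeight * sizeof(PixelData);
}

// Checked form: multiply in stages and refuse any step whose product would
// exceed SIZE_MAX. Returns false instead of a wrapped size so the caller can
// fail the decode rather than allocate.
bool checkedBackingStoreSize(size_t newWidth, size_t newHeight, size_t& backingStoreSize)
{
    const size_t maxSize = std::numeric_limits<size_t>::max();
    if (newWidth == 0 || newHeight == 0) {
        backingStoreSize = 0;
        return true;
    }
    // width * height must fit before the pixel count is formed.
    if (newWidth > maxSize / newHeight)
        return false;
    size_t pixelCount = newWidth * newHeight;
    // pixelCount * sizeof(PixelData) must fit as well.
    if (pixelCount > maxSize / sizeof(PixelData))
        return false;
    backingStoreSize = pixelCount * sizeof(PixelData);
    return true;
}
```

With width = SIZE_MAX / 2 + 1 and height = 2, the unchecked form returns 0 while the checked form reports failure.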
