[Webkit-unassigned] [Bug 48634] fast/images/size-failure.html results in malloc of 2 Gb after switching to WebKit image decoders

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 16 11:24:46 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=48634
--- Comment #29 from Peter Kasting <pkasting at google.com>  2010-11-16 11:24:46 PST ---
(In reply to comment #28)
> (In reply to comment #27)
> > This code needs a check for overflow. Doing multiplication like this without a check for overflow can lead to security problems.
> 
> ImageDecoder::isOverSize will reject image sizes that can lead to overflow issues, so we would never get here in that case.

In fact, that's its explicit purpose in life.  It is there to be an overflow check for all future "w * h * bpp" calculations because not all of them are explicitly under our control.  (For example, Skia does calculations like this internally in some cases.)

I would prefer not to have code that implies that overflow should be possible here.  A comment about isOverSize() checking this would be fine.  If you're nervous, you can couple it with an ASSERT().  An actual conditional that returns if there's overflow would be misleading, though.

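The gatekeeper pattern described in this comment, as an added illustration that is not WebKit's code: a single size check rejects dimensions up front, later "w * h * bpp" callers only ASSERT that the gate ran, and a 32-bit version of the same product shows the wraparound the gate prevents. The 4-bytes-per-pixel figure, the 1 GiB cap and the function signatures are assumptions chosen for the example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>

// Assumptions for this example (not WebKit's values): 32-bit RGBA pixels and
// a hypothetical cap chosen so that w * h * bpp always fits in size_t.
constexpr size_t kBytesPerPixel = 4;
constexpr size_t kMaxFrameBytes = size_t(1) << 30; // 1 GiB, hypothetical cap

// The one place overflow is considered. Every later "w * h * bpp" in the
// decoder, including calculations done inside libraries, relies on this.
bool isOverSize(unsigned width, unsigned height)
{
    if (width == 0 || height == 0)
        return false; // nothing would be allocated
    // Division form of the check: w > maxPixels / h  <=>  w * h > maxPixels,
    // evaluated without ever forming a product that could overflow.
    const size_t maxPixels = kMaxFrameBytes / kBytesPerPixel;
    return static_cast<size_t>(width) > maxPixels / height;
}

// A caller in the style the comment recommends: no conditional that returns
// on overflow, just an ASSERT that the gate already rejected bad sizes.
size_t frameBufferBytes(unsigned width, unsigned height)
{
    assert(!isOverSize(width, height));
    return static_cast<size_t>(width) * height * kBytesPerPixel;
}

// What the gate protects against: the same product in 32-bit arithmetic
// silently wraps, so an allocation could see a tiny or zero size.
uint32_t uncheckedBytes32(uint32_t width, uint32_t height)
{
    return width * height * static_cast<uint32_t>(kBytesPerPixel);
}
```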