[Webkit-unassigned] [Bug 67469] New: IconDatabase::defaultIcon always fails because loadDefaultIconRecord returns a TIFF

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 2 01:20:34 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=67469

           Summary: IconDatabase::defaultIcon always fails because
                    loadDefaultIconRecord returns a TIFF
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: david.delaune at hotmail.com
                CC: bfulgham at webkit.org


Hi,

I encountered an access violation inside WebKit.dll while implementing favicons. In a nutshell... The loadDefaultIconRecord returns a big-endian TIFF in a static buffer. The ImageDecoder::create is checking the first 14 bytes of the image in order to return the correct ImageDecoder class. The problem is that ImageDecoder::create never even checks for a TIFF header and returns a NULL ImageDecoder* which causes ImageSource::setData to fail.

The end-result is an access violation at this line in WebIconDatabase.cpp when attempting to get the default icon.

> if (!iconDatabase().defaultIcon(*size)->getHBITMAPOfSize(result, size)) {

This call stack shows all of the functions involved:

WebKit.dll!WebCore::ImageDecoder::create(const WebCore::SharedBuffer & data={...}, WebCore::ImageSource::AlphaOption alphaOption=AlphaPremultiplied, WebCore::ImageSource::GammaAndColorProfileOption gammaAndColorProfileOption=GammaAndColorProfileApplied)  Line 105    C++
WebKit.dll!WebCore::ImageSource::setData(WebCore::SharedBuffer * data=0x7ef30258, bool allDataReceived=true)  Line 82 + 0xe bytes    C++
WebKit.dll!WebCore::BitmapImage::dataChanged(bool allDataReceived=true)  Line 213    C++
WebKit.dll!WebCore::Image::setData(WTF::PassRefPtr<WebCore::SharedBuffer> data={...}, bool allDataReceived=true)  Line 77 + 0xe bytes    C++
WebKit.dll!WebCore::IconRecord::setImageData(WTF::PassRefPtr<WebCore::SharedBuffer> data={...})  Line 72 + 0x19 bytes    C++
WebKit.dll!WebCore::loadDefaultIconRecord(WebCore::IconRecord * defaultIconRecord=0x7eedbc00)  Line 375    C++
WebKit.dll!WebCore::IconDatabase::defaultIcon(const WebCore::IntSize & size={...})  Line 386 + 0x9 bytes    C++
WebKit.dll!WebIconDatabase::getOrCreateDefaultIconBitmap(tagSIZE * size=0x90050d8c)  Line 313 + 0x1b bytes    C++
WebKit.dll!WebIconDatabase::defaultIconWithSize(tagSIZE * size=0x0018f6b4, unsigned int * result=0x0018f6c4)  Line 194 + 0xc bytes    C++
WebKit.dll!WebIconDatabase::iconForURL(wchar_t * url=0x7ee99000, tagSIZE * size=0x0018f6b4, int __formal=1, unsigned int * bitmap=0x0018f6c4)  Line 187 + 0x13 bytes    C++
[...]

Note: The above call stack is before the access violation has occurred. The access violation will occur in WebIconDatabase::getOrCreateDefaultIconBitmap due to the NULL Image* pointer. Ports such as Qt and GTK might not experience this bug because CAN_THEME_URL_ICON is defined which causes the default icon to be loaded from resource.

Best Wishes,
-David Delaune
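Added illustration (not WebKit's code, and no part of the report above): a magic-number sniffer that, unlike the ImageDecoder::create behaviour described, recognizes both TIFF byte orders, and a decode step that returns a failure flag instead of a null pointer so the caller cannot dereference it by accident. The names sniffImageFormat, decodeIcon and DecodedIcon are invented for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

enum class ImageFormat { Unknown, PNG, GIF, JPEG, BMP, ICO, TIFF };

// Compare the leading bytes of data against a signature; a buffer shorter
// than the signature never matches, so truncated input is handled safely.
static bool startsWith(const std::vector<uint8_t>& data, const char* sig, size_t n) {
    return data.size() >= n && std::memcmp(data.data(), sig, n) == 0;
}

// Identify the container format from its header bytes. The TIFF case is the
// one the report says is missing: "II*\0" (little-endian) or "MM\0*" (big-endian).
ImageFormat sniffImageFormat(const std::vector<uint8_t>& data) {
    if (startsWith(data, "\x89PNG\r\n\x1a\n", 8)) return ImageFormat::PNG;
    if (startsWith(data, "GIF87a", 6) || startsWith(data, "GIF89a", 6)) return ImageFormat::GIF;
    if (startsWith(data, "\xFF\xD8\xFF", 3)) return ImageFormat::JPEG;
    if (startsWith(data, "BM", 2)) return ImageFormat::BMP;
    if (startsWith(data, "\x00\x00\x01\x00", 4)) return ImageFormat::ICO;
    if (startsWith(data, "II*\x00", 4) || startsWith(data, "MM\x00*", 4)) return ImageFormat::TIFF;
    return ImageFormat::Unknown;
}

// Hypothetical decode result; a real decoder would carry pixel data here.
struct DecodedIcon {
    ImageFormat format;
    size_t byteCount;
};

// Returns false when no decoder matches, rather than handing back a null
// object, so every caller is forced to handle the "unknown format" path.
bool decodeIcon(const std::vector<uint8_t>& data, DecodedIcon& out) {
    ImageFormat format = sniffImageFormat(data);
    if (format == ImageFormat::Unknown)
        return false;
    out = DecodedIcon{format, data.size()};
    return true;
}

// Constructed sample input: the first 8 bytes of a big-endian TIFF, the kind
// of data the report says loadDefaultIconRecord returns (header only).
const std::vector<uint8_t> kBigEndianTiffHeader = {'M', 'M', 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08};
```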
