[Webkit-unassigned] [Bug 68753] New: [WinCairo] BitmapImage::drawFrameMatchingSourceSize causes access violation if BitmapImage::frameAtIndex() returns NULL

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Sep 24 02:13:54 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=68753

           Summary: [WinCairo] BitmapImage::drawFrameMatchingSourceSize
                    causes access violation if BitmapImage::frameAtIndex()
                    returns NULL
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebKit API
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: david.delaune at hotmail.com
                CC: bfulgham at webkit.org


Hi,

I encountered an access violation in one of my unit tests at BitmapImage::drawFrameMatchingSourceSize. Below is the call stack:

>	WebKit.dll!WebCore::BitmapImage::drawFrameMatchingSourceSize(WebCore::GraphicsContext * ctxt=0x0023edb0, const WebCore::FloatRect & dstRect={...}, const WebCore::IntSize & srcSize={...}, WebCore::ColorSpace styleColorSpace=ColorSpaceDeviceRGB, WebCore::CompositeOperator compositeOp=CompositeCopy)  Line 100 + 0x10 bytes
     WebKit.dll!WebCore::BitmapImage::getHBITMAPOfSize(HBITMAP__ * bmp=0xee0510de, tagSIZE * size=0x0023ef74)  Line 90
     WebKit.dll!WebIconDatabase::iconForURL(wchar_t * url=0x77f34618, tagSIZE * size=0x0023ef74, int __formal=1, unsigned int * bitmap=0x0023ef84)  Line 179 + 0xb bytes

After an investigation it appears that in some circumstances frameAtIndex() can return a NULL NativeImagePtr pointer. The WinCairo branch calls cairo_image_surface_get_height and cairo_image_surface_get_width and these functions will throw an exception if passed a NULL pointer. I noticed that the ImageCGWin.cpp implementation is nearly identical and based the comments in the Bug 61684 patch I wonder if it should also be reviewed.

Best Wishes,
-David Delaune

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list