[Webkit-unassigned] [Bug 170332] [GTK+] Crash in WebCore::ImageFrame::ImageFrame()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 10 05:14:20 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=170332

--- Comment #1 from Miguel Gomez <magomez at igalia.com> ---
The problematic image is https://philip.html5.org/tests/apng/044.png, which belongs to a test that checks for invalid images.

The test reports 2 frames in its acTL segment, but then a single fdAT segment is found, meaning that there's only data from a single frame. ImageFrameCache::frameCount() initially reports 2 frames and ImageFrameCache::growFrames() is called to accommodate those 2 frames, but at some point ImageFrameCache::frameCount() starts returning 1 (I guess the decoder realizes there's no data for the second frame), and ImageFrameCache::growFrames() gets called again using a frameCount value smaller than the value it had, which causes the crash. There's an assertion ensuring that (m_frames.size() <= frameCount()) that gets triggered in debug mode warning about this.

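The mismatch described in the comment (an acTL chunk advertising more frames than the file actually carries, followed by a frame cache that is asked to shrink) can be reproduced at the chunk level without any image decoding. The following is an added illustration, not WebKit code and not the test image itself: it builds a small APNG-like byte string with a constructed acTL/fcTL/fdAT layout, walks the chunks with CRC and bounds checks, compares the advertised frame count against the number of fcTL chunks present (the APNG spec requires one fcTL per frame), and models a frame vector whose grow step tolerates a count that has gone down instead of tripping the `size <= frameCount` invariant. The `FrameCache` class and the sample builder are assumptions for demonstration purposes only.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build a PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(blob: bytes):
    """Yield (type, data) for every chunk, checking signature, bounds and CRC."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG stream")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        start = pos + 8
        end = start + length
        if end + 4 > len(blob):
            raise ValueError(f"truncated chunk {ctype!r}")
        data = blob[start:end]
        (crc,) = struct.unpack(">I", blob[end:end + 4])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        yield ctype, data
        pos = end + 4
        if ctype == b"IEND":
            break


def apng_frame_counts(blob: bytes):
    """Return (advertised, actual): acTL num_frames vs. fcTL chunks really present."""
    advertised = 0
    actual = 0
    for ctype, data in iter_chunks(blob):
        if ctype == b"acTL":
            advertised, _num_plays = struct.unpack(">II", data[:8])
        elif ctype == b"fcTL":
            actual += 1
    return advertised, actual


class FrameCache:
    """Hypothetical model of a frame vector that must follow the decoder's frame count,
    including the case where that count drops after more data has been parsed."""

    def __init__(self):
        self.frames = []

    def grow_frames(self, frame_count: int) -> int:
        # A count below the current size truncates instead of violating size <= count.
        if frame_count < len(self.frames):
            del self.frames[frame_count:]
        else:
            self.frames.extend(None for _ in range(frame_count - len(self.frames)))
        assert len(self.frames) <= frame_count
        return len(self.frames)


def build_sample_apng(advertised_frames: int, real_frames: int) -> bytes:
    """Constructed sample: a 1x1 RGBA APNG whose acTL may claim more frames than exist."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    chunks = [make_chunk(b"IHDR", ihdr),
              make_chunk(b"acTL", struct.pack(">II", advertised_frames, 0))]
    seq = 0
    raw_scanline = b"\x00" + b"\x00\x00\x00\x00"  # filter byte + one RGBA pixel
    for i in range(real_frames):
        # fcTL: seq, width, height, x_off, y_off, delay_num, delay_den, dispose, blend
        chunks.append(make_chunk(b"fcTL", struct.pack(">IIIIIHHBB", seq, 1, 1, 0, 0, 1, 100, 0, 0)))
        seq += 1
        if i == 0:
            chunks.append(make_chunk(b"IDAT", zlib.compress(raw_scanline)))
        else:
            chunks.append(make_chunk(b"fdAT", struct.pack(">I", seq) + zlib.compress(raw_scanline)))
            seq += 1
    chunks.append(make_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


if __name__ == "__main__":
    sample = build_sample_apng(advertised_frames=2, real_frames=1)
    advertised, actual = apng_frame_counts(sample)
    print(f"acTL advertises {advertised} frame(s), file carries {actual}")
    cache = FrameCache()
    cache.grow_frames(advertised)  # first pass trusts acTL
    cache.grow_frames(actual)      # later pass uses the corrected count
    print(f"frame cache now holds {len(cache.frames)} frame(s)")
```

Running the script reports an advertised count of 2 against a real count of 1 and leaves the cache at one frame; the CRC and bounds checks in `iter_chunks` also reject a stream whose trailing bytes have been altered, so a corrupt or truncated file fails at parse time rather than at cache-sizing time.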

