[Webkit-unassigned] [Bug 274027] REGRESSION(277476 at main): [GTK] Crash in WebCore::GIFImageDecoder::haveDecodedRow

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 13 08:16:58 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=274027

--- Comment #5 from Michael Catanzaro <mcatanzaro at redhat.com> ---
There is a preexisting buffer overread here in GIFImageDecoder::haveDecodedRow:

            const size_t colorIndex = static_cast<size_t>(sourceValue) * 3;
            buffer.backingStore()->setPixel(currentAddress, colorMap[colorIndex], colorMap[colorIndex + 1], colorMap[colorIndex + 2], 255);

Here the values of colorIndex are in practice much larger than the values of colorMapSize.

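The overread described in the comment, as an added example that is not WebKit's code and not the eventual fix: the quoted unchecked index computation beside a lookup that validates colorIndex against the palette size first. The palette is modelled as a flat byte vector of packed RGB triples, so its size is a byte count; that layout, the names colorIndexOverreads and lookupColor, and the sample palette are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example (not WebKit code). colorMap is a flat byte vector of packed
// RGB triples, so colorMapSize is a byte count; this is an assumption of the
// example, not a statement about WebKit's actual data layout.

struct Rgba { uint8_t r, g, b, a; };

// True when colorMap[colorIndex .. colorIndex + 2] would fall outside a table
// of colorMapSize bytes. Nothing is read here; this only evaluates the bound
// that the quoted code never checks.
bool colorIndexOverreads(uint8_t sourceValue, size_t colorMapSize)
{
    const size_t colorIndex = static_cast<size_t>(sourceValue) * 3;
    return colorIndex + 2 >= colorMapSize;
}

// Hardened lookup (hypothetical, not the real fix): an index past the end of
// the palette yields opaque black instead of whatever memory follows the table.
Rgba lookupColor(const std::vector<uint8_t>& colorMap, uint8_t sourceValue)
{
    const size_t colorIndex = static_cast<size_t>(sourceValue) * 3;
    if (colorIndex + 2 >= colorMap.size())
        return { 0, 0, 0, 255 };
    return { colorMap[colorIndex], colorMap[colorIndex + 1], colorMap[colorIndex + 2], 255 };
}

// Constructed 4-entry palette (12 bytes). A decoded pixel byte can still be
// any value 0..255, so indices 4..255 would overread a table this small.
const std::vector<uint8_t> kSamplePalette = {
    0xff, 0x00, 0x00, // entry 0: red
    0x00, 0xff, 0x00, // entry 1: green
    0x00, 0x00, 0xff, // entry 2: blue
    0xff, 0xff, 0xff, // entry 3: white
};

// Counts how many of the 256 possible index bytes would overread a palette of
// colorMapSize bytes; only a full 768-byte table makes every index safe.
unsigned overreadingIndexCount(size_t colorMapSize)
{
    unsigned count = 0;
    for (unsigned v = 0; v < 256; ++v)
        count += colorIndexOverreads(static_cast<uint8_t>(v), colorMapSize);
    return count;
}
```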