Bug 11760

Summary: Animated GIFs with offsets crash WebKit
Product: WebKit    Reporter: Dex Deacon <occupant4>
Component: Images    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal    CC: ddkilzer, hyatt
Priority: P1
Version: 420+
Hardware: All
OS: Windows XP
URL: http://images.strategyinformer.com/u3/6644/00169596.gif
Attachments:
    proposed patch    Flags: none
    better patch with layout test    Flags: mjs: review+

Description Dex Deacon 2006-12-05 11:39:13 PST
WebKit crashes when decoding an animated GIF that contains a frame with a nonzero X offset.
Comment 1 Dex Deacon 2006-12-05 11:41:51 PST
Created attachment 11742 [details]
proposed patch
Comment 2 David Kilzer (:ddkilzer) 2006-12-06 03:11:08 PST
The image at the URL above appears to work for me without crashing using a locally-built debug build of r18014.

Please post a stack trace if you get a crash.

Comment 3 Alexey Proskuryakov 2006-12-06 09:06:27 PST
I think that's because WebKit uses ImageIO on Mac OS X, rather than the built-in decoders.
Comment 4 David Kilzer (:ddkilzer) 2006-12-06 11:14:03 PST
(In reply to comment #3)
> I think that's because WebKit uses ImageIO on Mac OS X, rather than the
> built-in decoders.

My bad--didn't notice this happened on Win XP.
Comment 5 Dex Deacon 2006-12-06 13:06:41 PST
Created attachment 11757 [details]
better patch with layout test

This patch fixes another buffer overflow that I missed in the first patch.  It also corrects the way frames are composited in animating GIFs.
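The bug describes a frame whose nonzero offset leads to a buffer overflow while the frame is composited into the animation canvas. The following is an added illustration, not WebKit's decoder and not the patch attached here: it assumes the hazard is a frame rectangle (offset plus size) that extends past the logical screen and is written without a bounds check, and shows a compositing routine that rejects such frames before copying. The `Canvas`, `Frame`, `composite_frame` and `try_offset` names, the RGBA layout and the 4x4 canvas scenario are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Logical screen (canvas) of an animated GIF. Assumed layout for this
   example: row-major RGBA, 4 bytes per pixel. */
typedef struct {
    uint32_t width, height;
    uint8_t *pixels;            /* width * height * 4 bytes */
} Canvas;

/* One frame's image descriptor: position and size within the canvas.
   Constructed struct; a real decoder fills this from the GIF Image
   Descriptor block, i.e. from attacker-controlled file bytes. */
typedef struct {
    uint32_t x_offset, y_offset, width, height;
    const uint8_t *pixels;      /* width * height * 4 bytes, already decoded */
} Frame;

/* Returns 1 if the frame rectangle lies entirely inside the canvas.
   The sums are done in 64 bits so that a huge offset cannot wrap around
   and pass a 32-bit comparison. */
int frame_fits_canvas(const Canvas *c, const Frame *f)
{
    if (f->width == 0 || f->height == 0)
        return 0;
    uint64_t right  = (uint64_t)f->x_offset + f->width;
    uint64_t bottom = (uint64_t)f->y_offset + f->height;
    return right <= c->width && bottom <= c->height;
}

/* Copies the frame into the canvas at its offset (plain copy, no
   disposal or transparency handling). Returns 0 on success, -1 if the
   frame was rejected because it does not fit. */
int composite_frame(Canvas *c, const Frame *f)
{
    if (!frame_fits_canvas(c, f))
        return -1;
    for (uint32_t row = 0; row < f->height; row++) {
        size_t dst_pixel = (size_t)(f->y_offset + row) * c->width + f->x_offset;
        uint8_t *dst = c->pixels + dst_pixel * 4;
        const uint8_t *src = f->pixels + (size_t)row * f->width * 4;
        memcpy(dst, src, (size_t)f->width * 4);
    }
    return 0;
}

/* Constructed 2x2 solid red frame. */
static const uint8_t RED_2X2[2 * 2 * 4] = {
    255, 0, 0, 255,  255, 0, 0, 255,
    255, 0, 0, 255,  255, 0, 0, 255
};

/* Composites the 2x2 frame at (x, y) into a fresh 4x4 canvas.
   Returns the red byte of canvas pixel (3,3) on success, -1 if the
   frame was rejected. */
int try_offset(uint32_t x, uint32_t y)
{
    uint8_t buf[4 * 4 * 4] = {0};
    Canvas c = { 4, 4, buf };
    Frame f = { x, y, 2, 2, RED_2X2 };
    if (composite_frame(&c, &f) != 0)
        return -1;
    return buf[(3 * 4 + 3) * 4];
}

int main(void)
{
    printf("offset (2,2):           %d\n", try_offset(2, 2));           /* 255: fits, lands on (3,3) */
    printf("offset (0,0):           %d\n", try_offset(0, 0));           /* 0: fits, (3,3) untouched */
    printf("offset (3,0):           %d\n", try_offset(3, 0));           /* -1: 3+2 > 4, rejected */
    printf("offset (0xFFFFFFFF,0):  %d\n", try_offset(0xFFFFFFFFu, 0)); /* -1: would wrap in 32 bits */
    return 0;
}
```

The last case is the one worth noting: with `x_offset + width` evaluated in 32 bits, `0xFFFFFFFF + 2` wraps to 1 and the frame would pass a naive `<= width` check, so the check is done in 64-bit arithmetic. A decoder may alternatively clip an oversized frame to the canvas instead of rejecting it; either choice is fine as long as the decision is made before any write.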
Comment 6 Maciej Stachowiak 2006-12-07 15:37:21 PST
Comment on attachment 11757 [details]
better patch with layout test

r=me
Comment 7 Mark Rowe (bdash) 2006-12-18 15:42:20 PST
Landed in r18289.  Dex, can you please be wary of using tabs in changelog entries?  Thanks very much for the fix!