15104 2007-08-28 14:48:59 -0700 GIFImageDecoder.cpp buffer overrun prevention bug 2007-08-29 10:36:21 -0700 1 1 1 Unclassified WebKit Images 523.x (Safari 3) PC All RESOLVED FIXED P2 Normal --- 0 pkasting webkit-unassigned oldest_to_newest 1319 0 pkasting 2007-08-28 14:48:59 -0700 GIFImageDecoder.cpp (not used by Safari, but used by Cairo/QT) has a bug in some buffer overflow prevention code that results in the frame buffer never being written for rows near the bottom of some interlaced GIFs (resulting in either nothing or garbage showing up for those rows). Specifically, the repeated rows code in haveDecodedRow() double-compensates for sizeof(unsigned) in its buffer overrun check, by adding a pre-multiplied scalar to a pointer (which causes the compiler to multiply it again). Patch coming shortly. 1317 1 16148 pkasting 2007-08-28 15:09:54 -0700 Created attachment 16148 patch v1 Simple fix. 1305 2 16148 mjs 2007-08-28 20:26:51 -0700 Comment on attachment 16148 patch v1 r=me It might also be helpful to provide a test case of a bad gif like this. 1249 3 mrowe 2007-08-29 10:36:21 -0700 Landed in r25293. Peter, can you please be sure to use spaces rather than tabs for indentation in your ChangeLog entries? Thanks! :) 16148 2007-08-28 15:09:54 -0700 2007-08-28 20:26:51 -0700 patch v1 patch text/plain 1794 pkasting SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiAyNTI3OSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTUgQEAKKzIwMDctMDgtMjggIFBldGVyIEthc3RpbmcgIDx6ZXJvZHB4QGdtYWls LmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAt IGZpeCBodHRwOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNTEwNAorCURvbid0 IGRvdWJsZS1jb21wZW5zYXRlIGZvciBzaXplb2YodW5zaWduZWQpIHdoZW4gbWFraW5nIGEgYnVm ZmVyCisJb3ZlcmZsb3cgY2hlY2sgaW4gdGhlIEdJRiBkZWNvZGVyLiAgTm93IGludGVybGFjZWQg R0lGcyBkb24ndAorCXNvbWV0aW1lcyBnZXQgbm90aGluZy9nYXJiYWdlIGluIHNvbWUgb2YgdGhl IGJvdHRvbSByb3dzLgorCisgICAgICAgICogcGxhdGZvcm0vaW1hZ2UtZGVjb2RlcnMvZ2lmL0dJ RkltYWdlRGVjb2Rlci5jcHA6CisgICAgICAgIChXZWJDb3JlOjpHSUZJbWFnZURlY29kZXI6Omhh dmVEZWNvZGVkUm93KToKKwogMjAwNy0wOC0yOCAgTWFyayBSb3dlICA8bXJvd2VAYXBwbGUuY29t PgogCiAgICAgICAgIFJldmlld2VkIGJ5IERhcmluIEFkbGVyLgpJbmRleDogV2ViQ29yZS9wbGF0 Zm9ybS9pbWFnZS1kZWNvZGVycy9naWYvR0lGSW1hZ2VEZWNvZGVyLmNwcAo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0t LSBXZWJDb3JlL3BsYXRmb3JtL2ltYWdlLWRlY29kZXJzL2dpZi9HSUZJbWFnZURlY29kZXIuY3Bw CShyZXZpc2lvbiAyNTI2NykKKysrIFdlYkNvcmUvcGxhdGZvcm0vaW1hZ2UtZGVjb2RlcnMvZ2lm L0dJRkltYWdlRGVjb2Rlci5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTM0NSwxMiArMzQ1LDEzIEBA IHZvaWQgR0lGSW1hZ2VEZWNvZGVyOjpoYXZlRGVjb2RlZFJvdyh1bnMKIAogICAgIGlmIChyZXBl YXRDb3VudCA+IDEpIHsKICAgICAgICAgLy8gQ29weSB0aGUgcm93IHxyZXBlYXRDb3VudHwtMSB0 aW1lcy4KLSAgICAgICAgdW5zaWduZWQgc2l6ZSA9IChjdXJyRHN0IC0gZHN0KSAqIHNpemVvZih1 bnNpZ25lZCk7CisgICAgICAgIHVuc2lnbmVkIG51bSA9IGN1cnJEc3QgLSBkc3Q7CisgICAgICAg IHVuc2lnbmVkIHNpemUgPSBudW0gKiBzaXplb2YodW5zaWduZWQpOwogICAgICAgICB1bnNpZ25l ZCB3aWR0aCA9IG1fc2l6ZS53aWR0aCgpOwogICAgICAgICB1bnNpZ25lZCogZW5kID0gYnVmZmVy LmJ5dGVzKCkuZGF0YSgpICsgd2lkdGggKiBtX3NpemUuaGVpZ2h0KCk7CiAgICAgICAgIGN1cnJE c3QgPSBkc3QgKyB3aWR0aDsKICAgICAgICAgZm9yICh1bnNpZ25lZCBpID0gMTsgaSA8IHJlcGVh dENvdW50OyBpKyspIHsKLSAgICAgICAgICAgIGlmIChjdXJyRHN0ICsgc2l6ZSA+IGVuZCkgLy8g UHJvdGVjdCBhZ2FpbnN0IGEgYnVmZmVyIG92ZXJydW4gZnJvbSBhIGJvZ3VzIHJlcGVhdENvdW50 LgorICAgICAgICAgICAgaWYgKGN1cnJEc3QgKyBudW0gPiBlbmQpIC8vIFByb3RlY3QgYWdhaW5z dCBhIGJ1ZmZlciBvdmVycnVuIGZyb20gYSBib2d1cyByZXBlYXRDb3VudC4KICAgICAgICAgICAg ICAgICBicmVhazsKICAgICAgICAgICAgIG1lbWNweShjdXJyRHN0LCBkc3QsIHNpemUpOwogICAg ICAgICAgICAgY3VyckRzdCArPSB3aWR0aDsK