| Summary | [GTK+] Crash in WebCore::ImageFrame::ImageFrame() | | |
|---|---|---|---|
| Product | WebKit | Reporter | Miguel Gomez <magomez> |
| Component | WebKitGTK | Assignee | Miguel Gomez <magomez> |
| Status | RESOLVED FIXED | | |
| Severity | Normal | CC | bugs-noreply, cgarcia, commit-queue, sabouhallawa, webkit-bug-importer |
| Priority | P2 | Keywords | InRadar |
| Version | WebKit Nightly Build | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Attachments | | | |
Description

Miguel Gomez
2017-03-31 01:42:09 PDT

The problematic image is https://philip.html5.org/tests/apng/044.png, which belongs to a test that checks for invalid images. The rest reports 2 frames in its acTL segment, but then a single fdAT segment is found, meaning that there's only data for a single frame. ImageFrameCache::frameCount() initially reports 2 frames and ImageFrameCache::growFrames() is called to accommodate those 2 frames, but at some point ImageFrameCache::frameCount() starts returning 1 (I guess the decoder realizes there's no data for the second frame), and ImageFrameCache::growFrames() gets called again using a frameCount value smaller than the value it had, which causes the crash. There's an assertion ensuring that (m_frames.size() <= frameCount()) that gets triggered in debug mode warning about this.

Created attachment 307267 [details]
Patch

Created attachment 307363 [details]
Patch

Comment on attachment 307363 [details]
Patch

Clearing flags on attachment: 307363

Committed r215458: <http://trac.webkit.org/changeset/215458>

All reviewed patches have been landed. Closing bug.