Fix potential overflow in jpeg exif reader. Found by aedla@google.com.
Created attachment 170540 [details] Patch
Comment on attachment 170540 [details] Patch Sounds like the security folks are still tweaking what to do here.
Created attachment 171328 [details] Patch
Comment on attachment 171328 [details] Patch This is really a Noel review. If he says LGTM, then I'm happy to r+.
Noel really should add himself to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/watchlist for all the decoder files. :)
Created attachment 171460 [details] Patch
Sounds like folks are happy with this. Can I get r+?
Comment on attachment 171460 [details] Patch I assume Noel had a chance to look (and may have just commented to you over IRC)?
Comment on attachment 171460 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=171460&action=review > Source/WebCore/platform/image-decoders/jpeg/JPEGImageDecoder.cpp:192 > + if (marker->data_length < 6 || ifdOffset >= marker->data_length - 6) > + continue; > ifdOffset += 6; // Account for 'Exif\0<fill byte>' header. 6 should probably be a constant with a nice name instead.
Created attachment 171534 [details] Patch for landing
Created attachment 171535 [details] Patch for landing
LGTM.
Comment on attachment 171535 [details] Patch for landing Clearing flags on attachment: 171535 Committed r132961: <http://trac.webkit.org/changeset/132961>
All reviewed patches have been landed. Closing bug.