Bug 11760 - Animated GIFs with offsets crash WebKit
Summary: Animated GIFs with offsets crash WebKit
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Images
Version: 420+
Hardware: All
OS: Windows XP
Importance: P1 Normal
Assignee: Nobody
URL: http://images.strategyinformer.com/u3...
Keywords:
Depends on:
Blocks:
 
Reported: 2006-12-05 11:39 PST by Dex Deacon
Modified: 2006-12-18 15:42 PST
CC List: 2 users

See Also:


Attachments
proposed patch (1.40 KB, patch)
2006-12-05 11:41 PST, Dex Deacon
no flags
better patch with layout test (9.03 KB, patch)
2006-12-06 13:06 PST, Dex Deacon
mjs: review+

Description Dex Deacon 2006-12-05 11:39:13 PST
WebKit crashes when decoding an animated GIF that contains a frame with a nonzero X offset.
Comment 1 Dex Deacon 2006-12-05 11:41:51 PST
Created attachment 11742
proposed patch
Comment 2 David Kilzer (:ddkilzer) 2006-12-06 03:11:08 PST
The image at the URL above appears to work for me without crashing using a locally-built debug build of r18014.

Please post a stack trace if you get a crash.

Comment 3 Alexey Proskuryakov 2006-12-06 09:06:27 PST
I think that's because WebKit uses ImageIO on Mac OS X, rather than the built-in decoders.
Comment 4 David Kilzer (:ddkilzer) 2006-12-06 11:14:03 PST
(In reply to comment #3)
> I think that's because WebKit uses ImageIO on Mac OS X, rather than the
> built-in decoders.

My bad--didn't notice this happened on Win XP.
Comment 5 Dex Deacon 2006-12-06 13:06:41 PST
Created attachment 11757
better patch with layout test

This patch fixes another buffer overflow that I missed in the first patch. It also corrects the way frames are composited in animating GIFs.
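The class of defect described in the report and in this comment is a frame whose Image Descriptor offset pushes its pixels past the logical screen the canvas was sized for. The following is an added illustration of the bounds check a decoder needs before compositing such a frame; it is not WebKit's code or the attached patch, and the two 9-byte descriptors and the 10x10 screen are constructed sample values.

```c
#include <stdint.h>
#include <string.h>

/* Logical screen size (from the GIF header) and one frame's Image Descriptor rectangle. */
typedef struct { uint16_t width, height; } gif_screen;
typedef struct { uint16_t left, top, width, height; } gif_frame_rect;

/* Constructed 9-byte Image Descriptors (little-endian left, top, width, height, packed byte)
 * for a 10x10 logical screen: one frame that fits, one whose X offset runs past the edge. */
static const uint8_t kFrameInBounds[9] = { 2,0, 1,0, 4,0, 3,0, 0 };  /* left=2, top=1, 4x3 */
static const uint8_t kFrameOverflow[9] = { 8,0, 1,0, 4,0, 3,0, 0 };  /* left=8: 8+4 > 10 */

/* Parse the descriptor that follows the 0x2C image separator; 0 on a truncated input. */
static int parse_image_descriptor(const uint8_t *p, size_t len, gif_frame_rect *r)
{
    if (len < 9) return 0;
    r->left   = (uint16_t)(p[0] | (p[1] << 8));
    r->top    = (uint16_t)(p[2] | (p[3] << 8));
    r->width  = (uint16_t)(p[4] | (p[5] << 8));
    r->height = (uint16_t)(p[6] | (p[7] << 8));
    return 1;
}

/* 1 if the frame lies inside the logical screen, 0 if not, -1 if the descriptor is truncated.
 * Sums are done in 32 bits so the comparison itself cannot wrap on 16-bit fields. */
int check_frame(const uint8_t *desc, size_t len, uint16_t sw, uint16_t sh)
{
    gif_frame_rect r;
    if (!parse_image_descriptor(desc, len, &r)) return -1;
    return (uint32_t)r.left + r.width <= sw && (uint32_t)r.top + r.height <= sh;
}

/* Composite one decoded frame row into an RGBA canvas at the frame's X/Y offset.
 * Returns bytes written; 0 when the frame is rejected, so nothing lands past the buffer. */
size_t composite_row(uint8_t *canvas, gif_screen s, const uint8_t *desc, size_t len,
                     uint16_t row, const uint8_t *rgba)
{
    gif_frame_rect r;
    if (check_frame(desc, len, s.width, s.height) != 1) return 0;
    parse_image_descriptor(desc, len, &r);
    if (row >= r.height) return 0;
    size_t dst = ((size_t)(r.top + row) * s.width + r.left) * 4;  /* offset honoured here */
    memcpy(canvas + dst, rgba, (size_t)r.width * 4);
    return (size_t)r.width * 4;
}

/* Composite row 0 of a 4-pixel-wide frame into a 10x10 canvas; returns bytes written. */
size_t demo_composite(const uint8_t *desc)
{
    uint8_t canvas[10 * 10 * 4] = {0};
    uint8_t row[4 * 4];
    memset(row, 0xff, sizeof row);          /* four opaque white pixels */
    gif_screen s = { 10, 10 };
    return composite_row(canvas, s, desc, 9, 0, row);
}
```

Without the `check_frame` gate, the in-bounds descriptor and the overflowing one differ only in their `left` field, yet the second would write 16 bytes starting past the end of the row.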
Comment 6 Maciej Stachowiak 2006-12-07 15:37:21 PST
Comment on attachment 11757
better patch with layout test

r=me
Comment 7 Mark Rowe (bdash) 2006-12-18 15:42:20 PST
Landed in r18289.  Dex, can you please be wary of using tabs in changelog entries?  Thanks very much for the fix!