Bug 15142 - GIFImageDecoder can lie about frame count
Summary: GIFImageDecoder can lie about frame count
Alias: None
Product: WebKit
Classification: Unclassified
Component: Images
Version: 523.x (Safari 3)
Hardware: PC All
Importance: P2 Normal
Assignee: Nobody
Depends on:
Reported: 2007-09-04 12:01 PDT by Peter Kasting
Modified: 2007-10-14 04:36 PDT

patch v1 (1.25 KB, patch)
2007-09-04 12:06 PDT, Peter Kasting
mjs: review+

Description Peter Kasting 2007-09-04 12:01:26 PDT
WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp (not used by Safari, but used by Cairo/QT) has an API safety issue in frameBufferAtIndex(): it assumes the frame count has already been decoded, so it just returns the size of the internal frame buffer.  But if a caller calls this function when the decoder has received more data since its last decode (or since ever, if nothing has forced the decoder to start decoding), this value is out of date.

The fix is easy: just call the existing frameCount() function which determines if the count is up to date and recalculates it if not.

Patch coming shortly.
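The stale-count hazard described above, as an added C++ illustration that is not WebKit's code: `ToyGifDecoder` is a hypothetical stand-in for GIFImageDecoder, its frame marker byte 0x2C is a constructed simplification (it does not parse real GIF data), and `frameBufferAtIndexStale` models the pre-fix check against the cached buffer size while `frameBufferAtIndex` models the fix of routing the bounds check through `frameCount()`.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed toy decoder: every 0x2C byte in the stream starts one "frame".
class ToyGifDecoder {
public:
    // Caller supplies more of the stream; nothing is decoded until asked.
    void appendData(const std::vector<uint8_t>& more) {
        m_data.insert(m_data.end(), more.begin(), more.end());
    }

    // Like frameCount() in the report: decode whatever arrived since the
    // last decode, so the count is current before it is returned.
    size_t frameCount() {
        decodePendingFrames();
        return m_frameBufferCache.size();
    }

    // Pre-fix behaviour: trusts the cached buffer count, which is stale
    // whenever data arrived after the last decode (or no decode ran yet).
    const std::vector<uint8_t>* frameBufferAtIndexStale(size_t index) const {
        if (index >= m_frameBufferCache.size())
            return nullptr;                 // "lies": frame may really exist
        return &m_frameBufferCache[index];
    }

    // Fixed behaviour: bounds-check against frameCount(), which refreshes
    // the cache first, so the answer matches all data received so far.
    const std::vector<uint8_t>* frameBufferAtIndex(size_t index) {
        if (index >= frameCount())
            return nullptr;
        return &m_frameBufferCache[index];
    }

private:
    // Incremental decode: resume at the first byte not yet examined.
    void decodePendingFrames() {
        for (; m_bytesDecoded < m_data.size(); ++m_bytesDecoded) {
            if (m_data[m_bytesDecoded] == 0x2C)
                m_frameBufferCache.emplace_back(1, m_data[m_bytesDecoded]);
        }
    }

    std::vector<uint8_t> m_data;
    size_t m_bytesDecoded = 0;
    std::vector<std::vector<uint8_t>> m_frameBufferCache;
};
```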
Comment 1 Peter Kasting 2007-09-04 12:06:49 PDT
Created attachment 16199 [details]
patch v1

Simple fix
Comment 2 Maciej Stachowiak 2007-09-29 18:12:34 PDT
Comment on attachment 16199 [details]
patch v1

Comment 3 Eric Seidel 2007-10-07 01:38:59 PDT
Is this for feature-branch or trunk?  I don't know where qt development is going on these days.
Comment 4 Mark Rowe (bdash) 2007-10-14 04:36:59 PDT
Landed in r26579.