Bug 20774 - Crash in PNGImageDecoder::rowAvailable if bytes.resize() fails
Summary: Crash in PNGImageDecoder::rowAvailable if bytes.resize() fails
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-10 15:54 PDT by Alexander Mohr
Modified: 2010-01-05 14:34 PST
CC: 2 users

See Also:


Attachments

Description Alexander Mohr 2008-09-10 15:54:47 PDT
In PNGImageDecoder.cpp, PNGImageDecoder::rowAvailable attempts to resize the buffer to the size of the image. The issue is that if there's not enough memory, bytes.resize() will fail and the buffer will not be valid. This will later cause an access violation when attempting to access memory which has not been allocated.

Suggested fix after bytes.resize:

if (!bytes.data()) {
    // allocation failed: drop the partial buffer and skip this row
    bytes.resize(0);
    return;
}
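The failure mode described in this report, as an added C++ example that is not part of the bug or of WebKit's code: a minimal decoder whose per-row callback only writes into the frame buffer once the buffer has actually been allocated, and which also rejects dimensions whose byte count would overflow before any allocation is attempted. std::vector stands in for WebKit's Vector (it signals exhaustion by throwing rather than by a null data() pointer, so the check is wrapped in a tryResize helper); RowDecoder, rgbaBufferSize, tryResize and the demo functions are hypothetical names, and the sample rows are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>
#include <stdexcept>
#include <vector>

// Hypothetical decoder state: one RGBA frame buffer of width*height*4 bytes.
struct RowDecoder {
    size_t width = 0;
    size_t height = 0;
    std::vector<uint8_t> bytes;  // stands in for WebKit's Vector<unsigned char>
    bool failed = false;         // sticky: once allocation fails, no row is ever written
};

// Resize that reports failure instead of leaving the caller with an unusable
// buffer. std::vector throws on exhaustion (bad_alloc) or on a size beyond
// max_size() (length_error); either way the buffer is emptied and false returned.
static bool tryResize(std::vector<uint8_t>& v, size_t n) {
    try {
        v.resize(n);
        return true;
    } catch (const std::bad_alloc&) {
    } catch (const std::length_error&) {
    }
    v.clear();
    v.shrink_to_fit();
    return false;
}

// Computes the RGBA buffer size, refusing any width/height whose product would
// wrap: a wrapped "small" size is how an undersized allocation later becomes an
// out-of-bounds write even when resize() itself succeeds.
static bool rgbaBufferSize(size_t width, size_t height, size_t& out) {
    if (width == 0 || height == 0) return false;
    if (width > SIZE_MAX / 4) return false;
    size_t rowBytes = width * 4;
    if (height > SIZE_MAX / rowBytes) return false;
    out = rowBytes * height;
    return true;
}

// Analogue of rowAvailable(): called once per decoded scanline. The row is
// copied only if the frame buffer exists and the index is in range.
static bool rowAvailable(RowDecoder& d, size_t rowIndex, const uint8_t* rgba) {
    if (d.failed) return false;
    if (d.bytes.empty()) {
        size_t n = 0;
        if (!rgbaBufferSize(d.width, d.height, n) || !tryResize(d.bytes, n)) {
            d.failed = true;  // no buffer: never touch d.bytes.data()
            return false;
        }
    }
    if (rowIndex >= d.height) { d.failed = true; return false; }
    std::memcpy(d.bytes.data() + rowIndex * d.width * 4, rgba, d.width * 4);
    return true;
}

// Constructed 2x2 image: both rows land in the buffer.
static bool demoSmallImage() {
    RowDecoder d; d.width = 2; d.height = 2;
    const uint8_t row0[8] = {255, 0, 0, 255, 0, 255, 0, 255};
    const uint8_t row1[8] = {0, 0, 255, 255, 0, 0, 0, 255};
    if (!rowAvailable(d, 0, row0) || !rowAvailable(d, 1, row1)) return false;
    return d.bytes.size() == 16 && d.bytes[0] == 255 && d.bytes[10] == 255 && !d.failed;
}

// Constructed hostile header: width*4 would overflow, so nothing is allocated
// and nothing is written; the decoder simply marks itself failed.
static bool demoOversizedImage() {
    RowDecoder d; d.width = SIZE_MAX / 2; d.height = 4;
    const uint8_t row[4] = {0, 0, 0, 0};
    bool ok = rowAvailable(d, 0, row);
    return !ok && d.failed && d.bytes.empty();
}

int main() {
    std::printf("small image decoded: %s\n", demoSmallImage() ? "yes" : "no");
    std::printf("oversized image rejected: %s\n", demoOversizedImage() ? "yes" : "no");
    return 0;
}
```

The point of the sticky failed flag is that a PNG delivers rows one at a time: a failed allocation on the first row must also stop every later row, otherwise the next callback would again see an empty buffer and retry (or, worse, write into whatever data() returns).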
Comment 1 Alexey Proskuryakov 2008-09-13 08:37:40 PDT
Thanks! Would you be willing to propose this fix as described in <http://webkit.org/coding/contributing.html>?
Comment 2 Mike Moretti 2009-12-30 11:34:36 PST
This bug doesn't appear to be valid any more. That code has totally changed since.
Comment 3 Alexander Mohr 2010-01-05 10:03:56 PST
Agreed, feel free to close this bug. Or if you need me to do it, let me know!
Comment 4 Mike Moretti 2010-01-05 10:06:36 PST
I don't have access to close the bug. Thanks!
Comment 5 Alexander Mohr 2010-01-05 14:34:56 PST
This code has been reworked in such a way that this bug is no longer present.