RESOLVED INVALID
20774
Crash in PNGImageDecoder::rowAvailable if bytes.resize() fails
https://bugs.webkit.org/show_bug.cgi?id=20774
Summary
Crash in PNGImageDecoder::rowAvailable if bytes.resize() fails
Alexander Mohr
Reported
2008-09-10 15:54:47 PDT
In PNGImageDecoder.cpp, PNGImageDecoder::rowAvailable attempts to resize the buffer to the size of the image. The issue is that if there's not enough memory, bytes.resize() will fail and the buffer will not be valid. This will later cause an access violation when attempting to access memory which has not been allocated. Suggested fix after bytes.resize(): if( !bytes.data() ) { bytes.resize(0); return; }
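The allocation-failure path the report describes, as an added C++ example that is not WebKit code: a hypothetical FallibleBuffer stands in for the decoder's byte buffer (its resize() returns false and leaves data() null instead of throwing), and a hypothetical rowAvailable() applies the suggested null check, plus a size-overflow and per-row bounds check, before writing a row.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed stand-in for the decoder's byte buffer (hypothetical, not
// WTF::Vector): resize() reports failure by returning false and leaving the
// buffer empty, so data() is null, which is the state the report describes.
class FallibleBuffer {
public:
    // The limit lets the example reproduce "not enough memory" deterministically.
    explicit FallibleBuffer(size_t limitBytes) : m_limit(limitBytes) {}
    bool resize(size_t n) {
        if (n > m_limit) { std::vector<uint8_t>().swap(m_bytes); return false; }
        m_bytes.resize(n);
        return true;
    }
    uint8_t* data() { return m_bytes.empty() ? nullptr : m_bytes.data(); }
    size_t size() const { return m_bytes.size(); }
private:
    std::vector<uint8_t> m_bytes;
    size_t m_limit;
};

// Hypothetical stand-in for PNGImageDecoder::rowAvailable. On the first row it
// sizes the buffer to width * height * 4 (RGBA); later rows copy into it.
// Returns false, having written nothing, when the buffer is unusable, which
// is the check the report suggests after bytes.resize().
bool rowAvailable(FallibleBuffer& bytes, size_t width, size_t height,
                  const uint8_t* row, size_t rowIndex) {
    const size_t rowBytes = width * 4;
    if (rowIndex == 0 && bytes.size() == 0) {
        // Guard the size computation too: an overflowed product would make
        // resize() "succeed" with a buffer far smaller than the rows need.
        if (width > SIZE_MAX / 4 || (height && rowBytes > SIZE_MAX / height))
            return false;
        bytes.resize(rowBytes * height);
        if (!bytes.data()) {      // allocation failed: release and bail out
            bytes.resize(0);
            return false;
        }
    }
    // Bounds check every row so a failed or missing allocation is never
    // dereferenced, even if an earlier failure was not propagated.
    if (!bytes.data() || rowIndex >= height || (rowIndex + 1) * rowBytes > bytes.size())
        return false;
    std::memcpy(bytes.data() + rowIndex * rowBytes, row, rowBytes);
    return true;
}
```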
Alexey Proskuryakov
Comment 1
2008-09-13 08:37:40 PDT
Thanks! Would you be willing to propose this fix as described in <http://webkit.org/coding/contributing.html>?
Mike Moretti
Comment 2
2009-12-30 11:34:36 PST
This bug doesn't appear to be valid any more. That code is totally changed since.
Alexander Mohr
Comment 3
2010-01-05 10:03:56 PST
Agreed, feel free to close this bug. Or if you need me to do it, let me know!
Mike Moretti
Comment 4
2010-01-05 10:06:36 PST
I don't have access to close the bug. Thanks!
Alexander Mohr
Comment 5
2010-01-05 14:34:56 PST
This code has been reworked in such a way that this bug is no longer present.