Title: [158840] trunk/Source/WebCore
Revision
158840
Author
[email protected]
Date
2013-11-07 03:04:16 -0800 (Thu, 07 Nov 2013)

Log Message

Fix crash in BitmapImage::destroyDecodedData()
https://bugs.webkit.org/show_bug.cgi?id=116494

Patch by Laszlo Vidacs <[email protected]> on 2013-11-07
Reviewed by Csaba Osztrogonác.

Merge from https://chromium.googlesource.com/chromium/blink/+/6b6887bf53068f8537908e501fdc7317ad2c6d86

* platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::destroyDecodedData):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/platform/graphics/BitmapImage.cpp
Diff

Modified: trunk/Source/WebCore/ChangeLog (158839 => 158840)


--- trunk/Source/WebCore/ChangeLog	2013-11-07 10:53:17 UTC (rev 158839)
+++ trunk/Source/WebCore/ChangeLog	2013-11-07 11:04:16 UTC (rev 158840)
@@ -1,3 +1,15 @@
+2013-11-07  Laszlo Vidacs  <[email protected]>
+        
+        Fix crash in BitmapImage::destroyDecodedData()
+        https://bugs.webkit.org/show_bug.cgi?id=116494
+
+        Reviewed by Csaba Osztrogonác.
+
+        Merge from https://chromium.googlesource.com/chromium/blink/+/6b6887bf53068f8537908e501fdc7317ad2c6d86
+
+        * platform/graphics/BitmapImage.cpp:
+        (WebCore::BitmapImage::destroyDecodedData):
+
 2013-11-06  Sergio Villar Senin  <[email protected]>
 
         [CSS Grid Layout] CSSParser should reject <track-list> without a <track-size>
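Review bot: the line directly under the author header is not empty but carries eight trailing spaces, and the entry gives no description of the fix beyond the bare function name. WebKit ChangeLog entries normally say what changed and why; a one-liner under `(WebCore::BitmapImage::destroyDecodedData):` such as "Clamp the clearing loop to m_frames.size(), since m_currentFrame can exceed it when frames are advanced without decoding" would capture the comment added in the code hunk. Also worth stating whether the crash is covered by an existing test or has no test, as the template expects.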

Modified: trunk/Source/WebCore/platform/graphics/BitmapImage.cpp (158839 => 158840)


--- trunk/Source/WebCore/platform/graphics/BitmapImage.cpp	2013-11-07 10:53:17 UTC (rev 158839)
+++ trunk/Source/WebCore/platform/graphics/BitmapImage.cpp	2013-11-07 11:04:16 UTC (rev 158840)
@@ -77,7 +77,11 @@
 {
     unsigned frameBytesCleared = 0;
     const size_t clearBeforeFrame = destroyAll ? m_frames.size() : m_currentFrame;
-    for (size_t i = 0; i < clearBeforeFrame; ++i) {
+
+    // Because we can advance frames without always needing to decode the actual
+    // bitmap data, |m_currentFrame| may be larger than m_frames.size();
+    // make sure not to walk off the end of the container in this case.
+    for (size_t i = 0; i <  std::min(clearBeforeFrame, m_frames.size()); ++i) {
         // The underlying frame isn't actually changing (we're just trying to
         // save the memory for the framebuffer data), so we don't need to clear
         // the metadata.
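Review bot: `std::min(clearBeforeFrame, m_frames.size())` is re-evaluated on every iteration of the loop, and the new condition also has a stray double space (`i <  std::min`). Since `clearBeforeFrame` is already a `const size_t` computed just above, fold the clamp into that initializer and leave the loop line untouched:
    const size_t clearBeforeFrame = destroyAll ? m_frames.size() : std::min(m_currentFrame, m_frames.size());
    for (size_t i = 0; i < clearBeforeFrame; ++i) {
That keeps the bound computed once, makes the `destroyAll` case obviously in range, and shrinks the diff. Please also confirm `<algorithm>` is included in this file (not visible in the hunk), as `std::min` is new here.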
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes