Commit b1bdd112 authored by oliver's avatar oliver

Fix for <rdar://problem/5585334>

Reviewed by Darin.

Fix for <rdar://problem/5585334> numfuzz: integer overflows opening
malformed SVG file in WebCore::ImageBuffer::create. Add protection
against a potential overflow.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@27704 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 3f065f4a
2007-11-11 Oliver Hunt <oliver@apple.com>
Reviewed by Darin.
Fix for <rdar://problem/5585334> numfuzz: integer overflows opening
malformed SVG file in WebCore::ImageBuffer::create. Add protection
against a potential overflow.
* platform/graphics/cg/ImageBufferCG.cpp:
2007-11-11 Antti Koivisto <antti@apple.com> 2007-11-11 Antti Koivisto <antti@apple.com>
Reviewed by Darin. Reviewed by Darin.
......
...@@ -37,10 +37,16 @@ namespace WebCore { ...@@ -37,10 +37,16 @@ namespace WebCore {
auto_ptr<ImageBuffer> ImageBuffer::create(const IntSize& size, bool grayScale) auto_ptr<ImageBuffer> ImageBuffer::create(const IntSize& size, bool grayScale)
{ {
if (size.width() <= 0 || size.height() <= 0)
return auto_ptr<ImageBuffer>();
unsigned int bytesPerRow = size.width(); unsigned int bytesPerRow = size.width();
if (!grayScale) if (!grayScale) {
// Protect against overflow
if (bytesPerRow > 0x3FFFFFFF)
return auto_ptr<ImageBuffer>();
bytesPerRow *= 4; bytesPerRow *= 4;
}
void* imageBuffer = fastCalloc(size.height(), bytesPerRow); void* imageBuffer = fastCalloc(size.height(), bytesPerRow);
if (!imageBuffer) if (!imageBuffer)
return auto_ptr<ImageBuffer>(); return auto_ptr<ImageBuffer>();
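Review bot: The new guard before `bytesPerRow *= 4` hard-codes `0x3FFFFFFF`, which is the correct bound only where `unsigned int` is 32 bits wide. Writing it as `if (bytesPerRow > std::numeric_limits<unsigned>::max() / 4)` ties the limit to the multiplication it protects. The check also covers only the per-row size: the `size.height() * bytesPerRow` product is left to `fastCalloc`, whose overflow handling is not visible in this hunk. I would either add an explicit bound on that product or state the dependency with a comment such as `// fastCalloc must fail if height * bytesPerRow overflows`. The body of `ImageBuffer::create` continues past the hunk, so any later size computed from `bytesPerRow` and the height needs the same bound.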
......