Bug 1432679. Do multiplication in nsGIFDecoder2::FinishImageDescriptor as int64_t to avoid overflow. r=aosmond
author Timothy Nikkel <tnikkel@gmail.com>
Wed, 07 Feb 2018 17:00:06 -0600
changeset 402880 3509bf5962d123b1ae2064979523f8b567e4847a
parent 402879 dff22255b582c72ad2a46f09d10b4410029a3e2a
child 402881 5d9cab23db6756aeb64142fa577b593b0695c10d
push id 33405
push user shindli@mozilla.com
push date Thu, 08 Feb 2018 10:04:47 +0000
treeherder mozilla-central@0ac953fcddf1
reviewers aosmond
bugs 1432679
milestone 60.0a1
Bug 1432679. Do multiplication in nsGIFDecoder2::FinishImageDescriptor as int64_t to avoid overflow. r=aosmond

pixels_remaining is already an int64_t.
image/decoders/nsGIFDecoder2.cpp
--- a/image/decoders/nsGIFDecoder2.cpp
+++ b/image/decoders/nsGIFDecoder2.cpp
@@ -875,17 +875,18 @@ nsGIFDecoder2::FinishImageDescriptor(con
   const bool isInterlaced = packedFields & PACKED_FIELDS_INTERLACED_BIT;
 
   // Create the SurfacePipe we'll use to write output for this frame.
   if (NS_FAILED(BeginImageFrame(frameRect, realDepth, isInterlaced))) {
     return Transition::TerminateFailure();
   }
 
   // Clear state from last image.
-  mGIFStruct.pixels_remaining = frameRect.Width() * frameRect.Height();
+  mGIFStruct.pixels_remaining =
+    int64_t(frameRect.Width()) * int64_t(frameRect.Height());
 
   if (haveLocalColorTable) {
     // We have a local color table, so prepare to read it into the palette of
     // the current frame.
     mGIFStruct.local_colormap_size = 1 << depth;
 
     if (mGIFStruct.images_decoded == 0) {
       // The first frame has a local color table. Allocate space for it as we
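Review bot: the new assignment to mGIFStruct.pixels_remaining carries no comment saying why both operands are widened, so a later cleanup could drop the int64_t(...) casts as redundant and quietly bring back the narrower multiply. A one-line comment above the assignment, stating that the product of frameRect.Width() and frameRect.Height() can exceed the range of the operands' own type and must be computed as int64_t, would protect the fix. Two follow-ups are worth settling in this review: whether BeginImageFrame(frameRect, realDepth, isInterlaced), which runs a few lines earlier on the same rectangle, already rejects dimensions this large (if it does, say so in the comment; if it does not, this is the only guard), and whether a regression test with a GIF whose frame dimensions multiply past that range can be added alongside the change.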