Bug 525326. Fix crash on animated gifs with very large image sizes. r=vlad,alfredkayser a=ss GECKO1914_20091006_RELBRANCH
author Jeff Muizelaar <jmuizelaar@mozilla.com>
Mon, 02 Nov 2009 12:56:56 -0500
branch GECKO1914_20091006_RELBRANCH
changeset 26518 edf189567edc4e7984f111709b9a1c58cf6ea6ed
parent 26517 40f1c74ccf91c71f8c02485e5c7be85f0fb6dffc
child 26519 c204f7bb0064824dde9d28d394cf6611306492e9
push id 2080
push user jdrew@mozilla.com
push date Mon, 02 Nov 2009 18:01:36 +0000
reviewers vlad, alfredkayser, ss
bugs 525326, 514776
milestone 1.9.1.4
Bug 525326. Fix crash on animated gifs with very large image sizes. r=vlad,alfredkayser a=ss
Bug 514776 removed the check for a null mImageFrame for no good reason. mImageFrame can be null when the sizes of the image are very large, so this change adds the check back.
modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp
--- a/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp
+++ b/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp
@@ -1067,17 +1067,17 @@ nsresult nsGIFDecoder2::GifWrite(const P
         depth = (q[8]&0x07) + 1;
       PRUint32 realDepth = depth;
       while (mGIFStruct.tpixel >= (1 << realDepth) && (realDepth < 8)) {
         realDepth++;
       } 
       // Mask to limit the color values within the colormap
       mColorMask = 0xFF >> (8 - realDepth);
       BeginImageFrame(realDepth);
-      if (!mImageData) {
+      if (!mImageData || !mImageFrame) {
         mGIFStruct.state = gif_error;
         break;
       }
 
       if (q[8] & 0x40) {
         mGIFStruct.interlaced = PR_TRUE;
         mGIFStruct.ipass = 1;
       } else {
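Review bot: The restored `!mImageFrame` test right after `BeginImageFrame(realDepth);` has no comment saying why it is needed, and the commit message says this same check was already removed once (bug 514776) as if it were redundant. A one-line comment above the `if`, stating that the frame can be null when the image dimensions are very large, would keep it from being dropped again. The failure is also inferred here from two members being null while the call's own result is not used in this hunk; if `BeginImageFrame` can report failure directly, testing that result would be less fragile than relying on both members staying in sync. Only the decoder source is touched in this changeset, so a crashtest with an oversized animated GIF would be worth landing alongside it to guard against a second regression.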