image/test/crashtests/1526717-1.html
author Timothy Nikkel <tnikkel@gmail.com>
Thu, 14 Mar 2019 14:32:37 -0500
changeset 522000 355c9ff9b895
permissions -rw-r--r--
Bug 1526717. Guard against libpng calling the info callback more than once. r=aosmond

libpng uses the first IDAT chunk it encounters as a signal that it has read all header chunks and to send the info callback. The testcase png has an IDAT chunk, then a z chunk (not a known chunk type), and then another IDAT chunk. libpng tracks if we are in an "after idat" state, and throws a benign error if it encounters another IDAT chunk in "after idat" mode, but it just continues normally, processing the idat chunk as if it were the first and therefore sends the info callback again. This seems silly.

https://searchfox.org/mozilla-central/rev/f1c7ba91fad60bfea184006f3728dd6ac48c8e56/media/libpng/pngpread.c#307

<img height="64" width="64" src="fuzz-1311.png?0.5592939664601271">
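
The chunk layout described in the commit message (IDAT, an unknown chunk, then IDAT again) can be flagged before a file reaches a decoder. The checker below is an added example, not part of this changeset or of Mozilla's or libpng's code. The function names, the `zzzz` chunk type and the sample byte strings are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, data: bytes = b"") -> bytes:
    """Frame one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png: bytes):
    """Yield (offset, type, data) per chunk; raise ValueError on bad framing."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError(f"truncated chunk header at offset {pos}")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(png):
            raise ValueError(f"chunk {ctype!r} at offset {pos} overruns the file")
        yield pos, ctype, png[pos + 8:pos + 8 + length]
        pos = end

def split_idat_runs(png: bytes):
    """Offsets of IDAT chunks that begin a second or later IDAT run.

    The PNG specification requires IDAT chunks to be consecutive, so any
    non-IDAT chunk between two IDATs marks the file as malformed.
    """
    findings, seen_idat, prev = [], False, None
    for offset, ctype, _ in iter_chunks(png):
        if ctype == b"IDAT":
            if seen_idat and prev != b"IDAT":
                findings.append(offset)
            seen_idat = True
        prev = ctype
    return findings

# Constructed samples: chunk framing only, dummy payloads, not decodable images.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 64, 64, 8, 2, 0, 0, 0))
IDAT = chunk(b"IDAT", b"\x00")
CONTIGUOUS = PNG_SIGNATURE + IHDR + IDAT + IDAT + chunk(b"IEND")
SPLIT = PNG_SIGNATURE + IHDR + IDAT + chunk(b"zzzz", b"\x00") + IDAT + chunk(b"IEND")
```

A non-empty result from `split_idat_runs` means the decoder's "first IDAT" signal would fire more than once for that file.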