Bug 1288588 - Check for width,height==0 in fcTL chunk. r=jrmuizel, a=abillings
authorGlenn Randers-Pehrson <glennrp+bmo@gmail.com>
Tue, 16 Aug 2016 10:07:44 -0400
changeset 347670 8d65d9b7e5d2dcfeb773a7b6d4c2030d489ae335
parent 347669 fbcb77687057ec9298f8686bc0fe62cc11b59c20
child 347671 46e19362c2ba4af8d98ab9e804d014a4ff04d1d6
push id6389
push userraliiev@mozilla.com
push dateMon, 19 Sep 2016 13:38:22 +0000
treeherdermozilla-beta@01d67bfe6c81 [default view] [failures only]
reviewersjrmuizel, abillings
bugs1288588
milestone50.0a2
Bug 1288588 - Check for width,height==0 in fcTL chunk. r=jrmuizel, a=abillings
image/decoders/nsPNGDecoder.cpp
--- a/image/decoders/nsPNGDecoder.cpp
+++ b/image/decoders/nsPNGDecoder.cpp
@@ -969,16 +969,21 @@ nsPNGDecoder::frame_info_callback(png_st
 
   // Save the information necessary to create the frame; we'll actually create
   // it when we return from the yield.
   const IntRect frameRect(png_get_next_frame_x_offset(png_ptr, decoder->mInfo),
                           png_get_next_frame_y_offset(png_ptr, decoder->mInfo),
                           png_get_next_frame_width(png_ptr, decoder->mInfo),
                           png_get_next_frame_height(png_ptr, decoder->mInfo));
 
+  if (frameRect.width == 0 || frameRect.height == 0)
+    png_error(png_ptr, "Frame width must not be 0");
+  if (frameRect.height == 0)
+    png_error(png_ptr, "Frame height must not be 0");
+
   const bool isInterlaced = bool(decoder->interlacebuf);
 
   decoder->mNextFrameInfo = Some(FrameInfo{ decoder->format,
                                             frameRect,
                                             isInterlaced });
 
   // Yield to the caller to notify them that the previous frame is now complete.
   return decoder->DoYield(png_ptr);
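Review bot: The first added guard tests `frameRect.width == 0 || frameRect.height == 0` but reports "Frame width must not be 0", so a zero-height fcTL frame is rejected with the wrong message. Since libpng's png_error does not return, the following `if (frameRect.height == 0)` branch can never be reached. Both empty cases are still rejected, so this is a matter of dead code and diagnostic accuracy rather than a missing check; the first condition should read `if (frameRect.width == 0)`. A one-line comment above the checks, such as `// Reject zero-sized fcTL frame rects before the frame is created.`, would record why they sit ahead of the mNextFrameInfo assignment. frame_info_callback begins and ends outside this hunk, so whether the frame offsets plus size are also bounded against the image dimensions cannot be judged from here.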