Closed Bug 370896 Opened 17 years ago Closed 17 years ago

potential jpeg problem with zero output_scanline

Categories

(Core :: Graphics, defect)

x86
Linux
defect
Not set
normal

Tracking

RESOLVED INVALID

People

(Reporter: guninski, Unassigned)

Details

This may be invalid, but I have some suspicions about it, so someone more
familiar with the code please comment.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp&rev=1.69&mark=413-417#413
412         if (mInfo.output_scanline == 0xffffff)
413           mInfo.output_scanline = 0;
414 
415         if (!OutputScanlines()) {

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp&rev=1.69&mark=507#507

473 nsJPEGDecoder::OutputScanlines()
....
506       // offset is in Cairo pixels (PRUint32)
507       PRUint32 offset = (mInfo.output_scanline - 1) * mInfo.output_width;

If mInfo.output_scanline == 0 on line 507, this will screw the buffer
via int overflow.

Lines 412-415 show a potential codepath for a zero value.

Is a zero value possible on line 507?
Assignee: general → nobody
Component: General → GFX: Thebes
Product: Mozilla Application Suite → Core
QA Contact: general → thebes
I'm not familiar with that code, you probably meant to CC Alfred.
Flags: blocking1.9?
This seems to prevent it:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp&rev=1.69&mark=499-503#499
499       /* Request one scanline.  Returns 0 or 1 scanlines. */
500       if (jpeg_read_scanlines(&mInfo, mSamples, 1) != 1) {
501         rv = PR_FALSE; /* suspend */
502         break;
503       }
Even if OutputScanlines() is called with mInfo.output_scanline == 0, the call to jpeg_read_scanlines increases it to 1 if it returns 1.
So the statement on line 507 always has output_scanline of at least 1, so that offset will not become negative (or overflow).

So, this is not a problem and cannot be explicitly triggered.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
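The arithmetic from comment 0 and the argument from comment 3, as an added example that is not Mozilla's code: raw_offset mirrors line 507 in the 32-bit unsigned type PRUint32 uses, checked_offset is a hypothetical hardened variant, and fake_read_scanline is a stand-in for the libjpeg contract comment 3 relies on (the counter is advanced before a 1 is returned), not the real jpeg_read_scanlines.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Mirrors line 507: offset = (output_scanline - 1) * output_width, in a
 * 32-bit unsigned type. Unsigned wrap is well-defined in C, so scanline 0
 * yields (0xFFFFFFFF * width) mod 2^32, a huge buffer offset. */
uint32_t raw_offset(uint32_t output_scanline, uint32_t output_width) {
    return (output_scanline - 1u) * output_width;
}

/* Hypothetical hardened variant: refuses a counter of 0 or one past the
 * image height, and a product that would not fit in 32 bits. */
bool checked_offset(uint32_t output_scanline, uint32_t output_width,
                    uint32_t output_height, uint32_t *offset) {
    if (output_scanline == 0 || output_scanline > output_height)
        return false;
    uint64_t wide = (uint64_t)(output_scanline - 1u) * output_width;
    if (wide > UINT32_MAX)
        return false;
    *offset = (uint32_t)wide;
    return true;
}

/* Simulated stand-in for jpeg_read_scanlines(): returns 0 when no scanline
 * is available (the caller suspends, as on lines 500-502) and otherwise
 * increments output_scanline before returning 1, so the offset at line
 * 507 is never computed with a zero counter. */
int fake_read_scanline(uint32_t *output_scanline, uint32_t output_height) {
    if (*output_scanline >= output_height)
        return 0;
    (*output_scanline)++;
    return 1;
}

int main(void) {
    uint32_t width = 640, height = 480, scanline = 0, off;   /* constructed */
    printf("raw offset with scanline 0: %u\n", raw_offset(0, width));
    if (fake_read_scanline(&scanline, height) == 1 &&
        checked_offset(scanline, width, height, &off))
        printf("scanline %u -> offset %u\n", scanline, off);
    return 0;
}
```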
Resolving invalid per comment #3.

someone empowered please remove the `sensitive' flag.
(In reply to comment #4)

Your wish is my command.
Group: security
CC list accessible: false
Not accessible to reporter
Flags: blocking1.9?