Bug 370896 - potential jpeg problem with zero output_scanline
Status: RESOLVED INVALID (closed)
Opened 17 years ago; closed 17 years ago
Product/Component: Core :: Graphics (defect)
Reporter: guninski; Assignee: Unassigned
Description

This may be invalid, but I have some suspicions about it, so someone more familiar with the code please comment.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp&rev=1.69&mark=413-417#413

    412       if (mInfo.output_scanline == 0xffffff)
    413         mInfo.output_scanline = 0;
    414
    415       if (!OutputScanlines()) {

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp&rev=1.69&mark=507#507

    473 nsJPEGDecoder::OutputScanlines()
    ....
    506       // offset is in Cairo pixels (PRUint32)
    507       PRUint32 offset = (mInfo.output_scanline - 1) * mInfo.output_width;

If mInfo.output_scanline == 0 on line 507, this will screw the buffer via int overflow. Lines 412-415 show a potential codepath for a zero value. Is a zero value possible on line 507?
Updated by reporter (17 years ago)
Assignee: general → nobody
Component: General → GFX: Thebes
Product: Mozilla Application Suite → Core
QA Contact: general → thebes
Comment 1 (17 years ago)
I'm not familiar with that code; you probably meant to CC Alfred.
Updated 17 years ago
Flags: blocking1.9?
Comment 2 by reporter (17 years ago)
This seems to prevent it:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp&rev=1.69&mark=499-503#499

    499       /* Request one scanline. Returns 0 or 1 scanlines. */
    500       if (jpeg_read_scanlines(&mInfo, mSamples, 1) != 1) {
    501         rv = PR_FALSE; /* suspend */
    502         break;
    503       }
Comment 3 (17 years ago)
Even if OutputScanlines() is called with mInfo.output_scanline == 0, the call to jpeg_read_scanlines increases it to 1 if it returns 1. So the statement on line 507 always has an output_scanline of at least 1, so that offset will not become negative (or overflow). So, this is not a problem and cannot be explicitly triggered.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
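The argument in comment 3 rests on an ordering invariant: the offset on line 507 is computed only after jpeg_read_scanlines() has returned a row and advanced output_scanline. The following is an added example written for this page, not Mozilla's or libjpeg's code: fake_jpeg_info, fake_read_scanlines() and the 640x480 image are constructed stand-ins for the real structures, and PRUint32 is assumed to be a 32-bit unsigned type. It shows what the wrapped offset looks like if output_scanline were 0 at that point, why the loop never computes it in that state, and a bounds check that catches a wrapped offset before a row write.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: PRUint32 is NSPR's 32-bit unsigned integer. */
typedef uint32_t PRUint32;

/* Constructed stand-in for the three jpeg_decompress_struct fields this
   bug turns on; it is not the real libjpeg struct. */
typedef struct {
    PRUint32 output_scanline; /* rows handed to the caller so far */
    PRUint32 output_height;
    PRUint32 output_width;
} fake_jpeg_info;

/* Stand-in for jpeg_read_scanlines(): it advances output_scanline by the
   number of rows it returns, and returns 0 when no row is available.
   This model delivers at most one row per call. */
static int fake_read_scanlines(fake_jpeg_info *info, int max_lines)
{
    (void)max_lines;
    if (info->output_scanline >= info->output_height)
        return 0;
    info->output_scanline += 1;
    return 1;
}

/* The offset expression from line 507, in the same 32-bit unsigned
   arithmetic. With output_scanline == 0 it wraps to a huge value. */
static PRUint32 row_offset(PRUint32 output_scanline, PRUint32 output_width)
{
    return (output_scanline - 1) * output_width;
}

/* Bounds check a practitioner would add before a row write: does
   [offset, offset + width) lie inside a buffer of buffer_pixels pixels?
   Written so the check's own arithmetic cannot overflow. */
static int row_fits(PRUint32 offset, PRUint32 width, PRUint32 buffer_pixels)
{
    return offset < buffer_pixels && width <= buffer_pixels - offset;
}

/* Model of the OutputScanlines() loop: the offset is computed only after
   a successful read, which is the invariant comment 3 relies on.
   Returns rows written, or -1 if an offset would not fit the buffer. */
static int model_output_scanlines(fake_jpeg_info *info, PRUint32 buffer_pixels)
{
    int rows = 0;
    for (;;) {
        /* Request one scanline. Returns 0 or 1 scanlines. */
        if (fake_read_scanlines(info, 1) != 1)
            break; /* suspend */
        PRUint32 offset = row_offset(info->output_scanline, info->output_width);
        if (!row_fits(offset, info->output_width, buffer_pixels))
            return -1;
        rows++;
    }
    return rows;
}

/* Scenario from lines 412-413: decoding resumes with output_scanline
   reset to 0, on a constructed 640x480 image. */
static int rows_written_from_zero(void)
{
    fake_jpeg_info info = { 0, 480, 640 };
    return model_output_scanlines(&info, 640u * 480u);
}

int main(void)
{
    printf("offset with output_scanline == 0: %u\n", (unsigned)row_offset(0, 640));
    printf("offset with output_scanline == 1: %u\n", (unsigned)row_offset(1, 640));
    printf("rows written starting from 0: %d\n", rows_written_from_zero());
    return 0;
}
```

The first line of output is the wrapped value the reporter was worried about; row_fits() rejects it, so even a decoder that did reach line 507 with a zero scanline would be stopped by a check of this shape. The loop model starts at 0 and still writes every row correctly, because the first read moves output_scanline to 1 before the subtraction happens.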
Comment 4 by reporter (17 years ago)
Resolving invalid per comment #3. Someone empowered, please remove the 'sensitive' flag.
Comment 5 (17 years ago)
(In reply to comment #4) Your wish is my command.
Group: security
CC list accessible: false
Not accessible to reporter
Updated 17 years ago
Flags: blocking1.9?