336145 - NULL deref in case of low-memory situation in gfx/src/qt/nsImageQt.cpp

Status: RESOLVED WONTFIX

(Core Graveyard :: Ports: Qt, defect)

Description

[Denis Vlasenko]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20060320 Firefox/1.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20060320 Firefox/1.5

nsresult nsImageQt::Init(PRInt32 aWidth,PRInt32 aHeight,
                         PRInt32 aDepth,
                         nsMaskRequirements aMaskRequirements)
{
...
    mImageBits = (PRUint8*)new PRUint8[mRowBytes * mHeight];
    mAlphaBits = new PRUint8[mAlphaRowBytes * mHeight];

    pixmapDirty = PR_TRUE;

    PR_LOG(gQtLogModule, QT_BASIC, ("nsImageQt::Init succeeded"));
    return NS_OK;
}

mImageBits and mAlphaBits may end up being NULL.
However, other member functions do not check for that:

void nsImageQt::updatePixmap()
{
    //qDebug("updatePixmap");
    QImage qimage(mWidth, mHeight, 32);
    const PRInt32 bytesPerPixel = mDepth / 8;
    PRUint8 *image = mImageBits;
    PRUint8 *alpha = mAlphaBits;

    PRInt32 i,j;
    QRgb *line;

    qimage.setAlphaBuffer(mAlphaDepth != 0);
    switch(mAlphaDepth) {
    case 0:
...
    case 1:
        for (i = 0; i < mHeight; i++) {
            line = (QRgb*)qimage.scanLine(i);

            PRUint8 *imagePtr = image;
            for (j = 0; j < mWidth; j++) {
                uchar a = (alpha[j / 8] & (1 << (7 - (j % 8)))) ? 0xff : 0;


Reproducible: Always

Comment 1

[Gordon P. Hemsley [:GPHemsley]]

This bug has been buried in the graveyard and has not been updated in over 5 years. It is probably safe to assume that it will never be fixed, so resolving as WONTFIX.

[Mass-change filter: graveyard-wontfix-2014-09-24]