Bug 1526717. Guard against libpng calling the info callback more than once. r=aosmond

libpng uses the first IDAT chunk it encounters as a signal that it has read all header chunks and to send the info callback. The testcase png has an IDAT chunk, then a z chunk (not a known chunk type), and then another IDAT chunk. libpng tracks if we are in an "after idat" state, and throws a benign error if it encounters another IDAT chunk in "after idat" mode, but it just continues normally, processing the idat chunk as if it were the first and therefore sends the info callback again. This seems silly. https://searchfox.org/mozilla-central/rev/f1c7ba91fad60bfea184006f3728dd6ac48c8e56/media/libpng/pngpread.c#307
2025-02-26 12:20:56 +00:00 · 2019-03-14 14:32:37 -05:00 · 2019-03-14 14:32:37 -05:00 · 48052cc9cb
commit 48052cc9cb
parent 4c2b26578f
5 changed files with 12 additions and 0 deletions
--- a/image/decoders/nsPNGDecoder.cpp
+++ b/image/decoders/nsPNGDecoder.cpp
@ -117,6 +117,7 @@ nsPNGDecoder::nsPNGDecoder(RasterImage* aImage)
      mPass(0),
      mFrameIsHidden(false),
      mDisablePremultipliedAlpha(false),
+      mGotInfoCallback(false),
      mNumFrames(0) {}

 nsPNGDecoder::~nsPNGDecoder() {
@ -537,6 +538,13 @@ void nsPNGDecoder::info_callback(png_structp png_ptr, png_infop info_ptr) {
  nsPNGDecoder* decoder =
      static_cast<nsPNGDecoder*>(png_get_progressive_ptr(png_ptr));

+  if (decoder->mGotInfoCallback) {
+    MOZ_LOG(sPNGLog, LogLevel::Warning, ("libpng called info_callback more than once\n"));
+    return;
+  }
+
+  decoder->mGotInfoCallback = true;
+
  // Always decode to 24-bit RGB or 32-bit RGBA
  png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
               &interlace_type, &compression_type, &filter_type);
--- a/image/decoders/nsPNGDecoder.h
+++ b/image/decoders/nsPNGDecoder.h
@ -103,6 +103,7 @@ class nsPNGDecoder : public Decoder {
  uint8_t mPass;
  bool mFrameIsHidden;
  bool mDisablePremultipliedAlpha;
+  bool mGotInfoCallback;

  struct AnimFrameInfo {
    AnimFrameInfo();
--- a/image/test/crashtests/1526717-1.html
+++ b/image/test/crashtests/1526717-1.html
@ -0,0 +1 @@
+<img height="64" width="64" src="fuzz-1311.png?0.5592939664601271">
--- a/image/test/crashtests/1526717-1.png
+++ b/image/test/crashtests/1526717-1.png
--- a/image/test/crashtests/crashtests.list
+++ b/image/test/crashtests/crashtests.list
@ -58,3 +58,5 @@ load truncated-second-frame.png # Bug 863975

 # Bug 1509998 - Ensure that we handle empty frame rects in animated images.
 load 1509998.gif
+
+load 1526717-1.html
				`@ -0,0 +1 @@`
				`<img height="64" width="64" src="fuzz-1311.png?0.5592939664601271">`