Bug 787722 - Prevent out-of-bounds read/writes under nsSVGFELightingElement::Filter. r=roc.

--HG--
extra : rebase_source : 8354ba5e16ca00a09a7b794b2408db63e76ca9df
Jonathan Watt 2012-09-13 12:23:28 +01:00
parent 3871d8f191
commit 81a90a8fd3


@ -149,7 +149,13 @@ nsSVGFE::SetupScalingFilter(nsSVGFilterInstance *aInstance,
r.RoundOut();
if (!gfxUtils::GfxRectToIntRect(r, &result.mDataRect))
return result;
// Rounding in the code above can mean that result.mDataRect is not contained
// within the bounds of the surfaces that we're about to create. We must
// clamp to these bounds to prevent out-of-bounds reads and writes:
result.mDataRect.IntersectRect(result.mDataRect,
nsIntRect(nsIntPoint(), scaledSize));
result.mSource = new gfxImageSurface(scaledSize,
gfxASurface::ImageFormatARGB32);
result.mTarget = new gfxImageSurface(scaledSize,