RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-06-01 09:18:11 +00:00
Code Issues Activity Actions

LibGfx: Restrict cleared area to GIF framebuffer

Browse source 
Found by OSS Fuzz, long-standing issue
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34824

The discovered testcase attempts to clear the framebuffer of size
1056x32 from the previous image, which has size 16416x32.
This commit is contained in:
Ben Wiederhake 2021-10-21 23:38:13 +02:00 committed by Linus Groh
parent 20bfd549e9
commit 1bc4a0d822
1 changed files with 5 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

11
Userland/Libraries/LibGfx/GIFLoader.cpp
View file

@ -266,16 +266,15 @@ static void copy_frame_buffer(Bitmap& dest, const Bitmap& src)
static void clear_rect(Bitmap& bitmap, const IntRect& rect, Color color)
{
if (rect.is_empty())
auto intersection_rect = rect.intersected(bitmap.rect());
if (intersection_rect.is_empty())
return;
VERIFY(bitmap.rect().contains(rect));
RGBA32* dst = bitmap.scanline(rect.top()) + rect.left();
RGBA32* dst = bitmap.scanline(intersection_rect.top()) + intersection_rect.left();
const size_t dst_skip = bitmap.pitch() / sizeof(RGBA32);
for (int i = rect.height() - 1; i >= 0; --i) {
fast_u32_fill(dst, color.value(), rect.width());
for (int i = intersection_rect.height() - 1; i >= 0; --i) {
fast_u32_fill(dst, color.value(), intersection_rect.width());
dst += dst_skip;
}
}