Bug 1240629. Don't buffer image file data that we are never going to look at in the gap between the header and the pixel data for BMP files. r=njn

The length of the gap is computed from the BMP file header, so a malformed BMP could make us grow our input file buffer to a huge size for no reason.
Timothy Nikkel 2016-02-12 16:58:34 -06:00
parent 2036ec54ac
commit 02307afbff
2 changed files with 11 additions and 1 deletions


@ -450,6 +450,7 @@ nsBMPDecoder::WriteInternal(const char* aBuffer, uint32_t aCount)
case State::BITFIELDS: return ReadBitfields(aData, aLength);
case State::COLOR_TABLE: return ReadColorTable(aData, aLength);
case State::GAP: return SkipGap();
case State::AFTER_GAP: return AfterGap();
case State::PIXEL_ROW: return ReadPixelRow(aData);
case State::RLE_SEGMENT: return ReadRLESegment(aData);
case State::RLE_DELTA: return ReadRLEDelta(aData);
@ -719,12 +720,19 @@ nsBMPDecoder::ReadColorTable(const char* aData, size_t aLength)
PostDataError();
return Transition::TerminateFailure();
}
uint32_t gapLength = mH.mDataOffset - mPreGapLength;
return Transition::To(State::GAP, gapLength);
return Transition::ToUnbuffered(State::AFTER_GAP, State::GAP, gapLength);
}
LexerTransition<nsBMPDecoder::State>
nsBMPDecoder::SkipGap()
{
return Transition::ContinueUnbuffered(State::GAP);
}
LexerTransition<nsBMPDecoder::State>
nsBMPDecoder::AfterGap()
{
// If there are no pixels we can stop.
//
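Review bot: The new `Transition::ToUnbuffered(State::AFTER_GAP, State::GAP, gapLength)` return in ReadColorTable has no comment saying why the gap is read unbuffered, and that reason is the security-relevant part of the change: `gapLength` is derived from the file header, so a malformed file chooses it. I would add above it `// gapLength comes from the untrusted file header; skip the gap unbuffered so a malformed BMP cannot make us buffer all of it.` The subtraction `mH.mDataOffset - mPreGapLength` is done in uint32_t, and the TerminateFailure branch just above presumably rejects `mPreGapLength > mH.mDataOffset`, but its condition lies outside the hunk, so that is worth confirming. The hunk also does not show how a zero-length gap behaves with the unbuffered transition, and no test accompanies the change; a BMP whose data offset equals the pre-gap length and one with a very large data offset would pin both cases. ReadColorTable begins above the hunk and AfterGap's body continues past it.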


@ -165,6 +165,7 @@ private:
BITFIELDS,
COLOR_TABLE,
GAP,
AFTER_GAP,
PIXEL_ROW,
RLE_SEGMENT,
RLE_DELTA,
@ -194,6 +195,7 @@ private:
LexerTransition<State> ReadBitfields(const char* aData, size_t aLength);
LexerTransition<State> ReadColorTable(const char* aData, size_t aLength);
LexerTransition<State> SkipGap();
LexerTransition<State> AfterGap();
LexerTransition<State> ReadPixelRow(const char* aData);
LexerTransition<State> ReadRLESegment(const char* aData);
LexerTransition<State> ReadRLEDelta(const char* aData);