authorLaszlo Vidacs <lac@inf.u-szeged.hu>2014-03-10 14:27:03 +0100
committerThe Qt Project <gerrit-noreply@qt-project.org>2014-03-10 15:03:21 +0100
commit8f9fc9c8344b867f5ab887ab864350764fee5464 (patch)
treea24df1c56a84b14e2b692843a54661ab04ff7157
parentca53d4d38524fb765a6e4095d5d0ad4563c2a209 (diff)
downloadqtwebkit-8f9fc9c8344b867f5ab887ab864350764fee5464.tar.gz
Fix crash in BitmapImage::destroyDecodedData()
https://bugs.webkit.org/show_bug.cgi?id=116494 Patch by Laszlo Vidacs <lac@inf.u-szeged.hu> on 2013-11-07 Reviewed by Csaba Osztrogonác. Merge from https://chromium.googlesource.com/chromium/blink/+/6b6887bf53068f8537908e501fdc7317ad2c6d86 * platform/graphics/BitmapImage.cpp: (WebCore::BitmapImage::destroyDecodedData): Change-Id: Ifa093a86c9cf2bfb8df29bc021c58c9c80eeaece git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158840 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Michael Bruning <michael.bruning@digia.com>
-rw-r--r--Source/WebCore/platform/graphics/BitmapImage.cpp6
1 files changed, 5 insertions, 1 deletions
diff --git a/Source/WebCore/platform/graphics/BitmapImage.cpp b/Source/WebCore/platform/graphics/BitmapImage.cpp
index 07610d2d8..2e2f334c3 100644
--- a/Source/WebCore/platform/graphics/BitmapImage.cpp
+++ b/Source/WebCore/platform/graphics/BitmapImage.cpp
@@ -82,7 +82,11 @@ void BitmapImage::destroyDecodedData(bool destroyAll)
{
unsigned frameBytesCleared = 0;
const size_t clearBeforeFrame = destroyAll ? m_frames.size() : m_currentFrame;
- for (size_t i = 0; i < clearBeforeFrame; ++i) {
+
+ // Because we can advance frames without always needing to decode the actual
+ // bitmap data, |m_currentFrame| may be larger than m_frames.size();
+ // make sure not to walk off the end of the container in this case.
+ for (size_t i = 0; i < std::min(clearBeforeFrame, m_frames.size()); ++i) {
// The underlying frame isn't actually changing (we're just trying to
// save the memory for the framebuffer data), so we don't need to clear
// the metadata.
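Review bot: The bound is applied only in the loop condition, so `clearBeforeFrame` itself can still exceed `m_frames.size()` when `destroyAll` is false, and any use of it in the part of `destroyDecodedData` that lies outside this hunk would remain unclamped. Folding the clamp into the definition, `const size_t clearBeforeFrame = destroyAll ? m_frames.size() : std::min<size_t>(m_currentFrame, m_frames.size());`, keeps the original loop header, makes the name match the value actually used, and avoids re-evaluating `std::min` on every iteration. Because the underlying defect is an out-of-range index into `m_frames`, other code that indexes `m_frames` by `m_currentFrame` may rely on the same broken assumption and should be checked. The diffstat lists only this one file, so no regression test accompanies the fix.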