author: Nico Weber <thakis@chromium.org> 2023-06-01 21:04:04 -0400
committer: Sam Atkins <atkinssj@gmail.com> 2023-06-02 09:57:20 +0100
commit: c9b8af70bf61a75656945697d3dc173104fba22b
tree: 2636242f9b2db1164102bf96daae8369e66fe336 /Userland
parent: 5617dd1c839eb27168f933bf8a93d2707ddba25a
WebContent: Prevent renderer crash on partially invalid image
If an image had a valid header and valid metadata, but decoding the image frame data failed, the renderer used to crash. The crash only happened in SerenityOS, because there ImageCodecPluginSerenity returned nullptr bitmaps. Instead, return {} like ImageCodecPluginLadybird already does if there's a nullptr frame. Fixes #19141. Loading #19141 in the browser satisfyingly also serves as a manual test for the bug. (No automated test since we don't run layout tests within SerenityOS on the bots.)
Diffstat (limited to 'Userland')
-rw-r--r-- Userland/Services/WebContent/ImageCodecPluginSerenity.cpp 2
1 files changed, 2 insertions, 0 deletions
diff --git a/Userland/Services/WebContent/ImageCodecPluginSerenity.cpp b/Userland/Services/WebContent/ImageCodecPluginSerenity.cpp
index 426cf5fb27..3b04f5a2e1 100644
--- a/Userland/Services/WebContent/ImageCodecPluginSerenity.cpp
+++ b/Userland/Services/WebContent/ImageCodecPluginSerenity.cpp
@@ -31,6 +31,8 @@ Optional<Web::Platform::DecodedImage> ImageCodecPluginSerenity::decode_image(Rea
decoded_image.is_animated = result.is_animated;
decoded_image.loop_count = result.loop_count;
for (auto const& frame : result.frames) {
+ if (!frame.bitmap)
+ return {};
decoded_image.frames.empend(move(frame.bitmap), frame.duration);
}
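Review bot: The added `if (!frame.bitmap) return {};` inside the frame loop rejects the whole image as soon as one frame is null, so an animated image whose earlier frames decoded correctly is dropped as well. If that is intended for parity with ImageCodecPluginLadybird, a one-line comment at the check saying so (and pointing to #19141) would keep the reason next to the code, since the commit message notes there is no automated test; otherwise consider checking every frame before filling `decoded_image.frames`. Separately, in the unchanged context the loop binds `auto const& frame` and then calls `move(frame.bitmap)`, which cannot actually move from a const reference; this is not introduced here, but it is worth tidying while this loop is being touched.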