124767 - GIF images >4095 pixels wide crash Mozilla [@ HaveDecodedRow]

Status: RESOLVED FIXED

(Core :: Graphics: ImageLib, defect)

Description

[Steve Dagley]

GIF images >4095 pixels wide crash Mozilla on the Mac (both under Mac OS 9.x and
Mac OS X).  This problem does not occur on the Windows build of Mozilla 0.9.8. 
Here's the stack of the crash under Mac OS X:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
 #0   0x039aa858 in HaveDecodedRow(void *, unsigned char *, int, int, int, int,
unsigned char, int)
 #1   0x039aa71c in 0x39aa71c
 #2   0x039aae88 in output_row(gif_struct *)
 #3   0x039ab1cc in do_lzw(gif_struct *, unsigned char const *)
 #4   0x039abd00 in 0x39abd00
 #5   0x039aa130 in nsGIFDecoder2::ProcessData(unsigned char *, unsigned int)
 #6   0x039a9ea4 in ReadDataOut(nsIInputStream *, void *, char const *, unsigned
int, unsigned int, unsigned int *)
 #7   0x005d9044 in nsPipe::nsPipeInputStream::ReadSegments( (
(*)(nsIInputStream *)))
 #8   0x039aa1f8 in nsGIFDecoder2::WriteFrom(nsIInputStream *, unsigned int,
unsigned int *)
 #9   0x03054418 in OnDataAvailable__10imgRequestFP10nsIRequestP11nsISupportsP14ns
 #10  0x03050a74 in OnDataAvailable__13ProxyListenerFP10nsIRequestP11nsISupportsP1
 #11  0x02c84b80 in OnDataAvailable__13ImageListenerFP10nsIRequestP11nsISupportsP1
 #12  0x02ac8de8 in OnDataAvailable__18nsDocumentOpenInfoFP10nsIRequestP11nsISuppo
 #13  0x010397cc in OnDataAvailable__13nsFileChannelFP10nsIRequestP11nsISupportsP1
 #14  0x01048b20 in nsOnDataAvailableEvent::HandleEvent(void)
 #15  0x01057150 in nsARequestObserverEvent::HandlePLEvent(PLEvent *)
 #16  0x005f8a30 in PL_HandleEvent
 #17  0x005f889c in PL_ProcessPendingEvents
 #18  0x0059f17c in nsEventQueueImpl::ProcessPendingEvents(void)
 #19  0x0299c84c in nsMacNSPREventQueueHandler::ProcessPLEventQueue(void)
 #20  0x0299c610 in nsMacNSPREventQueueHandler::RepeatAction(EventRecord const &)
 #21  0x01196b14 in Repeater::DoRepeaters(EventRecord const &)
 #22  0x029afaf8 in nsMacMessagePump::DispatchEvent(int, EventRecord *)
 #23  0x029af6d0 in nsMacMessagePump::DoMessagePump(void)
 #24  0x029af00c in nsAppShell::Run(void)
 #25  0x0296ce4c in nsAppShellService::Run(void)
 #26  0x004cebb4 in main1(int, char **, nsISupports *)
 #27  0x004cf68c in main

Comment 1

[R.K.Aa.]

dup of bug 83804?

Comment 2

[Steve Dagley]

Not that it isn't related but I don't think it's exactly a dupe since my test of 
the Windows 0.9.8 build did not crash on a 4096x1 pixel GIF image like the Mac 
builds did.

Comment 3

[Stuart Parmenter]

dup of 113406

*** This bug has been marked as a duplicate of 113406 ***

Comment 4

[Steve Dagley]

Pav, look again - #113406 is a failure to display an image.  This is a crasher.

Comment 5

[hirata masakazu]

Then this must be a dupe of bug 120781.

*** This bug has been marked as a duplicate of 120781 ***

Comment 6

[Simon Fraser [no longer active]]

Reopening. This bug is not a dup of bug 120781. Wide JPEG image do not cause
crashes, but wide GIF images do. The bug cannot therefore lie in the Mac GFX
code, since that has no notion of image formats. The problem here is that the
GIF code does insufficient error checking.

Comment 7

[Simon Fraser [no longer active]]

*** Bug 152381 has been marked as a duplicate of this bug. ***

Comment 8

[saari (gone)]

Umm, bryner and I fixed this Friday night in the GIF code. Giving to him for
closure as appropriate

Comment 9

[Matthias Versen [:Matti]]

*** Bug 154660 has been marked as a duplicate of this bug. ***

Comment 10

[R.K.Aa.]

*** Bug 154716 has been marked as a duplicate of this bug. ***

Comment 11

[Brian Ryner (not reading)]

What saari said.