Closed Bug 229652 Opened 21 years ago Closed 21 years ago

Browser crashes accessing broken GIF

Categories

(Core :: Graphics: ImageLib, defect)

Product:
Core
Component:
Graphics: ImageLib
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: noririty, Assigned: tor)

References

(
URL
)

Details

(Keywords: crash, regression)

Attachments

(1 file, 1 obsolete file)

fix style nits
2.38 KB, patch
tor
: review+
bryner
: superreview+
Details | Diff | Splinter Review
Since checkin of bug 205761. Mozilla, Mozilla Firebird on Windows XP and Windows 2000 crash loading certain URL. http://bugzilla.mozilla.gr.jp/attachment.cgi?id=1935&action=view Those pages contain bad GIF image file. This situation may easily occur by interruption while FTP transfer.
wfm Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20031226 Bug 205761 was checked in 2003-10-22 14:12 no crash, instead of image I get an icon of a broken image with text, the URL isn´t fully displayed, it stops at the border of the box: The image “http://bugzilla.mozilla.gr.j cannot be displayed, because it contains errors.
crashes Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20031226 didn´t crash using Mozilla 1.5, so no Talkback. Couldn´t get it to crash when loading in same tab, but multiple times crashed loading in a new tab loading in the background. I was seeing an animated gif just cycling once, then sometimes crashing. Right-clicking on the gif produced the same broken gif icon. I saved it locally as attachment.cgi.html and I renamed a copy to attachment.cgi.html.gif I couldn´t load the copy in Mozilla, but could see it looping in irfanview. After some unsuccessful attempts to crash, I started writing this bug, then, when opening a menu, Mozilla crashed.
Attachment #139062 - Flags: review?(darin)
Blocks: 229520
*** Bug 229520 has been marked as a duplicate of this bug. ***
Comment on attachment 139062 [details] [diff] [review] fix nsRecyclingAllocator, propogate errors to imglib, stop memory scribbling >Index: xpcom/ds/nsRecyclingAllocator.cpp >+ if (zeroit) >+ memset(DATA(freeBlock), 0, bytes); >+ > return DATA(freeBlock); store result of DATA to avoid duplicating pointer arithmetic. i'm not sure if the compiler will anyways optimize away the duplicate arithmetic, so maybe this is a ridiculous point. but, fwiw maybe this would be better: void* data = DATA(freeBlock); if (zeroit) memset(data, 0, bytes); return data; >Index: modules/libpr0n/decoders/gif/GIF2.cpp >+ /* Protect against too much image data */ >+ if ((PRUintn)drow_start >= gs->height) >+ return; >+ nit: would a debug warning or assertion be of use here? NS_WARNING/NS_ERROR("too much image data"); >Index: modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp >+ nsresult rv = inStr->ReadSegments(ReadDataOut, this, count, _retval); >+ >+ /* necko doesn't propogate the errors from ReadDataOut - take matters >+ into our own hands */ >+ if (NS_SUCCEEDED(rv) && mGIFStruct && mGIFStruct->state == gif_error) >+ return NS_ERROR_FAILURE; >+ else >+ return rv; > } nit: "else" after "return" is unnecessary. how about this instead: if (...) rv = NS_ERROR_FAILURE; return rv; r=darin
Attachment #139062 - Flags: review?(darin) → review+
Attached patch fix style nitsSplinter Review
Attachment #139062 - Attachment is obsolete: true
Comment on attachment 139167 [details] [diff] [review] fix style nits Transfering r=darin
Attachment #139167 - Flags: superreview?(bryner)
Attachment #139167 - Flags: review+
Comment on attachment 139167 [details] [diff] [review] fix style nits >Index: modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp >=================================================================== >RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp,v >retrieving revision 1.58 >diff -u -r1.58 nsGIFDecoder2.cpp >--- modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp 14 Jan 2004 17:08:26 -0000 1.58 >+++ modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp 16 Jan 2004 01:39:13 -0000 >@@ -214,7 +214,14 @@ > /* unsigned long writeFrom (in nsIInputStream inStr, in unsigned long count); */ > NS_IMETHODIMP nsGIFDecoder2::WriteFrom(nsIInputStream *inStr, PRUint32 count, PRUint32 *_retval) > { >- return inStr->ReadSegments(ReadDataOut, this, count, _retval); >+ nsresult rv = inStr->ReadSegments(ReadDataOut, this, count, _retval); >+ >+ /* necko doesn't propogate the errors from ReadDataOut - take matters "propagate" sr=bryner
Attachment #139167 - Flags: superreview?(bryner) → superreview+
Checked in with spelling fixed.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Not sure why you're mentioning a JPEG decoder problem in a GIF bug, but the problem with those files is that they're in YCCK colorspace (bug 44781).
was because of the error message being displayed maybe it could be customized to say that this type of jpeg file format isn't supported ?? anyway, really helpful feeback, regards
*** Bug 234043 has been marked as a duplicate of this bug. ***
*** Bug 235098 has been marked as a duplicate of this bug. ***
*** Bug 272955 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: