Closed Bug 78166 Opened 23 years ago Closed 23 years ago

Browser crashes loading page

Product/Component: Core :: Graphics: ImageLib
Type: defect
Platform: x86, OS: All
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Target Milestone: mozilla0.9.1
Reporter: phil
Assignee: saari
Keywords: crash
Whiteboard: [imglib]
Attachments: 1 file

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.8.1+) Gecko/20010429
BuildID:    2001042920

Browser crashes with an invalid page fault in module IMGGIF.DLL at 0177:60471f56
when loading page


Reproducible: Always
Steps to Reproduce:
1. Browse to http://www.multimap.com

Actual Results:  MOZILLA caused an invalid page fault in
module IMGGIF.DLL at 0177:60471f56.
Registers:
EAX=00000000 CS=0177 EIP=60471f56 EFLGS=00010202
EBX=00000000 SS=017f ESP=0068f784 EBP=0068f7a8
ECX=00000006 DS=017f ESI=00989d50 FS=32e7
EDX=00000002 ES=017f EDI=00989d5c GS=0000
Bytes at CS:EIP:
8b 08 ff 51 68 ff 75 10 8b 46 08 ff 75 0c 8b 08 
Stack dump:
00000000 00000000 012ea045 00989ee0 00000000 00000000 0000000f 0000000f 0098f4c1
00000001 60471857 00989d50 00000001 00000000 00000000 0068f85c
Linux build also crashed.

Program received signal SIGSEGV, Segmentation fault.
0x40d82fdf in nsGIFDecoder2::SetObserver ()
   from /home/mozilla/dist/bin/components/libimggif.so
(gdb) bt
#0  0x40d82fdf in nsGIFDecoder2::SetObserver ()
   from /home/mozilla/dist/bin/components/libimggif.so
#1  0x40d821a5 in gif_write ()
   from /home/mozilla/dist/bin/components/libimggif.so
#2  0x40d82c22 in nsGIFDecoder2::ProcessData ()
   from /home/mozilla/dist/bin/components/libimggif.so
#3  0x40d82bde in nsGIFDecoder2::Write ()
   from /home/mozilla/dist/bin/components/libimggif.so
#4  0x400d59e1 in nsInputStreamTee::WriteSegmentFun ()
   from /home/mozilla/dist/bin/libxpcom.so
#5  0x400ce35c in nsPipe::nsPipeInputStream::ReadSegments ()
   from /home/mozilla/dist/bin/libxpcom.so
#6  0x400d6024 in nsInputStreamTee::ReadSegments ()
   from /home/mozilla/dist/bin/libxpcom.so
#7  0x40d82ce3 in nsGIFDecoder2::WriteFrom ()
   from /home/mozilla/dist/bin/components/libimggif.so
#8  0x40d5488d in imgRequest::OnDataAvailable ()
   from /home/mozilla/dist/bin/components/libimglib2.so
#9  0x40d51767 in ProxyListener::OnDataAvailable ()
   from /home/mozilla/dist/bin/components/libimglib2.so
#10 0x4083939d in nsHTTPFinalListener::OnDataAvailable ()
   from /home/mozilla/dist/bin/components/libnecko.so
#11 0x408001b9 in nsStreamListenerTee::OnDataAvailable ()
   from /home/mozilla/dist/bin/components/libnecko.so
#12 0x4083781d in nsHTTPServerListener::OnDataAvailable ()
   from /home/mozilla/dist/bin/components/libnecko.so
#13 0x407e738a in nsOnDataAvailableEvent::HandleEvent ()
   from /home/mozilla/dist/bin/components/libnecko.so
#14 0x407e63fe in nsARequestObserverEvent::HandlePLEvent ()
   from /home/mozilla/dist/bin/components/libnecko.so
#15 0x400ed042 in PL_HandleEvent () from /home/mozilla/dist/bin/libxpcom.so
#16 0x400eced9 in PL_ProcessPendingEvents ()
   from /home/mozilla/dist/bin/libxpcom.so
#17 0x400eed78 in nsEventQueueImpl::ProcessPendingEvents ()
   from /home/mozilla/dist/bin/libxpcom.so
#18 0x40e9f8ff in nsAppShell::SetDispatchListener ()
   from /home/mozilla/dist/bin/components/libwidget_gtk.so
#19 0x40e9f58d in keysym2ucs ()
   from /home/mozilla/dist/bin/components/libwidget_gtk.so
#20 0x40690afa in g_io_unix_dispatch (source_data=0x8255a70, 
    current_time=0xbffff78c, user_data=0x82649b0) at giounix.c:135
#21 0x406921b6 in g_main_dispatch (dispatch_time=0xbffff78c) at gmain.c:656
#22 0x40692781 in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#23 0x40692921 in g_main_run (loop=0x8238750) at gmain.c:935
#24 0x405ba7b9 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#25 0x40ea03ae in nsAppShell::Run ()
   from /home/mozilla/dist/bin/components/libwidget_gtk.so
#26 0x41c88308 in nsAppShellService::Run ()
   from /home/mozilla/dist/bin/components/libnsappshell.so
#27 0x805116e in StringAllocator_char ()
#28 0x8051de9 in StringAllocator_char ()
#29 0x4027b9cb in __libc_start_main (
    main=0x8051c70 <StringAllocator_char(void)+23352>, argc=1, 
    argv=0xbffff9a4, init=0x804b958 <_init>, fini=0x8057164 <_fini>, 
    rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffff99c)
    at ../sysdeps/generic/libc-start.c:92
Status: UNCONFIRMED → NEW
Ever confirmed: true
*** Bug 78167 has been marked as a duplicate of this bug. ***
The following JavaScript causes a crash.

function logrt (){
 loaddate=new Date();
 loadimg =new Image();
 loadimg.src='http://www.multimap.com/map/uk.cgi?counter=1&referer='+document.referrer;
}

I got the same crash on loading <http://www.multimap.com/map/uk.cgi?counter=1>.

OS: Windows 98 → All
I don't have any problems in GNU/Linux i386 (RedHat-6.1), Mozilla build
2001032614. The page is loaded without fuss.
crashed with win2k build 20010429.. (CVS debug)

win32 Stack :

EndImageFrame(void * 0x03ba93b0, unsigned int 1, unsigned int 0, unsigned int 0) 
line 303 + 21 bytes
gif_write(gif_struct * 0x0392c388, const unsigned char * 0x03c80c85, unsigned 
int 61) line 1476 + 42 bytes
nsGIFDecoder2::ProcessData(nsGIFDecoder2 * const 0x03ba93b0, unsigned char * 
0x03c80c85, unsigned int 61) line 161 + 20 bytes
ReadDataOut(nsIInputStream * 0x0393fe88, void * 0x03ba93b0, const char * 
0x03c80c85, unsigned int 0, unsigned int 61, unsigned int * 0x0012f5c4) line 148 
+ 17 bytes
nsInputStreamTee::WriteSegmentFun(nsIInputStream * 0x0393fe88, void * 
0x03ba9368, const char * 0x03c80c85, unsigned int 0, unsigned int 61, unsigned 
int * 0x0012f5c4) line 81 + 33 bytes
nsPipe::nsPipeInputStream::ReadSegments(nsPipe::nsPipeInputStream * const 
0x0393fe88, unsigned int (nsIInputStream *, void *, const char *, unsigned int, 
unsigned int, unsigned int *)* 0x1004d950 
nsInputStreamTee::WriteSegmentFun(nsIInputStream *, void *, const char *, 
unsigned int, unsigned int, unsigned int *), void * 0x03ba9368, unsigned int 61, 
unsigned int * 0x0012f7d8) line 4
nsInputStreamTee::ReadSegments(nsInputStreamTee * const 0x03ba9368, unsigned int 
(nsIInputStream *, void *, const char *, unsigned int, unsigned int, unsigned 
int *)* 0x03431bc0 ReadDataOut(nsIInputStream *, void *, const char *, unsigned 
int, unsigned int, unsigned int *), void * 0x03ba93b0, unsigned int 61, unsigned 
int * 0x0012f7d8) line 138
nsGIFDecoder2::WriteFrom(nsGIFDecoder2 * const 0x03ba93b0, nsIInputStream * 
0x03ba9368, unsigned int 61, unsigned int * 0x0012f7d8) line 190
imgRequest::OnDataAvailable(imgRequest * const 0x0474feb0, nsIRequest * 
0x0474fcf0, nsISupports * 0x00000000, nsIInputStream * 0x03ba9368, unsigned int 
0, unsigned int 61) line 757 + 47 bytes
ProxyListener::OnDataAvailable(ProxyListener * const 0x046d27a0, nsIRequest * 
0x0474fcf0, nsISupports * 0x00000000, nsIInputStream * 0x03ba9368, unsigned int 
0, unsigned int 61) line 374
nsHTTPFinalListener::OnDataAvailable(nsHTTPFinalListener * const 0x0474fa40, 
nsIRequest * 0x0474fcf0, nsISupports * 0x00000000, nsIInputStream * 0x03ba9368, 
unsigned int 0, unsigned int 61) line 1173 + 46 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x03b4b5e8, 
nsIRequest * 0x0474fcf0, nsISupports * 0x00000000, nsIInputStream * 0x0393fe88, 
unsigned int 0, unsigned int 61) line 56 + 51 bytes
nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x03ba5ce8, 
nsIRequest * 0x03c97718, nsISupports * 0x0474fcf0, nsIInputStream * 0x0393fe88, 
unsigned int 133, unsigned int 61) line 542 + 64 bytes
nsOnDataAvailableEvent::HandleEvent() line 173 + 70 bytes
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x046c76a4) line 64
PL_HandleEvent(PLEvent * 0x046c76a4) line 588 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00e70de0) line 518 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00050164, unsigned int 49389, unsigned int 0, 
long 15142368) line 1069 + 9 bytes
USER32! 77e048dc()
USER32! 77e04aa7()
USER32! 77e166fd()
nsAppShellService::Run(nsAppShellService * const 0x00e35c78) line 408
main1(int 2, char * * 0x003576c8, nsISupports * 0x00000000) line 1005 + 32 bytes
main(int 2, char * * 0x003576c8) line 1306 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e892a6()
Keywords: crash
changing status to imglib
Whiteboard: [imglib]
GIF crasher
Assignee: pavlov → saari
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.1
r=, sr= needed
Fixed
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified fixed mac build 2001052405
Verified fixed w98 build 2001052404
Verified fixed linux build 2001052310
Status: RESOLVED → VERIFIED