Closed
Bug 1332587
Opened 7 years ago
Closed 7 years ago
Crash in memcpy | NS_CopySegmentToBuffer rising in Firefox 49
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
VERIFIED
FIXED
mozilla53
People
(Reporter: baku, Assigned: baku)
Details
(Keywords: crash)
Attachments
(1 file)
806 bytes, patch (smaug: review+, jcristau: approval-mozilla-beta+)
Updated•7 years ago (Assignee)
Assignee: nobody → amarchesini
Comment 1•7 years ago (Assignee)
Attachment #8828752 - Flags: review?(bugs)
Comment 2•7 years ago
Comment on attachment 8828752 fr.patch
ok, the limit is coming from ArrayBufferObject::setByteLength but make >= just >
Attachment #8828752 - Flags: review?(bugs) → review+
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/9b5cc104aaf6
FileReader cannot allocate more than INT32_MAX for an ArrayBuffer, r=smaug
Comment 4•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/9b5cc104aaf6
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox53: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment 5•7 years ago
Setting 51 to affected since this is something we may want to keep on the radar for a dot release ride-along if such a thing comes into being. Otherwise, this feels edge-casey enough that we could uplift to 52 and let it ride the trains from there.
status-firefox50: --- → wontfix
status-firefox51: --- → affected
status-firefox52: --- → affected
tracking-firefox51: --- → ?
tracking-firefox52: --- → ?
tracking-firefox53: --- → ?
Updated•7 years ago
Flags: needinfo?(amarchesini)
Comment 6•7 years ago (Assignee)
We can uplift this only if we also uplift 1332602. Are we OK with it?
Flags: needinfo?(amarchesini) → needinfo?(ryanvm)
Updated•7 years ago
Flags: needinfo?(amarchesini)
Comment 8•7 years ago (Assignee)
Comment on attachment 8828752 fr.patch
Approval Request Comment
[Feature/Bug causing the regression]: FileReader
[User impact if declined]: a crash if the size of the buffer is > INT32_MAX
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: yes in bug 1332602
[Needs manual test from QE? If yes, steps to reproduce]: follow bug 1332602
[List of other uplifts needed for the feature/fix]: 1332602 _must_ be uplifted as well.
[Is the change risky?]: no
[Why is the change risky/not risky?]: Just a size check
[String changes made/needed]: none
Flags: needinfo?(amarchesini)
Attachment #8828752 - Flags: approval-mozilla-aurora?
Updated•7 years ago
Attachment #8828752 - Flags: approval-mozilla-aurora? → approval-mozilla-beta?
Comment 9•7 years ago
Comment on attachment 8828752 fr.patch
check for files > 2GB in FileReader, beta52+
Attachment #8828752 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 10•7 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/391cffbadd09
Comment 12•7 years ago
Flagging this for verification per Comment 8. Instructions available in Comment 0.
Flags: qe-verify+
Updated•7 years ago
Comment 13•7 years ago
Too late for 51 and the volume of crash is low now. Mark 51 as won't fix.
Comment 15•7 years ago
I've reproduced the issue described in comment https://bugzilla.mozilla.org/show_bug.cgi?id=1330273#c25 using 53.0a1 Nightly (Build Id:20170116030326, Crash Signature: bp-e44065d7-1831-436b-afc1-f7b9d2170223) and on 52.0a2 Aurora (Build Id:20170117004014, Crash Signature: bp-1762c275-0711-44e8-a147-63a892170223). I have verified that the issue is not reproducible using 52.0b8 (Build Id:20170220070057) and using 53.0a2 (Build Id:20170221004019) on Windows 10 64bit.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Updated•5 years ago
Component: DOM → DOM: Core & HTML