Closed Bug 1133830 Opened 10 years ago Closed 10 years ago

crash in mozilla::image::ImageFactory::CreateRasterImage(nsIRequest*, imgStatusTracker*, nsCString const&, mozilla::image::ImageURL*, unsigned int, unsigned int) at 0x5a5a5a5e

Categories

(Core :: Graphics: ImageLib, defect)

x86
Windows NT
defect
Not set
critical


RESOLVED DUPLICATE of bug 1123835

People

(Reporter: wsmwk, Unassigned)

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

#61 crash for 35.0.1. Some crashes, e.g. bp-9f0e408f-13a8-46c3-9473-ebd7a2150215, cite Exploitability high.

Looks like crash rate is substantially less prior to version 30, or perhaps even 31.0, per August crash reports. Regression?

This bug was filed from the Socorro interface and is report bp-f00e1006-181b-44c6-b5c6-c142f2150213.
=============================================================
0 xul.dll mozilla::image::ImageFactory::CreateRasterImage(nsIRequest*, imgStatusTracker*, nsCString const&, mozilla::image::ImageURL*, unsigned int, unsigned int) image/src/ImageFactory.cpp
1 xul.dll mozilla::image::ImageFactory::CreateImage(nsIRequest*, imgStatusTracker*, nsCString const&, mozilla::image::ImageURL*, bool, unsigned int) image/src/ImageFactory.cpp
2 xul.dll imgRequest::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned __int64, unsigned int) image/src/imgRequest.cpp
3 xul.dll ProxyListener::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned __int64, unsigned int) image/src/imgLoader.cpp
4 xul.dll nsStreamListenerTee::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned __int64, unsigned int) netwerk/base/src/nsStreamListenerTee.cpp
5 xul.dll mozilla::net::nsHttpChannel::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned __int64, unsigned int) netwerk/protocol/http/nsHttpChannel.cpp
6 xul.dll nsInputStreamPump::OnStateTransfer() netwerk/base/src/nsInputStreamPump.cpp
7 xul.dll nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) netwerk/base/src/nsInputStreamPump.cpp

http://hg.mozilla.org/releases/mozilla-release/annotate/5ea9473a99ff/image/src/ImageFactory.cpp#l117
108   // Compute the image's initialization flags.
109   uint32_t imageFlags = ComputeImageFlags(aURI, aIsMultiPart);
110
111   // Select the type of image to create based on MIME type.
112   if (aMimeType.EqualsLiteral(IMAGE_SVG_XML)) {
113     return CreateVectorImage(aRequest, aStatusTracker, aMimeType,
114                              aURI, imageFlags, aInnerWindowId);
115   } else {
116     return CreateRasterImage(aRequest, aStatusTracker, aMimeType,
117                              aURI, imageFlags, aInnerWindowId);

http://hg.mozilla.org/releases/mozilla-release/annotate/5ea9473a99ff/image/src/ImageFactory.cpp#l196
196   nsRefPtr<RasterImage> newImage = new RasterImage(aStatusTracker, aURI);
Flags: needinfo?(seth)
Crashing on an address like 0x5a5a5a5x usually indicates a use-after-free. Since we only know about this from crash-stats it may be hard to make progress here, but maybe that's enough info to reason about possible causes.
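Added example, not code from this bug or from Mozilla: a small crash-triage helper in C that applies the heuristic in the comment above, treating a faulting address that sits a small offset above a repeated allocator fill byte (0x5a5a5a5e = 0x5a5a5a5a + 4) as a likely read through a pointer loaded from freed, junk-filled memory. The fill bytes 0x5a (freed) and 0xa5 (fresh allocation) are assumed from classic jemalloc junk filling and the 0x1000 field-offset bound is chosen for illustration; all sample addresses except the one from this bug's title are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not code from this bug or from Mozilla. A faulting address
 * that is a small offset above a repeated allocator fill byte was most likely
 * loaded from memory that had already been freed and junk-filled, which points
 * at a use-after-free rather than a wild or null pointer. */

enum crash_class {
    CRASH_NEAR_NULL,     /* address within the first 64 KiB: null-deref style */
    CRASH_FREED_POISON,  /* built from the freed-memory fill byte */
    CRASH_UNINIT_POISON, /* built from the fresh-allocation fill byte */
    CRASH_UNKNOWN        /* no recognised pattern: needs a real stack/heap look */
};

/* Assumed fill bytes (classic jemalloc junk filling); adjust per allocator. */
#define FREE_JUNK_BYTE  0x5a
#define ALLOC_JUNK_BYTE 0xa5

/* Largest offset above the pattern still attributed to a field access through
 * the poisoned pointer. Illustrative value, not an allocator constant. */
#define MAX_FIELD_OFFSET 0x1000u

/* Build the pattern a width_bytes-wide pointer would hold if every byte were b. */
static uint64_t repeat_byte(uint8_t b, unsigned width_bytes) {
    uint64_t v = 0;
    for (unsigned i = 0; i < width_bytes; i++)
        v = (v << 8) | b;
    return v;
}

/* If addr lies within MAX_FIELD_OFFSET at or above the 64- or 32-bit repeated
 * pattern of byte b, store the distance in *offset and return true. */
static bool near_pattern(uint64_t addr, uint8_t b, uint64_t *offset) {
    const unsigned widths[] = { 8, 4 };
    for (unsigned i = 0; i < 2; i++) {
        uint64_t base = repeat_byte(b, widths[i]);
        if (addr >= base && addr - base <= MAX_FIELD_OFFSET) {
            *offset = addr - base;
            return true;
        }
    }
    return false;
}

enum crash_class classify_crash_address(uint64_t addr) {
    uint64_t off;
    if (addr < 0x10000) return CRASH_NEAR_NULL;
    if (near_pattern(addr, FREE_JUNK_BYTE, &off)) return CRASH_FREED_POISON;
    if (near_pattern(addr, ALLOC_JUNK_BYTE, &off)) return CRASH_UNINIT_POISON;
    return CRASH_UNKNOWN;
}

/* Distance from the matched fill pattern (0 when nothing matched). A small,
 * pointer-aligned value such as 4 or 8 is consistent with a field or
 * vtable-slot read through the poisoned pointer. */
uint64_t poison_offset(uint64_t addr) {
    uint64_t off = 0;
    if (near_pattern(addr, FREE_JUNK_BYTE, &off) ||
        near_pattern(addr, ALLOC_JUNK_BYTE, &off))
        return off;
    return 0;
}

const char *crash_class_name(enum crash_class c) {
    switch (c) {
    case CRASH_NEAR_NULL:     return "near-null dereference";
    case CRASH_FREED_POISON:  return "likely use-after-free (freed-memory fill)";
    case CRASH_UNINIT_POISON: return "likely uninitialised read (allocation fill)";
    default:                  return "no fill pattern; inspect stack and heap";
    }
}

int main(void) {
    /* First address is from this bug's title; the others are constructed. */
    const uint64_t samples[] = { 0x5a5a5a5eULL, 0x8ULL, 0xa5a5a5b0ULL,
                                 0x5a5a5a5a5a5a5a62ULL, 0x6b2f1a40ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum crash_class c = classify_crash_address(samples[i]);
        printf("0x%016llx -> %s (offset 0x%llx)\n",
               (unsigned long long)samples[i], crash_class_name(c),
               (unsigned long long)poison_offset(samples[i]));
    }
    return 0;
}
```

The heuristic only narrows triage: a fill-pattern address says the pointer came from junk-filled memory, not which object was freed early or where; that still takes a reproduction or a heap-tracking build, as the comment above notes.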
Component: Graphics → ImageLib
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(seth)
Resolution: --- → DUPLICATE
Group: core-security