128825 - Browser crash if I view an image

Status: VERIFIED FIXED

(Core :: Internationalization, defect)

Description

[Mario Mueller]

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.8) Gecko/20020204
BuildID:    2002020406

On the website http://www.macx.info/, the author has some images (the headlines
in the middle), which were created by PHP. The URL to the image contains spaces.

http://www.macx.info/include/headlines/phpttf.php?use=Die Qualität enscheidet

If I view the complete website, all is ok, but if I say "View image", the
browser crashes.

Reproducible: Always
Steps to Reproduce:
1. Go to http://www.macx.info/
2. click right on the headline-images (e.g. Die Qualität enscheidet)
3. select "View image"

Actual Results:  the browser show the image and crashes immediately

Expected Results:  the browser show the image

Because I have notice the author, that he use spaces in the URL, it could
possible, he has corrected this in the meantime.

Comment 1

[Paul Wyskoczka]

I see an illegal operation in plugin (Flash)
-> plugins

Comment 2

[Matthias Versen [:Matti]]

wfm with win2k and build 20020304.. and Shockwave Flash 6.0 r2

-> Plugins (why XP APPS ?) and if you confirm add a build ID and your flash
version..

Comment 3

[shrirang khanzode]

I crash immediately while loading the image in new page/frame.
stakc is pointing to DOM...cc'ing jst
stack:
http://climate.netscape.com/reports/incidenttemplate.cfm?bbid=3624069

Comment 4

[R.B.]

Hang (not crash) on Linux 2002030108. The browser is unresponsive, but does not
eat CPU time. The context menu has a life of its own, and stays on top of any
other window. After terminating and restarting Moz, talkback appears; talkback
ID TB3635548Q.

In the page source, the image is called with:
<img src="../include/headlines/phpttf.php?use=Die Qualita"t enscheidet">
I don't think this has anything to do with plugins, but rather with the way the
browser tries to retreive (or save) the image.

Comment 5

[serge (gone)]

Attachment: patch proposal v1

This bug definitely has nothing  to do with the plugins, this is pure i18 bug,
the attachment is the proposal to patch the problem,  the crash happened
because nsUnicodeToUTF8::Convert() call overwrite the memory, see the patch for
more explanation.

Comment 6

[serge (gone)]

shanjian it's yours now. 

Comment 7

[Shanjian Li]

Attachment: complete patch

Thanks serge for identifying the problem and providing the original patch.

Comment 8

[Shanjian Li]

nominate this one as nsbeta1

Comment 9

[Frank Tang]

nsbeta1+ since it is a crasher.

Comment 10

[Shanjian Li]

frank, could you review my patch?

Comment 11

[Johnny Stenback (:jst)]

Comment on attachment 73551 [details] [diff] [review]
complete patch

Does this patch even compile? I see |len| being used furhter down in
nsLocation.cpp, yet you're removing the definition of it.

Comment 12

[Shanjian Li]

Attachment: update patch to correct a embarassing mistake.

Comment 13

[Johnny Stenback (:jst)]

Comment on attachment 73777 [details] [diff] [review]
update patch to correct a embarassing mistake.

sr=jst

Comment 14

[Frank Tang]

Comment on attachment 73777 [details] [diff] [review]
update patch to correct a embarassing mistake.

make sense r=ftang

Comment 15

[Mike Shaver (:shaver -- probably not reading bugmail closely)]

Comment on attachment 73777 [details] [diff] [review]
update patch to correct a embarassing mistake.

a=shaver for 1.0 trunk.

Comment 16

[Shanjian Li]

fix checked in. 

Comment 17

[shrirang khanzode]

no crash, verified fixed (0315 trunk)