Closed
Bug 1414427
Opened 7 years ago
Closed 6 years ago
Assertion failure: !mIsStartingImageLoad (some evil code is reentering LoadImage.) [@ nsImageLoadingContent::LoadImage]
Categories
(Core :: Graphics: ImageLib, defect)
RESOLVED DUPLICATE of bug 1414762
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox56 | --- | unaffected |
firefox57 | --- | unaffected |
firefox58 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, sec-high, testcase)
Attachments
(3 files)
This must be served from an HTTP server to repro. "python -m SimpleHTTPServer 8000" will run a web server in the current directory.

Assertion failure: !mIsStartingImageLoad (some evil code is reentering LoadImage.), at /src/dom/base/nsImageLoadingContent.cpp:903
#0 nsImageLoadingContent::LoadImage(nsIURI*, bool, bool, nsImageLoadingContent::ImageLoadType, bool, nsIDocument*, unsigned int, nsIPrincipal*) /src/dom/base/nsImageLoadingContent.cpp:903:3
#1 nsImageLoadingContent::LoadImage(nsTSubstring<char16_t> const&, bool, bool, nsImageLoadingContent::ImageLoadType, nsIPrincipal*) /src/dom/base/nsImageLoadingContent.cpp:889:10
#2 mozilla::dom::HTMLImageElement::LoadSelectedImage(bool, bool, bool) /src/dom/html/HTMLImageElement.cpp:1012:12
#3 mozilla::dom::ImageLoadTask::Run() /src/dom/html/HTMLImageElement.cpp:98:17
#4 mozilla::CycleCollectedJSContext::ProcessStableStateQueue() /src/xpcom/base/CycleCollectedJSContext.cpp:312:12
#5 XPCJSContext::AfterProcessTask(unsigned int) /src/js/xpconnect/src/XPCJSContext.cpp:1205:30
#6 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1053:24
#7 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10
#8 bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*)::$_0>(mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*)::$_0&&, nsIThread*) /src/obj-firefox/dist/include/nsThreadUtils.h:323:25
#9 mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /src/dom/xhr/XMLHttpRequestMainThread.cpp:3106:12
#10 mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /src/dom/xhr/XMLHttpRequestMainThread.cpp:2935:11
#11 mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1249:9
#12 mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3040:13
Flags: in-testsuite?
Reporter
Comment 1•7 years ago
Reporter
Comment 2•7 years ago
Comment 3•7 years ago
Basically the same as bug 1413981 except we call LoadImage instead of TrackImage.
Comment 4•7 years ago
(In reply to Timothy Nikkel (:tnikkel) from comment #3)
> Basically the same as bug 1413981 except we call LoadImage instead of
> TrackImage.

Except this isn't a security problem because we specifically detect it and prevent it from going further with an early return after the assert.
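The guard that comment 4 describes (detect the re-entrant call, then return early), as an added C++ illustration that is not part of the bug thread and is not Gecko's code. The class `ImageLoader`, the `duringStart` hook, `RunScenario` and the file names are hypothetical; only the flag name `mIsStartingImageLoad` is taken from the assertion text.

```cpp
#include <functional>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for an image-loading element (not Gecko code).
class ImageLoader {
 public:
  // Stands in for work done while a load starts that may run other queued
  // tasks, e.g. a nested event loop spun by a synchronous request.
  std::function<void()> duringStart;
  std::vector<std::string> started;  // loads that finished their start phase
  int refused = 0;                   // re-entrant calls that were turned away

  bool LoadImage(const std::string& uri) {
    if (mIsStartingImageLoad) {  // the real code asserts here; this sketch counts
      ++refused;
      return false;              // early return: load state is left untouched
    }
    FlagGuard guard(mIsStartingImageLoad);
    mPendingURI = uri;
    if (duringStart) duringStart();  // may call LoadImage() again
    started.push_back(mPendingURI);  // still the outer URI
    return true;
  }

 private:
  // RAII so the flag is cleared on every exit path, including exceptions.
  struct FlagGuard {
    bool& flag;
    explicit FlagGuard(bool& f) : flag(f) { flag = true; }
    ~FlagGuard() { flag = false; }
  };
  bool mIsStartingImageLoad = false;
  std::string mPendingURI;
};

// Constructed scenario: a nested load, a failing start, then a normal load.
ImageLoader RunScenario() {
  ImageLoader img;
  img.duringStart = [&img] { img.LoadImage("nested.png"); };
  img.LoadImage("outer.png");  // the nested call is refused
  img.duringStart = [] { throw std::runtime_error("start failed"); };
  try { img.LoadImage("throws.png"); } catch (const std::runtime_error&) {}
  img.duringStart = nullptr;
  img.LoadImage("after.png");  // flag was reset by the guard, so this runs
  return img;
}
int main() { return RunScenario().refused == 1 ? 0 : 1; }
```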
Updated•7 years ago
Blocks: 1404422
Has Regression Range: --- → yes
status-firefox56:
--- → unaffected
status-firefox57:
--- → unaffected
status-firefox-esr52:
--- → unaffected
Updated•7 years ago
Component: DOM → ImageLib
Comment 5•7 years ago
This should be fixed by bug 1414762.
Reporter
Comment 7•6 years ago
Verified fixed with m-c BuildID=20171204202120 SourceStamp=7d191882de19faa537753b2deaea9444277a6533
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(twsmith)
Resolution: --- → DUPLICATE
Updated•4 years ago
Group: gfx-core-security