163697 - corrupt favicon crashes Camino (Jaguar only) [@ loadIco]

Status: RESOLVED WONTFIX

(Camino Graveyard :: Toolbars & Menus, defect)

Description

[Simon Fraser [no longer active]]

Load the URL with favicons turned on, and you'll crash:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x146863c5

Thread 0 Crashed:
 #0   0x70e06fcc in loadIco
 #1   0x70d266d8 in -[NSICOImageReader loadImage:]
 #2   0x70bd272c in -[NSBitmapImageRep _initWithImageReader:]
 #3   0x70c2a99c in +[NSBitmapImageRep _imagesWithData:hfsFileType:extension:zone:]
 #4   0x70c1d00c in +[NSBitmapImageRep imageRepsWithData:]
 #5   0x70d28dcc in -[NSImage initWithData:]
 #6   0x00062f20 in -[SiteIconProvider
doneRemoteLoad:forTarget:withUserData:data:status:]
 #7   0x0005ffac in StreamLoaderContext::LoadComplete(unsigned int, void const
*, unsigned int)
 #8   0x00060404 in RemoteURILoadManager::OnStreamComplete(nsIStreamLoader *,
nsISupports *, unsigned int, unsigned int, char const *)
 #9   0x04fb7b34 in nsStreamLoader::OnStopRequest(nsIRequest *, nsISupports *,
unsigned int)
 #10  0x04fb684c in nsStreamListenerTee::OnStopRequest(nsIRequest *, nsISupports
*, unsigned int)
 #11  0x0501accc in nsHttpChannel::OnStopRequest(nsIRequest *, nsISupports *,
unsigned int)
 #12  0x04f92834 in nsOnStopRequestEvent::HandleEvent(void)
 #13  0x04f91258 in nsARequestObserverEvent::HandlePLEvent(PLEvent *)
 #14  0x0142547c in PL_HandleEvent
 #15  0x014251fc in PL_ProcessPendingEvents
 #16  0x014278a8 in nsEventQueueImpl::ProcessPendingEvents(void)
 #17  0x0892a404 in -[EventQueueHandler eventTimer:]
 #18  0x708d06e8 in __NSFireTimer
 #19  0x70196cbc in __CFRunLoopDoTimer
 #20  0x7017c244 in __CFRunLoopRun
 #21  0x701b70ec in CFRunLoopRunSpecific
 #22  0x7017b8cc in CFRunLoopRunInMode
 #23  0x7312d904 in RunEventLoopInModeUntilEventArrives
 #24  0x73140818 in ReceiveNextEventCommon
 #25  0x731715fc in BlockUntilNextEventMatchingListInMode
 #26  0x70bd70b8 in _DPSNextEvent
 #27  0x70bfe5d8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
 #28  0x70c23468 in -[NSApplication run]
 #29  0x70c91ed0 in NSApplicationMain
 #30  0x00002c20 in main
 #31  0x00002ab4 in _start
 #32  0x000028e4 in start

Comment 1

[Ian Neal]

Related to bug 159256?

Comment 2

[Simon Fraser [no longer active]]

No; bug 159256 is a crash in our code. This crashes in AppKit code.

Comment 3

[Toby Thain]

That .ico seems to be corrupt. Crashes Preview.app on MacOS 10.2.3, also
Iconographer even hangs on showing a directory listing with that .ico in it, or
when drag-and-dropped on it. I can extract the first icon from it, which is
slightly garbled, but the second one gives an unexpected EOF.

Comment 4

[Brant Gurganus]

By the definitions on <http://bugzilla.mozilla.org/bug_status.html#severity> and
<http://bugzilla.mozilla.org/enter_bug.cgi?format=guided>, crashing and dataloss
bugs are of critical or possibly higher severity.  Only changing open bugs to
minimize unnecessary spam.  Keywords to trigger this would be crash, topcrash,
topcrash+, zt4newcrash, dataloss.

Comment 5

[Adam Katz]

that icon is no longer used by the linked site (not even commented out in html).

hopefully somebody saved it or can find another instance of this bug?

if there is no way to check validity in OSX without crashing
and other programs crash when trying to read the same corrupt icon file,
then forget about it (ie WONTFIX), it would not mozilla's fault 
but rather one or more of the language, libraries, and environment.

Comment 6

[Simon Fraser [no longer active]]

It still crashes for me. It crashes Safari too  :)

Comment 7

[Simon Fraser [no longer active]]

Attachment: Bad favicon.ico, in case it goes away

Comment 8

[Mike Palumbo]

This is not just OSX specific, I just crashed a copy of IrfanView for Win32 with
that ico!

The ico file in question contains 2 icons.  One is 16x16; this shows up just
fine in Firebird .6.

The other icon is 2097152x2097152!  The ico is completely corrupt.

Comment 9

[Michael Blakeley]

This seems to be the same bug I've been seeing lately, with the favicon for
http://dslreports.com and http://broadbandreports.com - Camino nightly
2003060204 and Safari beta both crash in NSICOImageReader, as in the
previously-entered crash log. Downloaded, the favorite.ico from dslreports.com
crashes Apple's Preview, but doesn't crash GraphicConverter. My system is
10.2.6, iBook 500Mhz/384 MB.

As filed, this looks like a Mac OS X bug: NSImage shouldn't crash, no matter
what input it's given. I see that Apple has some interest in fixing bugs like
this
<http://developer.apple.com/techpubs/macosx/ReleaseNotes/AppKit.10.2.3.html>, if
someone can file with them. 

But would it possible to put exception handling around Mozilla's calls to
NSImage and friends, to avoid the crash?

Workaround: use Privoxy or another ad blocker to block the bad .ico files

Comment 10

[dan.m]

All test URLs WFM, Build ID: 2003082702

Comment 11

[Simon Fraser [no longer active]]

Did you upload the attached favicon.ico to a site to test it? If not, then you
dind't correctly test this bug. (Note that the favicon also crashes Preview if
you try to open it in the Finder.)

Comment 12

[Ludovic Hirlimann [:Usul]]

The favicon has been removed from the site.
The attached ico file still rahes preview on 10.2.6

Comment 13

[louis bennett]

i've set up the favicon at the following URL:
http://blue.nutrition.tufts.edu/bugzilla/163697.html

camino isn't crashing for me...

Comment 14

[Simon Fraser [no longer active]]

Crashes in Jaguar, not in Panther.

Comment 15

[Jasper]

Ok I just tested with 20040319 NB on 10.2.8 and I had no crash with the test
page posted in Comment #13 or the urls provided in Comment #9. On panther all
seems to work as well. anybody care to provide a new testcase otherwise I'll
mark as WFM.

Comment 16

[louis bennett]

sorry, comment 13 is now invalid -- i had to disable the favicon because it kept
crashing camino. (-:

camino still crashes in 10.2.8, but does not in 10.3.3.

for the time being, use http://test.louisbennett.com/ as a test site.

Comment 17

[Josh Aas]

this is not our bug - closing