Inconsistent functionality when loading the same corrupt image
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
1.29 KB,
application/x-zip-compressed
|
Details |
Found while fuzzing m-c 20231021-4124eee4f58c (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
This code snippet highlights the required code but the test case reproduces the issue in a much better way.
<script>
window.onload = () => {
const image = document.getElementById('img00')
const canvas = document.createElement('canvas')
canvas.getContext('2d').drawImage(image, 0, 0) // <-- does not always raise
}
</script>
<img id='img00' src='sample.jpg'>
The attached test case can also be unpacked and run from a web server (python -m http.server).
|
||
Comment 1•2 years ago
|
||
I think this might be due to a race condition that effects corrupt images, bug 1645576 (and maybe bug 1182531 is relevant too).
|
||
Comment 2•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20231023215318-1f052dc81e97.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: 41ff1810fc5e1ee4ccdea2f1f81fcfc6d04d0fa1 (20221025094808)
End: 4124eee4f58ca46e13cb937c757a2fe1875120f0 (20231021203236)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
|
Reporter | |
Comment 3•2 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/Y0UYJURvKKIrLG5ijUvx6w/index.html
|
||
Updated•2 years ago
|
Description
•