194407 - crash if source contains IMG tag with invalid file name, ALT=" " and certain WIDTH and HEIGHT values

Status: RESOLVED DUPLICATE of bug 175108

(Core Graveyard :: GFX: Gtk, defect)

Description

[Simon Anders]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030211
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030211

The following line in an HTML source Mozilla to crash:
  <img src="does_not_exist"  height=60 width=234 alt=" ">

The file does_not_exist is of course meant to be non-existant.

Reproducible: Always

Steps to Reproduce:
1. Store the following file on your disk:
---8<---Begin Test File---
<html>
<head><title>Test</title></head>
<body>

   <img src="does_not_exist"  height=60 width=234 alt=" ">

</body>
</html>
---8<---End Test File---

2. View the File with Mozilla (by typing in the filename in the file:/// form)
Actual Results:  
Mozilla crashes instantly.


I get the follwing message in my shell:

[sanders@merlot tmp]$ mozilla file:///home/sanders/tmp/eis_.html
/usr/share/themes/Sunhouse/gtk-2.0/gtkrc:51: error: unexpected identifier
`make_tab_labels_bold', expected character `}'
Xlib:  extension "RENDER" missing on display ":0.0".
The program '<unknown>' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadValue (integer parameter out of range for operation)'.
  (Details: serial 1448 error_code 2 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Expected Results:  
Show a box for the missing image with the ALT text inside (which is only white
space here).

The values for WIDTH and HEIGHT in the IMG tag in the above test file seem to be
relevant. If I change them Mozilla does not crash. Also, if I replace the ALT
text with 'ALT="ABS"' Mozilla does not crash either.

Comment 1

[Boris Zbarsky [:bzbarsky]]

Why are we looking for RENDER?  Is this a xft build or some other non-standard
build?

Comment 2

[Simon Anders]

The bug occured with the mozilla from the RPM package 
http://ftp.mozilla.org/pub/mozilla/releases/mozilla1.3b/Red_Hat_8x_RPMS/gtk2/SRPMS/mozilla-1.3b-0_gtk2_xft.src.rpm

I found this package following the link to RedHat packages on
http://www.mozilla.org/releases/

I have just changed (for other reasons) to the Mozilla as it gets installed by 
http://ftp.mozilla.org/pub/mozilla/releases/mozilla1.3b/mozilla-i686-pc-linux-gnu-1.3b-sea.tar.gz

That's the link on the enty page of www.mozilla.org.

And now, the bug disappeared!

Therefore, it must be something special of the build in the above mentioned RPM. 
Note that it is the PRM for "gtk2" not for "xft" (although I, being quite
ignorant about X11 development, don't know what this means).

HTH.

Comment 3

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

->gtk2

Comment 4

[Christopher Blizzard (:blizzard)]

I'm not getting any kind of crash here.  Can you start that build with --sync
and get me a stack trace?

Comment 5

[Simon Anders]

Attachment: Stack Trace of the described bug

blizzard, this is the stack trace you asked for.

As I'm not too experienced with this kind of stuff, I put the full terminal log
into the file. So you can see what I have done.

After giving gdb the cont command I switched to the browser window and entered
the 'file:' URL pointing to the test file of my initial description.

HTH.

Comment 6

[Christopher Blizzard (:blizzard)]

dup.  This is an upstream Xft bug.

*** This bug has been marked as a duplicate of 175108 ***