Closed
Bug 225015
Opened 21 years ago
Closed 21 years ago
Out-of-bounds access in nsCOMArray in imgContainerGIF::inlinedGetCurrentFrame
Categories
(Core :: Graphics: ImageLib, defect)
Tracking: RESOLVED FIXED
People
(Reporter: sicking, Assigned: tor)
Details
Attachments (1 file, 1 obsolete file)
patch, 630 bytes: sicking: review+, bryner: superreview+
Opening mail I get an assertion while trying to load the following gif:
jar:resource:///chrome/en-US.jar!/locale/en-US/messenger/mail_mozilla.gif

On line 137 of imgContainerGIF.h:

inline gfxIImageFrame* inlinedGetCurrentFrame()
{
  if (mLastCompositedFrameIndex == mCurrentAnimationFrameIndex)
    return mCompositingFrame;
  return mFrames[mCurrentAnimationFrameIndex];   <-here
}

The assertion is that we're accessing out-of-bounds in the mFrame nsCOMArray (cc-ing bryner since he made the switch to use nsCOMArray).

mCurrentAnimationFrameIndex is 0 and mLastCompositedFrameIndex is -1.
mCurrentDecodingFrameIndex, mCurrentAnimationFrameIndex, mDoneDecoding is 0
mSize = {183, 68}
mFirstFrameRefreshArea = {0, 0, 0, 0}
mLoopCount = -1

Callstack:
nsDebug::Assertion(const char * 0x100f74a0 `string', const char * 0x100f74f0 `string', const char * 0x100f755c `string', int 0x00000048) line 109
nsVoidArray::ElementAt(int 0x00000000) line 72 + 35 bytes
nsCOMArray_base::ObjectAt(int 0x00000000) line 101
nsCOMArray<gfxIImageFrame>::ObjectAt(int 0x00000000) line 150
nsCOMArray<gfxIImageFrame>::operator[](int 0x00000000) line 155
imgContainerGIF::inlinedGetCurrentFrame() line 138
imgContainerGIF::GetCurrentFrame(imgContainerGIF * const 0x04165db8, gfxIImageFrame * * 0x0012f294) line 106 + 8 bytes
nsImageFrame::OnDataAvailable(imgIRequest * 0x04162968, gfxIImageFrame * 0x00000000, const nsRect * 0x0012f3b8) line 615 + 47 bytes
nsImageListener::OnDataAvailable(nsImageListener * const 0x04163a48, imgIRequest * 0x04162968, gfxIImageFrame * 0x00000000, const nsRect * 0x0012f3b8) line 2095
nsImageLoadingContent::OnDataAvailable(nsImageLoadingContent * const 0x0415c440, imgIRequest * 0x04162968, gfxIImageFrame * 0x00000000, const nsRect * 0x0012f3b8) line 170 + 79 bytes
imgRequestProxy::OnDataAvailable(gfxIImageFrame * 0x00000000, const nsRect * 0x0012f3b8) line 366
imgRequest::OnDataAvailable(imgRequest * const 0x0415c8ec, imgIRequest * 0x00000000, gfxIImageFrame * 0x00000000, const nsRect * 0x0012f3b8) line 444
nsGIFDecoder2::BeginImageFrame(void * 0x04118e78, unsigned int 0x00000001, unsigned int 0x00000002, unsigned int 0x00000002, unsigned int 0x000000b1, unsigned int 0x00000042) line 301
gif_write(gif_struct * 0x040f5440, const unsigned char * 0x0263aae4, unsigned int 0x00001000) line 843 + 46 bytes
nsGIFDecoder2::ProcessData(unsigned char * 0x0263aae4, unsigned int 0x00001000, unsigned int * 0x0012f494) line 197 + 20 bytes
ReadDataOut(nsIInputStream * 0x041612b4, void * 0x04118e78, const char * 0x0263aae4, unsigned int 0x00000000, unsigned int 0x00001000, unsigned int * 0x0012f494) line 139 + 20 bytes
nsPipeInputStream::ReadSegments(nsPipeInputStream * const 0x041612b4, unsigned int (nsIInputStream *, void *, const char *, unsigned int, unsigned int, unsigned int *)* 0x01ee3290 ReadDataOut(nsIInputStream *, void *, const char *, unsigned int, unsigned int, unsigned int *), void * 0x04118e78, unsigned int 0x000013ff, unsigned int * 0x0012f6ac) line 760 + 29 bytes
nsGIFDecoder2::WriteFrom(nsGIFDecoder2 * const 0x04118e78, nsIInputStream * 0x041612b4, unsigned int 0x000013ff, unsigned int * 0x0012f6ac) line 218
imgRequest::OnDataAvailable(imgRequest * const 0x0415c8f0, nsIRequest * 0x0415cb68, nsISupports * 0x00000000, nsIInputStream * 0x041612b4, unsigned int 0x00000000, unsigned int 0x000013ff) line 797 + 47 bytes
ProxyListener::OnDataAvailable(ProxyListener * const 0x0415cd68, nsIRequest * 0x0415cb68, nsISupports * 0x00000000, nsIInputStream * 0x041612b4, unsigned int 0x00000000, unsigned int 0x000013ff) line 869
nsJARChannel::OnDataAvailable(nsJARChannel * const 0x0415cb70, nsIRequest * 0x041611d8, nsISupports * 0x00000000, nsIInputStream * 0x041612b4, unsigned int 0x00000000, unsigned int 0x000013ff) line 689 + 57 bytes
nsInputStreamPump::OnStateTransfer() line 433 + 65 bytes
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x041611dc, nsIAsyncInputStream * 0x041612b4) line 336 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x04162904) line 117
PL_HandleEvent(PLEvent * 0x04162904) line 671 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ee0e48) line 606 + 9 bytes
nsEventQueueImpl::ProcessPendingEvents(nsEventQueueImpl * const 0x00edfa98) line 391 + 12 bytes
nsWindow::DispatchPendingEvents() line 3632
nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000000, long 0x00170044, long * 0x0012fc34) line 3980
nsWindow::WindowProc(HWND__ * 0x001502f8, unsigned int 0x00000200, unsigned int 0x00000000, long 0x00170044) line 1333 + 27 bytes
imglib appears to be requesting the frame before we've taken care of the first row (which is when the initial frame gets added to mFrames).
Looking at nsImageFrame, it seems the appropriate thing is to return null if we don't yet have a frame.
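The fix proposed in the comment above, shown as an added example that is not code from this bug, its patch, or Mozilla's tree: a minimal C++ model of the frame container in which std::vector stands in for nsCOMArray, ImageFrame stands in for gfxIImageFrame, and the names UncheckedCurrentFrame, CheckedCurrentFrame, AppendFrame and CurrentFrameWidth are hypothetical. UncheckedCurrentFrame keeps the shape of inlinedGetCurrentFrame from the report; CheckedCurrentFrame returns null when mFrames has no entry for mCurrentAnimationFrameIndex yet (the state in the report: index 0, no frame added), and the caller treats null as "nothing to paint yet" rather than dereferencing it, which is the behaviour the comment expects nsImageFrame to cope with.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Stand-in for gfxIImageFrame (hypothetical; the real interface is larger).
struct ImageFrame {
    int width;
    int height;
};

// Minimal model of the imgContainerGIF state named in the bug. Member names
// mirror the report; the container type is a std::vector instead of
// nsCOMArray, which is an assumption made for this example.
class GifContainer {
public:
    static const int kNoFrame = -1;

    GifContainer()
        : mCurrentAnimationFrameIndex(0), mLastCompositedFrameIndex(kNoFrame) {}

    // The decoder adds a frame only once it has delivered the first row, so
    // before that point mFrames is empty even though the index is already 0.
    void AppendFrame(std::shared_ptr<ImageFrame> frame) { mFrames.push_back(frame); }

    std::size_t FrameCount() const { return mFrames.size(); }

    // Pre-fix shape of inlinedGetCurrentFrame(): indexes mFrames without
    // confirming the frame exists. On an empty vector this is undefined
    // behaviour (nsCOMArray asserted, as in the report's callstack). Kept
    // only for contrast; call it only when FrameCount() > index.
    std::shared_ptr<ImageFrame> UncheckedCurrentFrame() const {
        if (mLastCompositedFrameIndex == mCurrentAnimationFrameIndex)
            return mCompositingFrame;
        return mFrames[mCurrentAnimationFrameIndex];
    }

    // Fixed shape: return null when the requested frame has not been added yet,
    // so the caller decides what to do instead of the array asserting.
    std::shared_ptr<ImageFrame> CheckedCurrentFrame() const {
        if (mLastCompositedFrameIndex == mCurrentAnimationFrameIndex)
            return mCompositingFrame;
        if (mCurrentAnimationFrameIndex < 0 ||
            static_cast<std::size_t>(mCurrentAnimationFrameIndex) >= mFrames.size())
            return nullptr;
        return mFrames[mCurrentAnimationFrameIndex];
    }

private:
    std::vector<std::shared_ptr<ImageFrame>> mFrames;
    std::shared_ptr<ImageFrame> mCompositingFrame;  // null until composited
    int mCurrentAnimationFrameIndex;
    int mLastCompositedFrameIndex;
};

// Models the consumer side (nsImageFrame::OnDataAvailable in the callstack):
// a null frame means "nothing to paint yet", so bail out instead of
// dereferencing. Returns the frame's pixel width, or 0 when no frame exists.
int CurrentFrameWidth(const GifContainer& container) {
    std::shared_ptr<ImageFrame> frame = container.CheckedCurrentFrame();
    if (!frame)
        return 0;
    return frame->width;
}

int main() {
    GifContainer container;                       // decoder has not added a frame yet
    int before = CurrentFrameWidth(container);    // 0: null handled, no assertion
    container.AppendFrame(std::make_shared<ImageFrame>(ImageFrame{183, 68}));
    int after = CurrentFrameWidth(container);     // 183 once the first frame exists
    return (before == 0 && after == 183) ? 0 : 1;
}
```

The two accessors differ only in the bounds test, which is the whole of the fix: the index state is legitimately 0 before the first frame exists, so the accessor, not the array, has to treat "no frame yet" as a normal outcome.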
Comment 3 • 21 years ago

Comment on attachment 135349 [details] [diff] [review]
prevent access to nonexistent frame

Yup, exactly the patch I had too. Hope you don't mind me r+ before any request was put out.
Attachment #135349 -
Flags: review+
Attachment #135349 -
Flags: superreview?(bryner)
Comment 4 • 21 years ago

Comment on attachment 135349 [details] [diff] [review]
prevent access to nonexistent frame

Of course now we're checking twice, since nsVoidArray still bounds-checks this as well (after complaining).
Attachment #135349 -
Flags: superreview?(bryner) → superreview+
Attachment #135349 -
Attachment is obsolete: true
Attachment #135411 -
Flags: superreview?(bryner)
Attachment #135411 -
Flags: review?(bugmail)
Updated • 21 years ago
Attachment #135411 -
Flags: review?(bugmail) → review+
Updated • 21 years ago
Attachment #135411 -
Flags: superreview?(bryner) → superreview+
Checked in.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED