Closed Bug 225015 Opened 21 years ago Closed 21 years ago

Out-of-bounds access in nsCOMArray in imgContainerGIF::inlinedGetCurrentFrame

Component: Core :: Graphics: ImageLib
Type: defect
Platform: x86, Windows 2000
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Reporter: sicking
Assigned: tor
Attachments: 1 file, 1 obsolete file

Opening mail I get an assertion while trying to load the following gif:

jar:resource:///chrome/en-US.jar!/locale/en-US/messenger/mail_mozilla.gif

On line 137 of imgContainerGIF.h

  inline gfxIImageFrame* inlinedGetCurrentFrame() {
    if (mLastCompositedFrameIndex == mCurrentAnimationFrameIndex)
      return mCompositingFrame;

    return mFrames[mCurrentAnimationFrameIndex];   <-here
  }

The assertion is that we're accessing out-of-bounds in the mFrames nsCOMArray
(cc-ing bryner since he made the switch to use nsCOMArray).

mCurrentAnimationFrameIndex is 0 and mLastCompositedFrameIndex is -1.
mCurrentDecodingFrameIndex, mCurrentAnimationFrameIndex, mDoneDecoding are 0
mSize = {183, 68}
mFirstFrameRefreshArea = {0, 0, 0, 0}
mLoopCount = -1


Callstack:

nsDebug::Assertion(const char * 0x100f74a0 `string', const char * 0x100f74f0
`string', const char * 0x100f755c `string', int 0x00000048) line 109
nsVoidArray::ElementAt(int 0x00000000) line 72 + 35 bytes
nsCOMArray_base::ObjectAt(int 0x00000000) line 101
nsCOMArray<gfxIImageFrame>::ObjectAt(int 0x00000000) line 150
nsCOMArray<gfxIImageFrame>::operator[](int 0x00000000) line 155
imgContainerGIF::inlinedGetCurrentFrame() line 138
imgContainerGIF::GetCurrentFrame(imgContainerGIF * const 0x04165db8,
gfxIImageFrame * * 0x0012f294) line 106 + 8 bytes
nsImageFrame::OnDataAvailable(imgIRequest * 0x04162968, gfxIImageFrame *
0x00000000, const nsRect * 0x0012f3b8) line 615 + 47 bytes
nsImageListener::OnDataAvailable(nsImageListener * const 0x04163a48, imgIRequest
* 0x04162968, gfxIImageFrame * 0x00000000, const nsRect * 0x0012f3b8) line 2095
nsImageLoadingContent::OnDataAvailable(nsImageLoadingContent * const 0x0415c440,
imgIRequest * 0x04162968, gfxIImageFrame * 0x00000000, const nsRect *
0x0012f3b8) line 170 + 79 bytes
imgRequestProxy::OnDataAvailable(gfxIImageFrame * 0x00000000, const nsRect *
0x0012f3b8) line 366
imgRequest::OnDataAvailable(imgRequest * const 0x0415c8ec, imgIRequest *
0x00000000, gfxIImageFrame * 0x00000000, const nsRect * 0x0012f3b8) line 444
nsGIFDecoder2::BeginImageFrame(void * 0x04118e78, unsigned int 0x00000001,
unsigned int 0x00000002, unsigned int 0x00000002, unsigned int 0x000000b1,
unsigned int 0x00000042) line 301
gif_write(gif_struct * 0x040f5440, const unsigned char * 0x0263aae4, unsigned
int 0x00001000) line 843 + 46 bytes
nsGIFDecoder2::ProcessData(unsigned char * 0x0263aae4, unsigned int 0x00001000,
unsigned int * 0x0012f494) line 197 + 20 bytes
ReadDataOut(nsIInputStream * 0x041612b4, void * 0x04118e78, const char *
0x0263aae4, unsigned int 0x00000000, unsigned int 0x00001000, unsigned int *
0x0012f494) line 139 + 20 bytes
nsPipeInputStream::ReadSegments(nsPipeInputStream * const 0x041612b4, unsigned
int (nsIInputStream *, void *, const char *, unsigned int, unsigned int,
unsigned int *)* 0x01ee3290 ReadDataOut(nsIInputStream *, void *, const char *,
unsigned int, unsigned int, unsigned int *), void * 0x04118e78, unsigned int
0x000013ff, unsigned int * 0x0012f6ac) line 760 + 29 bytes
nsGIFDecoder2::WriteFrom(nsGIFDecoder2 * const 0x04118e78, nsIInputStream *
0x041612b4, unsigned int 0x000013ff, unsigned int * 0x0012f6ac) line 218
imgRequest::OnDataAvailable(imgRequest * const 0x0415c8f0, nsIRequest *
0x0415cb68, nsISupports * 0x00000000, nsIInputStream * 0x041612b4, unsigned int
0x00000000, unsigned int 0x000013ff) line 797 + 47 bytes
ProxyListener::OnDataAvailable(ProxyListener * const 0x0415cd68, nsIRequest *
0x0415cb68, nsISupports * 0x00000000, nsIInputStream * 0x041612b4, unsigned int
0x00000000, unsigned int 0x000013ff) line 869
nsJARChannel::OnDataAvailable(nsJARChannel * const 0x0415cb70, nsIRequest *
0x041611d8, nsISupports * 0x00000000, nsIInputStream * 0x041612b4, unsigned int
0x00000000, unsigned int 0x000013ff) line 689 + 57 bytes
nsInputStreamPump::OnStateTransfer() line 433 + 65 bytes
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x041611dc,
nsIAsyncInputStream * 0x041612b4) line 336 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x04162904) line 117
PL_HandleEvent(PLEvent * 0x04162904) line 671 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ee0e48) line 606 + 9 bytes
nsEventQueueImpl::ProcessPendingEvents(nsEventQueueImpl * const 0x00edfa98) line
391 + 12 bytes
nsWindow::DispatchPendingEvents() line 3632
nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000000, long
0x00170044, long * 0x0012fc34) line 3980
nsWindow::WindowProc(HWND__ * 0x001502f8, unsigned int 0x00000200, unsigned int
0x00000000, long 0x00170044) line 1333 + 27 bytes
imglib appears to be requesting the frame before we've taken care of the first
row (which is when the initial frame gets added to mFrames).
Looking at nsImageFrame, it seems the appropriate thing is to return
null if we don't yet have a frame.
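The sequence the report and the diagnosis above describe, as an added example that is not part of this bug or of the Mozilla tree: a decoder announces frame 0 (BeginImageFrame) before any row has been decoded, an observer asks the container for its current frame, and the accessor indexes an empty array with index 0 while mLastCompositedFrameIndex is still -1. The names FrameArray, GifContainer, ImageFrame, ProbeBeforeFirstRow and ProbeAfterFirstRow are simplified stand-ins for nsCOMArray<gfxIImageFrame>, imgContainerGIF and gfxIImageFrame, not the real classes; the array mirrors nsVoidArray's behaviour of complaining about a bad index and then yielding null, but counts the complaint instead of firing an assertion so the program can report it.

```cpp
#include <cstdio>
#include <vector>

// Stand-in for gfxIImageFrame: just enough state to be recognisable.
struct ImageFrame {
    int width;
    int height;
};

// Stand-in for nsCOMArray<gfxIImageFrame>. Like nsVoidArray::ElementAt it
// bounds-checks and yields nullptr for a bad index, but instead of firing
// NS_ASSERTION it counts the complaint so the example can report it.
class FrameArray {
public:
    void AppendObject(ImageFrame* frame) { mElements.push_back(frame); }
    int Count() const { return static_cast<int>(mElements.size()); }
    int Complaints() const { return mComplaints; }
    ImageFrame* ObjectAt(int index) const {
        if (index < 0 || index >= Count()) {
            ++mComplaints;  // the point where the real array asserts
            return nullptr;
        }
        return mElements[static_cast<size_t>(index)];
    }
    ImageFrame* operator[](int index) const { return ObjectAt(index); }
private:
    std::vector<ImageFrame*> mElements;
    mutable int mComplaints = 0;
};

// The members the report dumps, initialised to the values it shows.
struct GifContainer {
    FrameArray mFrames;                       // empty until the first row lands
    ImageFrame* mCompositingFrame = nullptr;
    int mLastCompositedFrameIndex = -1;
    int mCurrentAnimationFrameIndex = 0;

    // Accessor as reported: indexes mFrames whenever no composited frame applies.
    ImageFrame* GetCurrentFrameUnchecked() {
        if (mLastCompositedFrameIndex == mCurrentAnimationFrameIndex)
            return mCompositingFrame;
        return mFrames[mCurrentAnimationFrameIndex];
    }

    // Accessor with the check the diagnosis calls for: no frame yet means null.
    ImageFrame* GetCurrentFrameChecked() {
        if (mLastCompositedFrameIndex == mCurrentAnimationFrameIndex)
            return mCompositingFrame;
        if (mCurrentAnimationFrameIndex < 0 ||
            mCurrentAnimationFrameIndex >= mFrames.Count())
            return nullptr;
        return mFrames[mCurrentAnimationFrameIndex];
    }
};

struct ProbeResult {
    ImageFrame* frame;
    int complaints;
};

// Observer asks for the current frame at the point BeginImageFrame fires:
// the frame is announced but no row has been decoded, so mFrames is empty.
ProbeResult ProbeBeforeFirstRow(bool hardened) {
    GifContainer container;
    ImageFrame* frame = hardened ? container.GetCurrentFrameChecked()
                                 : container.GetCurrentFrameUnchecked();
    return {frame, container.mFrames.Complaints()};
}

// Same query after the first row has arrived and frame 0 has been appended.
ProbeResult ProbeAfterFirstRow(bool hardened) {
    static ImageFrame first{183, 68};  // mSize from the report
    GifContainer container;
    container.mFrames.AppendObject(&first);
    ImageFrame* frame = hardened ? container.GetCurrentFrameChecked()
                                 : container.GetCurrentFrameUnchecked();
    return {frame, container.mFrames.Complaints()};
}

int main() {
    ProbeResult before = ProbeBeforeFirstRow(false);
    std::printf("unchecked, before first row: frame=%p complaints=%d\n",
                static_cast<void*>(before.frame), before.complaints);
    ProbeResult fixed = ProbeBeforeFirstRow(true);
    std::printf("checked,   before first row: frame=%p complaints=%d\n",
                static_cast<void*>(fixed.frame), fixed.complaints);
    ProbeResult after = ProbeAfterFirstRow(true);
    std::printf("checked,   after first row:  %dx%d\n",
                after.frame->width, after.frame->height);
    return 0;
}
```

Both accessors return null for the empty-array case; the difference is that the unchecked one gets there by tripping the array's own bounds check (the assertion in the report), while the checked one never reaches the array. Once frame 0 exists both return it without any complaint, so the added check changes nothing on the normal path.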
Comment on attachment 135349
prevent access to nonexistent frame

yup, exactly the patch I had too.  Hope you don't mind me r+ before any request
was put out
Attachment #135349 - Flags: review+
Attachment #135349 - Flags: superreview?(bryner)
Comment on attachment 135349
prevent access to nonexistent frame

Of course now we're checking twice, since nsVoidArray still bounds checks this
as well (after complaining)
Attachment #135349 - Flags: superreview?(bryner) → superreview+
Attachment #135349 - Attachment is obsolete: true
Attachment #135411 - Flags: superreview?(bryner)
Attachment #135411 - Flags: review?(bugmail)
Attachment #135411 - Flags: review?(bugmail) → review+
Attachment #135411 - Flags: superreview?(bryner) → superreview+
Checked in.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED