Closed Bug 243493 Opened 21 years ago Closed 21 years ago

Crash when opening bogus BMP file

Categories

(Core :: Graphics: ImageLib, defect)

x86
Linux
defect
Not set
critical


RESOLVED DUPLICATE of bug 243511

People

(Reporter: dave.mueller, Assigned: jdunn)

Details

(Keywords: crash)

Attachments

(1 file)

2.41 KB, application/octet-stream
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040421
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040421

Mozilla crashes when asked to open a bogus BMP file or when opening an email with a bogus BMP file embedded.

Reproducible: Always

Steps to Reproduce:
1. Open browser window
2. Press Ctrl-O and select BMP file
3.

Actual Results:
crash

Expected Results:
display broken image icon.

XV and GIMP both report the BMP file to be bogus.

TB45948X, TB45952Z, TB45955H, TB45959M
Attached file Bogus BMP
No crash on opening, 20040503 PC/WinXP
Severity: normal → critical
Keywords: crash
Dave, what does uname -a return on your system? Also, what does about:buildconfig in Mozilla return? Thanks
(In reply to comment #3)
> Dave, what does uname -a return on your system?

Linux pcdm 2.6.5 #1 Sat Apr 10 07:46:36 CEST 2004 i686 unknown unknown GNU/Linux

> Also, what does about:buildconfig in Mozilla return?

about:buildconfig
Build platform
target i686-pc-linux-gnu
Build tools
Compiler Version Compiler flags
gcc gcc version 3.2.3 -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-long-long -pedantic -pthread -pipe
c++ gcc version 3.2.3 -fno-rtti -fno-exceptions -Wall -Wconversion -Wpointer-arith -Wcast-align -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wno-long-long -pedantic -fshort-wchar -pthread -pipe -I/usr/X11R6/include
Configure arguments
--disable-tests --enable-extensions=default,irc --without-system-nspr --without-system-jpeg --without-system-zlib --without-system-png --without-system-mng --disable-debug '--enable-optimize=-O2 -g' --enable-crypto
The header is bogus: mNumColors is 0xffffffff (-1), so the allocation fails (nsbmpdecoder.cpp):

    if (mBIH.bpp <= 8) {
        mNumColors = mBIH.colors ? mBIH.colors : 1 << mBIH.bpp;
        mColors = new colorTable[mNumColors];    <====== mNumColors is -1
        if (!mColors)
            return NS_ERROR_OUT_OF_MEMORY;
    }

I've got a crash on Windows with MSVC 7.1 because operator new throws an exception instead of returning NULL. No crash with MSVC 6 because new returns NULL. Maybe this is what you are seeing.
Maybe a dupe of bug 153621?
Here's the top of a stack trace.

#0  0x4047d361 in __kill () from /lib/libc.so.6
#1  0x4010e052 in pthread_kill (thread=1024, signo=6) at signals.c:65
#2  0x4010e531 in raise (sig=6) at signals.c:236
#3  0x4047e88b in abort () at ../sysdeps/generic/abort.c:88
#4  0x40421681 in __gnu_cxx::__verbose_terminate_handler () at /build/gcc-3.4.0/libstdc++-v3/libsupc++/vterminate.cc:96
#5  0x4041f225 in __cxxabiv1::__terminate (handler=0x40421580 <__gnu_cxx::__verbose_terminate_handler()>) at /build/gcc-3.4.0/libstdc++-v3/libsupc++/eh_terminate.cc:43
#6  0x4041f262 in std::terminate () at /build/gcc-3.4.0/libstdc++-v3/libsupc++/eh_terminate.cc:53
#7  0x4041f3e2 in __cxa_throw (obj=0x90ecf28, tinfo=0x0, dest=0) at /build/gcc-3.4.0/libstdc++-v3/libsupc++/eh_throw.cc:80
#8  0x4041f632 in operator new (sz=4294967293) at new:56
#9  0x4041f6ed in operator new[] (sz=0) at /build/gcc-3.4.0/libstdc++-v3/libsupc++/new_opv.cc:36
#10 0x413973b5 in nsBMPDecoder::ProcessData (this=0x90ece10, aBuffer=0x8350f2a '<FF>' <repeats 200 times>..., aCount=2412) at nsBMPDecoder.cpp:263
(gdb) f 10
#10 0x413973b5 in nsBMPDecoder::ProcessData (this=0x90ece10, aBuffer=0x8350f2a '<FF>' <repeats 200 times>..., aCount=2412) at nsBMPDecoder.cpp:263
263       mColors = new colorTable[mNumColors];
Current language:  auto; currently c++
(gdb) p mNumColors
$1 = 4294967295
(gdb)

This is another example of the system libs throwing exceptions but Mozilla not handling them. There's a discussion in bug 166862 although this bug is different. Confirming the bug.
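An added example (not Mozilla's code; BmpInfoHeader, ColorTable, checkedNumColors and allocatePalette are assumed stand-ins for the decoder's mBIH and colorTable) of the palette-count check the two comments above point at: it parses biBitCount and biClrUsed from a constructed BITMAPINFOHEADER with biClrUsed = 0xffffffff, shows the unchecked count quoted from nsBMPDecoder.cpp, and a bounded version that rejects any count a <=8 bpp palette cannot address before new[] is reached.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>
#include <vector>

// Assumed stand-ins for the decoder's mBIH fields and palette entry type.
struct BmpInfoHeader { uint16_t bpp; uint32_t colors; };  // biBitCount, biClrUsed
struct ColorTable { uint8_t red, green, blue; };

// Reads biBitCount (offset 14) and biClrUsed (offset 32) from a little-endian
// 40-byte BITMAPINFOHEADER. Returns false if the buffer is too short.
bool parseInfoHeader(const uint8_t* buf, size_t len, BmpInfoHeader& out) {
    if (len < 40) return false;
    out.bpp = static_cast<uint16_t>(buf[14] | (buf[15] << 8));
    out.colors = buf[32] | (buf[33] << 8) | (buf[34] << 16) | (static_cast<uint32_t>(buf[35]) << 24);
    return true;
}
// The logic quoted above: biClrUsed is trusted as-is, so a file can request
// 0xffffffff entries and new[] throws std::bad_alloc instead of returning NULL.
uint32_t uncheckedNumColors(const BmpInfoHeader& h) {
    if (h.bpp <= 8) return h.colors ? h.colors : (1u << h.bpp);
    return 0;
}
// Hardened: <=8 bpp addresses at most 1 << bpp (256) entries; 0 means reject.
uint32_t checkedNumColors(const BmpInfoHeader& h) {
    if (h.bpp == 0 || h.bpp > 8) return 0;
    const uint32_t maxColors = 1u << h.bpp;
    if (h.colors == 0) return maxColors;
    return h.colors <= maxColors ? h.colors : 0;
}
// Validates first, then allocates; bad_alloc is caught rather than escaping.
// Returns the number of entries allocated, or 0 if the header was rejected.
size_t allocatePalette(const BmpInfoHeader& h) {
    const uint32_t n = checkedNumColors(h);
    if (n == 0) return 0;
    std::vector<ColorTable> table;
    try { table.assign(n, ColorTable{}); } catch (const std::bad_alloc&) { return 0; }
    return table.size();
}

// Constructed header mirroring the report: 1x1 image, bpp = 8, biClrUsed = 0xffffffff.
const uint8_t kBogusHeader[40] = {
    0x28,0,0,0, 1,0,0,0, 1,0,0,0, 1,0, 8,0, 0,0,0,0, 0,0,0,0,
    0,0,0,0, 0,0,0,0, 0xff,0xff,0xff,0xff, 0,0,0,0 };

BmpInfoHeader bogusHeader() {
    BmpInfoHeader h{};
    parseInfoHeader(kBogusHeader, sizeof kBogusHeader, h);
    return h;
}
```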
Status: UNCONFIRMED → NEW
Ever confirmed: true
Bug 243511 seems to be a duplicate (with patch) of this
I'm duping to bug 243511, since that has the patch.

*** This bug has been marked as a duplicate of 243511 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE