254179 - Uncommonly wide image crashes Firefox [@ gfxImageFrame::SetAlphaData ]

Status: VERIFIED DUPLICATE of bug 253782

(Core Graveyard :: Image: Painting, defect)

Description

[bugzilla]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7) Gecko/20040707 Firefox/0.9.2

Surprisingly, I have not found this in the bug database.

The attached .PNG image is 262144 * 1 pixels in size and has been saved at 16M
colors. Whenever you try to view this in Firefox, the browser crashes.

As this could be used to annoy malicous pages' visitors, this should urgently be
fixed.

Reproducible: Always
Steps to Reproduce:
1. Download the testcase or open it directly with Firefox.
Actual Results:  
The browser crahed immediately.

Expected Results:  
The browser should not have been affected, but maybe FF should refuse to display
that wide images if "[ ] make large images to fit the browser window" is not
enabled.

Comment 1

[bugzilla]

Attachment: Testcase .PNG image

Comment 2

[Logan Ingalls]

I also see this with 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Gecko/20040728 Firefox/0.9.1+'

> The browser should not have been affected, but maybe FF should refuse to display
> that wide images if "[ ] make large images to fit the browser window" is not
> enabled.

For me at least, the browser crashes even if this preference is turned on
(although I'm not sure if you were implying that it doesn't).

Comment 3

[bugzilla]

(In reply to comment #2)
> (although I'm not sure if you were implying that it doesn't).

No, what I wanted to say is that without this bug, Firefox should not display
such large images when the option is not turned on, because that would produce a
*really* wide browser window, which can be considered as further annoyance.

Comment 4

[Adam Hauner]

Confirming with M1.7/W2K -> TB475349:
gfxImageFrame::SetAlphaData 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/gfx/src/shared/gfxImageFrame.cpp,
line 371]
row_callback 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/modules/libpr0n/decoders/png/nsPNGDecoder.cpp,
line 449]
MOZ_PNG_push_have_row 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/modules/libimg/png/pngpread.c,
line 1512]
MOZ_PNG_push_proc_row 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/modules/libimg/png/pngpread.c,
line 947]
MOZ_PNG_proc_IDAT_data 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/modules/libimg/png/pngpread.c,
line 740]
MOZ_PNG_push_read_IDAT 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/modules/libimg/png/pngpread.c,
line 696]
MOZ_PNG_proc_some_data 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/modules/libimg/png/pngpread.c,
line 94]
MOZ_PNG_process_data 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/modules/libimg/png/pngpread.c,
line 33]
ReadDataOut 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/modules/libpr0n/decoders/png/nsPNGDecoder.cpp,
line 146]
nsInputStreamTee::WriteSegmentFun 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/io/nsInputStreamTee.cpp,
line 103]
nsPipeInputStream::ReadSegments 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/io/nsPipe3.cpp,
line 763]
nsInputStreamTee::ReadSegments 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/io/nsInputStreamTee.cpp,
line 157]
nsPNGDecoder::WriteFrom 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/modules/libpr0n/decoders/png/nsPNGDecoder.cpp,
line 161]
...

Marking as dupe of bug 253782.
Reporter, please reopen, if you could reproduce with actual Firefox aviary
branch nightbuild.

*** This bug has been marked as a duplicate of 253782 ***

Comment 5

[Stephen Donner [:stephend] Not actively reading bugmail]

verified dup