Closed Bug 271076 Opened 21 years ago Closed 21 years ago

Mozilla 1.7.3 browser consistently crashes [@ nsImageFrame::ConvertPxRectToTwips ]

Categories

(Core :: Layout: Images, Video, and HTML Frames, defect)

Platform: x86, Windows 2000
Type: defect
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 263846

People

(Reporter: u166595, Assigned: jdunn)

Details

(Keywords: crash)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910

Browser crashes

Reproducible: Always

Steps to Reproduce:
1. visit http://www.hema.nl/site/HEMA-NL/FOTOSERVICE/default.aspx

Actual Results: Browser crashed

Expected Results: Guess... ;-)

Visiting the homepage www.hema.nl works fine, visiting any page on a deeper level makes the browser crash, both under Win2000 (SP4) and WinXP (Home, SP2).

Conspicuously present in the source of all pages is this line:

<input type="hidden" name="__VIEWSTATE" value="LONG_STRING"

Key difference between the homepage and deeper level pages is the length of the value string: on the homepage it is "only" 1272 chars, on deeper levels it does reach lengths of 8000 chars and more! This smells like an unchecked buffer overflow, with potential security hazards.

Asking around revealed that Firefox 0.9.x also crashes on these pages, but that Firefox 1.0 is not affected.

I've let Quality Feedback Agent report further details.

Too bad these pages don't crash IE. ;-)

Please supply the Talkback IDs (run components\talkback.exe).

(In reply to comment #1)
> Please supply the Talkback IDs (run components\talkback.exe).

1) TB2058887X 19-11-2004 20:48 Win2000 SP4
2) TB2059093G 19-11-2004 20:58 WinXP Home SP2

nsImageFrame::ConvertPxRectToTwips [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsImageFrame.cpp, line 422]
nsImageFrame::FrameChanged [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsImageFrame.cpp, line 688]
nsImageListener::FrameChanged [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsImageFrame.cpp, line 2080]
nsImageLoadingContent::FrameChanged [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/content/base/src/nsImageLoadingContent.cpp, line 138]
imgRequestProxy::FrameChanged [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/modules/libpr0n/src/imgRequestProxy.cpp, line 346]
imgRequest::FrameChanged [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/modules/libpr0n/src/imgRequest.cpp, line 347]
imgContainerGIF::Notify [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/modules/libpr0n/decoders/gif/imgContainerGIF.cpp, line 440]
nsTimerImpl::Fire [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/xpcom/threads/nsTimerImpl.cpp, line 395]
nsTimerManager::FireNextIdleTimer [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/xpcom/threads/nsTimerImpl.cpp, line 616]
nsAppShell::Run [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp, line 142]
nsAppShellService::Run [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 524]
main1 [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1313]
main [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1783]
WinMain [d:/BUILDS/tinderbox/Mozilla1.7.3/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1809]
WinMainCRTStartup()
kernel32.dll + 0x16d4f (0x7c816d4f)

Assignee: general → jdunn
Component: Browser-General → Layout: Images
Keywords: crash
QA Contact: general → core.layout.images
Summary: Mozilla 1.7.3 browser consistently crashes → Mozilla 1.7.3 browser consistently crashes [@ nsImageFrame::ConvertPxRectToTwips ]
fwiw: wfm Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041118
Probably a duplicate of bug 263846.

(In reply to comment #5)
> Probably a duplicate of bug 263846.

After checking the details of 263846: yes, must be the same bug.

*** This bug has been marked as a duplicate of 263846 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ nsImageFrame::ConvertPxRectToTwips ]
Product: Core → Core Graveyard
Product: Core Graveyard → Core