Closed Bug 272955 Opened 21 years ago Closed 20 years ago

Unreasonably large extremely shifted gif image likely to cause OOM [@ MSVCRT.DLL + 0x10d9 - imgContainerGIF::DoComposite]

Categories

(Core :: Graphics: ImageLib, defect)

Product:
Core
Component:
Graphics: ImageLib
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 229652

People

(Reporter: tzwoenn, Assigned: pavlov)

References

(
URL
)

Details

(Keywords: crash, hang, Whiteboard: TB2343805M TB2349119M)

Crash Data

Attachments

(1 file)

the broken gif image
50.99 KB, image/gif
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 When accessing this broken image, firefox consumes large amounts of memory. on another pc, firefox hangs, but doesnt crash. Reproducible: Always Steps to Reproduce: 1. access the given url Expected Results: firefox should not display this image if www.tomsnetworking.de removes this image from its websites, you can also access it over http://www.kamalook.de/sven/firefoxbug.gif
Attached image the broken gif image
Severity: normal → critical
Keywords: hang
Confirming with Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a6) Gecko/20041203 - it crashes. Talkback id TB2343805M.
Confirming with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Also crashes Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041201.
Component: General → ImageLib
Product: Firefox → Core
Version: unspecified → 1.0 Branch
Version: 1.0 Branch → Trunk
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a6) Gecko/20041203 TB2349119M nearly same Talkback on Win98 and WinXP MSVCRT.DLL + 0x10d9 (0x780010d9) imgContainerGIF::DoComposite [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/modules/libpr0n/decoders/gif/imgContainerGIF.cpp, line 595] imgContainerGIF::Notify [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/modules/libpr0n/decoders/gif/imgContainerGIF.cpp, line 448] nsTimerImpl::Fire [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/threads/nsTimerImpl.cpp, line 396] nsTimerManager::FireNextIdleTimer [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/threads/nsTimerImpl.cpp, line 617] nsAppShell::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp, line 142] nsAppStartup::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/components/startup/src/nsAppStartup.cpp, line 216] main1 [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1330] main [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1801] WinMain [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1827] WinMainCRTStartup()
Assignee: firefox → pavlov
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
QA Contact: firefox.general
Whiteboard: TB2343805M TB2349119M
Mozilla/5.0 (Windows; U; Win98; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0 crash when loading saved attachment http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB2349769W MSVCRT.DLL + 0x10d9 (0x780010d9) imgContainerGIF::DoComposite [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/modules/libpr0n/decoders/gif/imgContainerGIF.cpp, line 579] imgContainerGIF::Notify [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/modules/libpr0n/decoders/gif/imgContainerGIF.cpp, line 429] nsTimerImpl::Fire [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/xpcom/threads/nsTimerImpl.cpp, line 395] nsAppShellService::Run [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 495] main [c:/builds/tinderbox/firefox-aviarybranch-l10n/WINNT_5.1_Clobber/mozilla/browser/app/nsBrowserApp.cpp, line 58] KERNEL32.DLL + 0x1b537 (0xbff8b537) KERNEL32.DLL + 0x1b3e9 (0xbff8b3e9) KERNEL32.DLL + 0x19dac (0xbff89dac)
from tor: Image Descriptor: Image Left Position: 1945 pixels Image Top Position: 30232 pixels Image Width: 3011 pixels Image Height: 12324 pixels that's ... an OOM bug
Summary: Firefox becomes unresponsive when displaying this corrupt gif image → Unreasonably large extremely shifted gif image likely to cause OOM [@ MSVCRT.DLL + 0x10d9 - imgContainerGIF::DoComposite]
I think the problem is more that it's a two frame animated gif with an insane logical screen size: Logical Screen Descriptor: Logical Screen Width: 4956 pixels Logical Screen Height: 42556 pixels I have the suspicion that we might try allocating a full frame for compositing, which would be about 800MB.
I didn't crash with Firefox 1.0, but it did hang and I ended up killing the process as it approached 200MB of memory usage.
We have existing bugs on gifs that specify ridiculous logical screens.
Whiteboard: TB2343805M TB2349119M → DUPEME TB2343805M TB2349119M
This bug seems eerily like bug 209079. However, this bug is newer, and was reported after that bug was resolved. Can anyone still reproduce this one? If so, there's probably something else that still needs fixing. If not, this may yet be a dupe.
*** This bug has been marked as a duplicate of 229652 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Whiteboard: DUPEME TB2343805M TB2349119M → TB2343805M TB2349119M
Crash Signature: [@ MSVCRT.DLL + 0x10d9 - imgContainerGIF::DoComposite]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: