X error BadAlloc with 10000x1 GIF

VERIFIED DUPLICATE of bug 210931

Status

()

Firefox
General
VERIFIED DUPLICATE of bug 210931
12 years ago
12 years ago

People

(Reporter: David Schweikert, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8.0.1) Gecko/20060202 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8.0.1) Gecko/20060202 Firefox/1.5.0.1

When a 10000x1 gif image is loaded, firefox crashes with a X error "BadAlloc" (see stacktrace)



Reproducible: Always

Steps to Reproduce:
1. Open the above URL
2. Crash




Stacktrace:

#0  gdk_x_error (display=0x59070, error=0xffbedab0) at gdkmain-x11.c:599
#1  0xfe53c494 in _XError () from /usr/openwin/lib/libX11.so.4
#2  0xfe51cc9c in _XReply () from /usr/openwin/lib/libX11.so.4
#3  0xfe523dac in XSync () from /usr/openwin/lib/libX11.so.4
#4  0xfe54dc74 in _XSyncFunction () from /usr/openwin/lib/libX11.so.4
#5  0xfe51eb18 in XCreatePixmap () from /usr/openwin/lib/libX11.so.4
#6  0xfef8a608 in gdk_pixmap_new (drawable=0x67418, width=10000, height=1, depth=24) at gdkpixmap-x11.c:199
#7  0xfcc1ea78 in nsImageGTK::UpdateCachedImage (this=0x961928)
    at /scratch/build/firefox-1.5.0.1-ds/mozilla/gfx/src/gtk/nsImageGTK.cpp:1613
#8  0xfcc20820 in nsImageGTK::Optimize (this=0x961928, aContext=0x0)
    at /scratch/build/firefox-1.5.0.1-ds/mozilla/gfx/src/gtk/nsImageGTK.cpp:1932
#9  0xfcc36b28 in gfxImageFrame::SetMutable (this=0x72cc08, aMutable=0) at nsCOMPtr.h:848
#10 0xfcbab204 in imgContainerGIF::DecodingComplete (this=0x95a3c8) at nsCOMArray.h:162
#11 0xfcba84a4 in nsGIFDecoder2::EndGIF (aClientData=0x95a388, aAnimationLoopCount=0) at nsCOMPtr.h:848
#12 0xfcba72d0 in gif_write (gs=0x4c0e94,
    buf=0x3dbe32 "-be-d705900\"\n\nAccept-Ranges: bytes\n\nContent-Length: 190\n\nKeep-Alive: timeout=15, max=30\n\nConnection:
    at /scratch/build/firefox-1.5.0.1-ds/mozilla/modules/libpr0n/decoders/gif/GIF2.cpp:979
#13 0xfcba8940 in nsGIFDecoder2::ProcessData (this=0x95a388,
    data=0x3dbe32 "-be-d705900\"\n\nAccept-Ranges: bytes\n\nContent-Length: 190\n\nKeep-Alive: timeout=15, max=30\n\nConnection:
    at /scratch/build/firefox-1.5.0.1-ds/mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp:230
#14 0xfcba8970 in ReadDataOut (in=0x7fd558, closure=0x95a388, fromRawSegment=0x3dbd74 "GIF89a\020'\001", toOffset=0, count=190,
    writeCount=0xffbee224) at /scratch/build/firefox-1.5.0.1-ds/mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp:172
#15 0xff1a7080 in nsInputStreamTee::WriteSegmentFun ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/libxpcom_core.so
#16 0xff1af2a4 in nsPipeInputStream::ReadSegments ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/libxpcom_core.so
#17 0xff1a6a10 in nsInputStreamTee::ReadSegments ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/libxpcom_core.so
#18 0xfcba8388 in nsGIFDecoder2::WriteFrom (this=0x95a388, inStr=0x97bbe8, count=190, _retval=0xffbee3a8)
    at /scratch/build/firefox-1.5.0.1-ds/mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp:250
#19 0xfcba08b4 in imgRequest::OnDataAvailable (this=0x3cb3a0, aRequest=0x633638, ctxt=0xc00, inStr=0x97bbe8,
    sourceOffset=4290700360, count=190) at nsCOMPtr.h:848
#20 0xfcb96c70 in ProxyListener::OnDataAvailable (this=0x80004005, aRequest=0x633638, ctxt=0xc00, inStr=0x97bbe8,
    sourceOffset=4290700360, count=3978212) at nsCOMPtr.h:848
#21 0xfc0b1d54 in nsMediaDocumentStreamListener::OnDataAvailable ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/components/libgklayout.so
#22 0xfc8fa794 in nsDocumentOpenInfo::OnDataAvailable ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/components/libdocshell.so
#23 0xfd0b902c in nsStreamListenerTee::OnDataAvailable ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/components/libnecko.so
#24 0xfd14f3a8 in nsHttpChannel::OnDataAvailable ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/components/libnecko.so
#25 0xfd08cb9c in nsInputStreamPump::OnStateTransfer ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/components/libnecko.so
#26 0xfd08d61c in nsInputStreamPump::OnInputStreamReady ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/components/libnecko.so
#27 0xff228fe4 in nsInputStreamReadyEvent::EventHandler ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/libxpcom_core.so
#28 0xff1d91c0 in PL_HandleEvent () from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/libxpcom_core.so
#29 0xff1d9c04 in PL_ProcessPendingEvents () from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/libxpcom_core.so
#30 0xff1dc3d8 in nsEventQueueImpl::ProcessPendingEvents ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/libxpcom_core.so
#31 0xfc9c8538 in nsWindow::OnExposeEvent ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/components/libwidget_gtk2.so
#32 0xfe75cc10 in g_io_unix_dispatch () from /usr/pack/gtk-2.8.13-ds/sun4u-sun-solaris2.8/lib/libglib-2.0.so.0
#33 0xfe72f09c in g_main_context_dispatch () from /usr/pack/gtk-2.8.13-ds/sun4u-sun-solaris2.8/lib/libglib-2.0.so.0
#34 0xfe731470 in g_main_context_iterate () from /usr/pack/gtk-2.8.13-ds/sun4u-sun-solaris2.8/lib/libglib-2.0.so.0
#35 0xfe731894 in g_main_loop_run () from /usr/pack/gtk-2.8.13-ds/sun4u-sun-solaris2.8/lib/libglib-2.0.so.0
#36 0xfea20b84 in gtk_main () at gtkmain.c:991
#37 0xfc9c9078 in nsAppShell::Run () from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/components/libwidget_gtk2.so
#38 0xfb2aaf1c in nsAppStartup::Run ()
   from /usr/pack/firefox-1.5.0.1-ds/sun4u-sun-solaris2.8/firefox/components/libtoolkitcomps.so
#39 0x000226c4 in XRE_main ()
#40 0x00018280 in _start ()
#41 0x00018280 in _start ()

Comment 1

12 years ago

*** This bug has been marked as a duplicate of 210931 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → DUPLICATE

Updated

12 years ago
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.