Closed
Bug 329889
Opened 19 years ago
Closed 19 years ago
Crash in [@ imgContainerGIF::GetFrameAt] when dragging a corrupted gif file
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: tbertels+bugzilla, Assigned: darin.moz)
References
Details
(5 keywords)
Crash Data
Attachments
(5 files, 1 obsolete file)
11 bytes,
image/gif
|
Details | |
145 bytes,
text/html
|
Details | |
257 bytes,
text/html
|
Details | |
19.28 KB,
text/plain
|
Details | |
1.26 KB,
patch
|
pavlov
:
review+
dveditz
:
superreview+
pavlov
:
approval-branch-1.8.1+
dveditz
:
approval1.8.0.4+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
TB16130387E
Reproduced with Firefox 1.9a1 2006030807 and Thunderbird 1.5.
Reproducible: Always
Steps to Reproduce:
1. Drag a corrupted gif image
Actual Results:
crash
This only happens if the file has the gif extension (tested png and jpg).
Reporter | ||
Comment 1•19 years ago
|
||
This is just a text file with the gif extension.
Reporter | ||
Comment 2•19 years ago
|
||
Just drag the image to crash the browser.
I forgot to mention that the "gif image" can be attached to a mail to crash the mail client.
Reporter | ||
Updated•19 years ago
|
Comment 3•19 years ago
|
||
I'm not seeing an image (not even the broken image icon), so there isn't anything to drag for me.
From talkback ID:
imgContainerGIF::GetFrameAt [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/modules/libpr0n/decoders/gif/imgContainerGIF.cpp, line 142]
nsTransferableFactory::Produce [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsContentAreaDragDrop.cpp, line 1240]
nsTransferableFactory::CreateFromEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsContentAreaDragDrop.cpp, line 943]
nsContentAreaDragDrop::CreateTransferable [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsContentAreaDragDrop.cpp, line 668]
DispatchToInterface [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 141]
nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1779]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2153]
nsXULElement::HandleChromeEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2833]
nsGlobalWindow::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1585]
nsDocument::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp, line 4013]
nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2206]
nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2198]
nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2198]
nsHTMLImageElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLImageElement.cpp, line 507]
nsEventStateManager::GenerateDragGesture [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 1608]
nsEventStateManager::PreHandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 521]
PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6368]
PresShell::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6210]
nsViewManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2559]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252]
nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5982]
ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6233]
nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434]
USER32.dll + 0x3a68 (0x77d13a68)
USER32.dll + 0x3b37 (0x77d13b37)
USER32.dll + 0x3d91 (0x77d13d91)
USER32.dll + 0x3df7 (0x77d13df7)
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x214c7 (0x77e614c7)
Reporter | ||
Comment 4•19 years ago
|
||
(In reply to comment #3)
> I'm not seeing an image (not even the broken image icon), so there isn't
> anything to drag for me.
Well, I don't know which version you're using, but anyway the image is at the top left corner of the testcase page.
Comment 5•19 years ago
|
||
I'm using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060308 Firefox/1.6a1
and:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060118 SeaMonkey/1.5a Mnenhy/0.7.3.0
In both cases, the broken image disappears for me when the page has finished loading.
Reporter | ||
Comment 6•19 years ago
|
||
You're right, I didn't notice it.
I fixed the width and height to make it visible.
Attachment #214541 -
Attachment is obsolete: true
Comment 7•19 years ago
|
||
I can confirm the crash also in a linux build:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20060308 SeaMonkey/1.5a
BE
Reporter | ||
Updated•19 years ago
|
OS: Windows XP → All
Updated•19 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 8•19 years ago
|
||
Ok, this regressed between 2004-09-13 and 2004-09-16:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2004-09-13+07&maxdate=2004-09-16+09&cvsroot=%2Fcvsroot
Maybe because of bug 258121?
Comment 9•19 years ago
|
||
In comment 3, I mentioned I could not see the image with the testcase, using current trunk build. Actually that's a regression, I filed bug 329896 for that.
Comment 10•19 years ago
|
||
No, backing out the patch for bug 258121 doesn't help.
Updated•19 years ago
|
Summary: Crash when dragging a corrupted gif file → Crash in [@ imgContainerGIF::GetFrameAt] when dragging a corrupted gif file
Comment 11•19 years ago
|
||
Comment 12•19 years ago
|
||
So this seems to be a regression from bug 96108, caused by the check-in of https://bugzilla.mozilla.org/attachment.cgi?id=158824.
First I get an assertion:
#1 0x6ff47483 in Break(char const*) (
aMsg=0x22d8b8 "###!!! ASSERTION: index out of range: '0 <= aIndex && aIndex
< Count()', file ../../../dist/include/xpcom/nsVoidArray.h, line 71")
at c:/mozilla/mozilla/xpcom/base/nsDebugImpl.cpp:434
#2 0x6ff471e0 in NS_DebugBreak_P (aSeverity=1,
aStr=0x65d09fb0 "index out of range",
aExpr=0x65d09f90 "0 <= aIndex && aIndex < Count()",
aFile=0x65d09f50 "../../../dist/include/xpcom/nsVoidArray.h", aLine=71)
at c:/mozilla/mozilla/xpcom/base/nsDebugImpl.cpp:351
#3 0x65d563f0 in nsVoidArray::FastElementAt(int) const (this=0xee08b24,
aIndex=0) at ../../../../dist/include/xpcom/nsVoidArray.h:71
The the crash:
#0 0x65d563f8 in nsVoidArray::FastElementAt(int) const (this=0xee08b24,
aIndex=0) at ../../../../dist/include/xpcom/nsVoidArray.h:72
#1 0x65d565b4 in nsCOMArray_base::ObjectAt(int) const (this=0xee08b24,
aIndex=0) at ../../../../dist/include/xpcom/nsCOMArray.h:100
#2 0x65d56378 in nsCOMArray<gfxIImageFrame>::ObjectAt(int) const (
this=0xee08b24, aIndex=0)
at ../../../../dist/include/xpcom/nsCOMArray.h:160
#3 0x65d56394 in nsCOMArray<gfxIImageFrame>::operator[](int) const (
this=0xee08b24, aIndex=0)
at ../../../../dist/include/xpcom/nsCOMArray.h:170
Updated•19 years ago
|
Comment 13•19 years ago
|
||
Hitting that assertion in FastElementAt is a bad sign.
Flags: blocking1.8.0.3?
Updated•19 years ago
|
Assignee: nobody → pavlov
Component: XPCOM → ImageLib
Summary: Crash in [@ imgContainerGIF::GetFrameAt] when dragging a corrupted gif file → Crash in [@ imgContainerGIF::GetFrameAt] when dragging broken image (e.g. corrupted gif file)
Reporter | ||
Comment 14•19 years ago
|
||
e.g. corrupted gif file ?
This bug hasn't been reproduced with other files extensions (see the bug details).
Comment 15•19 years ago
|
||
Oops, I didn't mean to make that change to the summary. Reverting now.
Summary: Crash in [@ imgContainerGIF::GetFrameAt] when dragging broken image (e.g. corrupted gif file) → Crash in [@ imgContainerGIF::GetFrameAt] when dragging a corrupted gif file
Updated•19 years ago
|
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Assignee | ||
Comment 16•19 years ago
|
||
simple patch. protect against calls to GetFrameAt that would dereference beyond the end of the array.
Comment 17•19 years ago
|
||
pav, can you review?
Comment 18•19 years ago
|
||
Comment on attachment 219693 [details] [diff] [review]
v1 patch
sr=dveditz
trying a different reviewer
Attachment #219693 -
Flags: superreview+
Attachment #219693 -
Flags: review?(pavlov)
Attachment #219693 -
Flags: review?(cbiesinger)
Comment 19•19 years ago
|
||
Comment on attachment 219693 [details] [diff] [review]
v1 patch
I don't think pav would appreciate me reviewing imagelib patches
but, why does the caller pass an out-of-range index here?
Attachment #219693 -
Flags: review?(cbiesinger) → review?(pavlov)
Comment 20•19 years ago
|
||
yeah, i'd like to know the same -- we shouldn't ever hit this case and should probably protect it somewhere else.
Assignee | ||
Comment 21•19 years ago
|
||
> yeah, i'd like to know the same -- we shouldn't ever hit this case and should
> probably protect it somewhere else.
Probably true, but this is a scriptable interface. The general rule is that any scriptable interface must protect against out-of-bound input errors (including null pointers). We try to make sure that Javascript extensions cannot crash the app.
Assignee | ||
Comment 22•19 years ago
|
||
Note: I'm converting a crash into a warning. We can still track down the cause of the warning. Since there is a code-freeze coming up on Monday for 1.5.0.4, I'd really like to see this crash fixed in that release. I won't have a chance to investigate this crash further before then.
Updated•19 years ago
|
Whiteboard: needs r=pavlov, a1.8.1=pavlov
Comment 23•19 years ago
|
||
Comment on attachment 219693 [details] [diff] [review]
v1 patch
Pav: please green-light this band-aide for the 1.8.0.4 release. Or propose an alternative.
Attachment #219693 -
Flags: approval-branch-1.8.1?(pavlov)
Comment 24•19 years ago
|
||
Comment on attachment 219693 [details] [diff] [review]
v1 patch
r/approval+ -- leave this open and someone find a real fix please.
Attachment #219693 -
Flags: review?(pavlov)
Attachment #219693 -
Flags: review+
Attachment #219693 -
Flags: approval-branch-1.8.1?(pavlov)
Attachment #219693 -
Flags: approval-branch-1.8.1+
Updated•19 years ago
|
Whiteboard: needs r=pavlov, a1.8.1=pavlov → needs branch landing
Comment 25•19 years ago
|
||
Comment on attachment 219693 [details] [diff] [review]
v1 patch
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #219693 -
Flags: approval1.8.0.4+
Assignee | ||
Comment 26•19 years ago
|
||
fixed-on-trunk, fixed1.8.1, fixed1.8.0.4
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8.0.4,
fixed1.8.1
Resolution: --- → FIXED
Comment 27•19 years ago
|
||
Filed followup bug 329889: "Dragging broken GIF shouldn't call imgContainerGIF::GetFrameAt(0)".
Comment 28•19 years ago
|
||
Sorry, bug 336295.
Verified FIXED on SeaMonkey trunk / Windows XP using build 2006-05-03-10.
Status: RESOLVED → VERIFIED
Assignee | ||
Comment 30•19 years ago
|
||
*** Bug 320685 has been marked as a duplicate of this bug. ***
Updated•19 years ago
|
Flags: blocking1.9a1?
Whiteboard: needs branch landing
Comment 31•19 years ago
|
||
v.fixed on 1.8.0 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4, no crash with either testcase, and no incidents in current Firefox15 Talkback data.
Keywords: fixed1.8.0.4 → verified1.8.0.4
Updated•13 years ago
|
Crash Signature: [@ imgContainerGIF::GetFrameAt]
You need to log in
before you can comment on or make changes to this bug.
Description
•