Closed Bug 331284 Opened 14 years ago Closed 14 years ago

Crash with animated GIF, XUL, and float: right

Categories

(Core :: Layout, defect, critical)

PowerPC
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED

People

(Reporter: jruderman, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [sg:critical] deleted object (fixed by 282173))

Attachments

(1 file)

[sg:critical] because:
* |this| is 0xdadadaNN in one of the stacks I see with the reduced testcase.
* Before reducing the testcase, I saw a random hex address at the top of the stack once or twice.
* I heard that crashes with animated GIF stuff on the stack are likely to be security holes.
Whiteboard: [sg:critical]
This testcase causes crashes with many signatures, including:
[@ nsIFrame::Invalidate]
[@ nsStyleContext::GetStyleData]
[@ nsCachedStyleData::GetStyleData]
[@ nsImageFrame::SourceRectToDest]
[@ nsImageFrame::OnStartContainer]

Will bug 282173 fix this, like it is expected to fix bug 268575 and bug 324936?
Well, all my float crasher bugs were made dependent on bug 282173, so I guess this one should too.
Depends on: 282173
2006-04-08 mac trunk build: crashes
2006-04-10 mac trunk build: does not crash

-> FIXED by BuildFloatList removal.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
This testcase also crashes FF2/ff1.5.0.x, referencing deleted objects
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?
Whiteboard: [sg:critical] → [sg:critical] deleted object (fixed by 282173)
Flags: blocking1.8.1? → blocking1.8.1+
fix in bug 282173 was checked into the 1.8 branch
Keywords: fixed1.8.1
Flags: blocking1.8.0.6? → blocking1.8.0.6+
bug 282173 has been fixed on the 1.8.0 branch now.
Keywords: fixed1.8.0.7
https://bugzilla.mozilla.org/attachment.cgi?id=215842
ff2b2 no crash winxp, linux, macppc
verified fixed 1.8
verified 1.8.0.7, no crash

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060821 Firefox/1.5.0.7pre

Status: RESOLVED → VERIFIED
Group: security
Flags: in-testsuite?
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+