Closed Bug 331284 Opened 14 years ago Closed 14 years ago
Crash with animated GIF, XUL, and float: right
[sg:critical] because:
* |this| is 0xdadadaNN in one of the stacks I see with the reduced testcase.
* Before reducing the testcase, I saw a random hex address at the top of the stack once or twice.
* I heard that crashes with animated GIF stuff on the stack are likely to be security holes.
This testcase causes crashes with many signatures, including:
[@ nsIFrame::Invalidate]
[@ nsStyleContext::GetStyleData]
[@ nsCachedStyleData::GetStyleData]
[@ nsImageFrame::SourceRectToDest]
[@ nsImageFrame::OnStartContainer]
Will bug 282173 fix this, like it is expected to fix bug 268575 and bug 324936?
Well, all my float crasher bugs were made dependent on bug 282173, so I guess this one should too.
Depends on: 282173
2006-04-08 mac trunk build: crashes
2006-04-10 mac trunk build: does not crash
-> FIXED by BuildFloatList removal.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
This testcase also crashes FF2/ff1.5.0.x, referencing deleted objects
Whiteboard: [sg:critical] → [sg:critical] deleted object (fixed by 282173)
https://bugzilla.mozilla.org/attachment.cgi?id=215842 ff2b2 no crash winxp, linux, macppc verified fixed 1.8
verified 22.214.171.124, no crash Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:126.96.36.199pre) Gecko/20060821 Firefox/188.8.131.52pre
Status: RESOLVED → VERIFIED
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+