Bug 380100: Save() crashes canvas
Status: RESOLVED FIXED (Opened 18 years ago, Closed 18 years ago)
Categories: Core :: Graphics: Canvas2D, defect
People: Reporter: pvnick, Assigned: MatsPalmgren_bugz
Details: 4 keywords, Whiteboard: [sg:critical?] 1.8-branch only
Attachments (4 files):
192 bytes, text/html
4.92 KB, text/plain
3.10 KB, patch (vlad: review+, vlad: superreview+, dveditz: approval1.8.1.5+)
2.86 KB, patch (vlad: review+, vlad: superreview+, dveditz: approval1.8.0.13+)
No description provided.
Updated•18 years ago (Reporter)
Comment 1•18 years ago
Doesn't crash for me, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070506 Minefield/3.0a5pre
Could you post a talkback ID or a stacktrace?
Comment 2•18 years ago
WFM, Linux, trunk, but I see the crash on branch
0x000000321c2756a4 in memcpy () from /lib64/libc.so.6
(gdb) bt
#0 0x000000321c2756a4 in memcpy () from /lib64/libc.so.6
#1 0x00002aaab1246ea3 in _cairo_pen_init_copy (pen=0x175e518, other=0x198d158) at /home/smaug/mozilla/mozilla_cvs/18_branch/mozilla/gfx/cairo/cairo/src/cairo-pen.c:143
#2 0x00002aaab1240240 in _cairo_gstate_clone (gstate=0x198cff0) at /home/smaug/mozilla/mozilla_cvs/18_branch/mozilla/gfx/cairo/cairo/src/cairo-gstate.c:166
#3 0x00002aaab123c0e6 in *INT_cairo_save (cr=0x15ab8f0) at /home/smaug/mozilla/mozilla_cvs/18_branch/mozilla/gfx/cairo/cairo/src/cairo.c:289
#4 0x00002aaab0f2c0fb in nsCanvasRenderingContext2D::Save (this=0x16a93f0) at /home/smaug/mozilla/mozilla_cvs/18_branch/mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp:1147
#5 0x00002aaaaae99f97 in XPTC_InvokeByIndex (that=0x16a93f0, methodIndex=4, paramCount=0, params=0x7fff94d16dd0) at /home/smaug/mozilla/mozilla_cvs/18_branch/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_linux.cpp:209
#6 0x00002aaaaecf5d4b in XPCWrappedNative::CallMethod (ccx=@0x7fff94d17150, mode=Variable "mode" is not available.
Comment 3•18 years ago
WFM on the trunk, but a branch build crashes with this stack.
Updated•18 years ago
OS: Windows XP → All
Hardware: PC → All
Version: Trunk → 1.8 Branch
Oy. I wonder what's going on here; I'll take a look if no one beats me to it. I'm going to guess that cairo_pen_init_copy does something stupid with a really large pen due to the scale.
Assignee: nobody → vladimir
Comment 5•18 years ago (Assignee)
The attached testcase crashes because
if (pen->num_vertices > 0xffff) {
is not resetting num_vertices. This can potentially happen in a couple of
more places, which I also fixed. The 'clone->next' hunk is unrelated,
but since I stumbled upon it I might as well fix that too...
Assignee: vladimir → mats.palmgren
Status: NEW → ASSIGNED
Attachment #264396 - Flags: superreview?(vladimir)
Attachment #264396 - Flags: review?(vladimir)
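Added example, not part of the bug report and not cairo's code: a simplified model of the defect class comment 5 describes, where an init routine rejects a count above 0xffff but leaves the count set, next to a version that resets it on every failure path. The `pen_t` and `vertex_t` types and all function names are hypothetical, and the model assumes the copy routine sizes its memcpy from `num_vertices`.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_VERTICES 0xffff /* limit quoted in comment 5 */
/* Hypothetical stand-ins for a pen; these are not cairo's definitions. */
typedef struct { double x, y; } vertex_t;
typedef struct { int num_vertices; vertex_t *vertices; } pen_t;

/* Before: the over-limit path returns with num_vertices still set. */
static int pen_init_unsafe(pen_t *pen, int n) {
    pen->vertices = NULL;
    pen->num_vertices = n;
    if (pen->num_vertices > MAX_VERTICES) return -1; /* stale count */
    pen->vertices = calloc((size_t)n, sizeof(vertex_t));
    return pen->vertices ? 0 : -1;
}

/* After: the count is published only once storage exists. */
static int pen_init_safe(pen_t *pen, int n) {
    pen->vertices = NULL;
    pen->num_vertices = 0;
    if (n < 0 || n > MAX_VERTICES) return -1;
    if (n > 0 && !(pen->vertices = calloc((size_t)n, sizeof(vertex_t))))
        return -1;
    pen->num_vertices = n;
    return 0;
}

/* Invariant a copy routine depends on before it calls memcpy. */
static int pen_is_consistent(const pen_t *pen) {
    return pen->num_vertices >= 0 && pen->num_vertices <= MAX_VERTICES &&
           (pen->num_vertices == 0 || pen->vertices != NULL);
}

/* Copy that refuses a source whose count and storage disagree. */
static int pen_copy(pen_t *dst, const pen_t *src) {
    dst->vertices = NULL; dst->num_vertices = 0;
    if (!pen_is_consistent(src)) return -1;
    if (pen_init_safe(dst, src->num_vertices) != 0) return -1;
    if (src->num_vertices > 0)
        memcpy(dst->vertices, src->vertices,
               (size_t)src->num_vertices * sizeof(vertex_t));
    return 0;
}

int main(void) { /* constructed over-limit count; the copy must be refused */
    pen_t bad, copy;
    pen_init_unsafe(&bad, 0x10000);
    return pen_copy(&copy, &bad) == -1 ? 0 : 1;
}
```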
Comment 6•18 years ago (Assignee)
Attachment #264397 - Flags: superreview?(vladimir)
Attachment #264397 - Flags: review?(vladimir)
Attachment #264396 - Flags: superreview?(vladimir)
Attachment #264396 - Flags: superreview+
Attachment #264396 - Flags: review?(vladimir)
Attachment #264396 - Flags: review+
Attachment #264397 - Flags: superreview?(vladimir)
Attachment #264397 - Flags: superreview+
Attachment #264397 - Flags: review?(vladimir)
Attachment #264397 - Flags: review+
Updated•18 years ago (Assignee)
Attachment #264396 - Flags: approval1.8.1.5?
Updated•18 years ago (Assignee)
Attachment #264397 - Flags: approval1.8.0.13?
Updated•18 years ago
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Keywords: crash
Whiteboard: [sg:critical?] 1.8-branch only
Updated•18 years ago
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Comment 7•18 years ago
Comment on attachment 264396
Branch 1.8 patch, rev. 1
approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Attachment #264396 - Flags: approval1.8.1.5? → approval1.8.1.5+
Updated•18 years ago
Attachment #264397 - Flags: approval1.8.0.13? → approval1.8.0.13+
Comment 8•18 years ago (Assignee)
Comment on attachment 264396
Branch 1.8 patch, rev. 1
Checked in to MOZILLA_1_8_BRANCH:
gfx/cairo/cairo/src/cairo-gstate.c 1.1.4.2
gfx/cairo/cairo/src/cairo-pen.c 1.1.4.5
Comment 9•18 years ago (Assignee)
Comment on attachment 264397
Branch 1.8.0 patch, rev. 1
Checked in to MOZILLA_1_8_0_BRANCH:
gfx/cairo/cairo/src/cairo-gstate.c 1.1.4.1.2.1
gfx/cairo/cairo/src/cairo-pen.c 1.1.4.1.2.1
Updated•18 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.0.13, fixed1.8.1.5
Resolution: --- → FIXED
Comment 10•18 years ago
verified fixed 1.8.1.5 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.5pre) Gecko/2007071004 BonEcho/2.0.0.5pre on Windows x64 SP2 and Linux Fedora F7 with the testcase from this bug.
No crash on Testcase with 1.8.1.5 - adding verified keyword
Keywords: fixed1.8.1.5 → verified1.8.1.5
Comment 11•18 years ago
This doesn't crash Thunderbird 1.5.0.13 (2007080918) but I cannot get it to
crash 1.5.0.12 either.
Comment 12•18 years ago
verified fixed 1.8.0.13 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.13pre) Gecko/20070822 Firefox/1.5.0.13pre
no crash on testcase - adding verified keyword
Keywords: fixed1.8.0.13 → verified1.8.0.13
Updated•18 years ago
Group: security
Flags: in-testsuite?