Status

Core
Canvas: 2D
--
critical
RESOLVED FIXED
10 years ago
10 years ago

People

(Reporter: Paul Nickerson, Assigned: mats)

Tracking

(Blocks: 1 bug, 4 keywords)

1.8 Branch
crash, testcase, verified1.8.0.13, verified1.8.1.5
Points:
---
Bug Flags:
blocking1.8.1.5 +
blocking1.8.0.13 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] 1.8-branch only)

Attachments

(4 attachments)

(Reporter)

Description

10 years ago
Created attachment 264173 [details]
This testcase crashes me all over the place, so it may have some scary potential.
(Reporter)

Updated

10 years ago
Blocks: 379903
Keywords: testcase
Doesn't crash for me, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070506 Minefield/3.0a5pre
Could you post a talkback ID or a stacktrace?

Comment 2

10 years ago
WFM, Linux, trunk, but I see the crash on branch
0x000000321c2756a4 in memcpy () from /lib64/libc.so.6
(gdb) bt
#0  0x000000321c2756a4 in memcpy () from /lib64/libc.so.6
#1  0x00002aaab1246ea3 in _cairo_pen_init_copy (pen=0x175e518, other=0x198d158)
    at /home/smaug/mozilla/mozilla_cvs/18_branch/mozilla/gfx/cairo/cairo/src/cairo-pen.c:143
#2  0x00002aaab1240240 in _cairo_gstate_clone (gstate=0x198cff0)
    at /home/smaug/mozilla/mozilla_cvs/18_branch/mozilla/gfx/cairo/cairo/src/cairo-gstate.c:166
#3  0x00002aaab123c0e6 in *INT_cairo_save (cr=0x15ab8f0)
    at /home/smaug/mozilla/mozilla_cvs/18_branch/mozilla/gfx/cairo/cairo/src/cairo.c:289
#4  0x00002aaab0f2c0fb in nsCanvasRenderingContext2D::Save (this=0x16a93f0)
    at /home/smaug/mozilla/mozilla_cvs/18_branch/mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp:1147
#5  0x00002aaaaae99f97 in XPTC_InvokeByIndex (that=0x16a93f0, methodIndex=4, paramCount=0, params=0x7fff94d16dd0)
    at /home/smaug/mozilla/mozilla_cvs/18_branch/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_linux.cpp:209
#6  0x00002aaaaecf5d4b in XPCWrappedNative::CallMethod (ccx=@0x7fff94d17150, mode=Variable "mode" is not available.
Created attachment 264176 [details]
branch stack

WFM on the trunk, but a branch build crashes with this stack.
OS: Windows XP → All
Hardware: PC → All
Version: Trunk → 1.8 Branch
Oy.  I wonder what's going on here; I'll take a look if no one beats me to it.  I'm going to guess that cairo_pen_init_copy does something stupid with a really large pen due to the scale.
Assignee: nobody → vladimir
(Assignee)

Comment 5

10 years ago
Created attachment 264396 [details] [diff] [review]
Branch 1.8 patch, rev. 1

The attached testcase crashes because 
     if (pen->num_vertices > 0xffff) {
is not resetting num_vertices.  This can potentially happen in a couple
more places, which I also fixed.  The 'clone->next' hunk is unrelated,
but since I stumbled upon it I might as well fix that too...
Assignee: vladimir → mats.palmgren
Status: NEW → ASSIGNED
Attachment #264396 - Flags: superreview?(vladimir)
Attachment #264396 - Flags: review?(vladimir)
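To make the failure mode described in comment 5 concrete, here is a small C model written for this page; it is not cairo's code and not the attached patch. It uses an assumed pen shape (a vertex count plus a heap array, like the one `_cairo_pen_init_copy` walks in the stack above), an init routine that rejects counts over 0xffff but leaves `num_vertices` set, the same routine with every error path resetting the pen, and a copy routine that, as the crash site does, sizes its memcpy from the source's count. The struct layout, the function names, the `-2` return code and the `0x10000` input are assumptions; the 0xffff bound and the stale-count behaviour are what the comment states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-ins for cairo's pen types (not cairo's real definitions):
 * a vertex count and a heap array holding that many vertices. */
typedef struct { int32_t x, y; } pen_vertex_t;
typedef struct { unsigned num_vertices; pen_vertex_t *vertices; } pen_t;

#define PEN_MAX_VERTICES 0xffffu

/* Model of the pre-fix branch behaviour: the bound check rejects the pen,
 * but num_vertices keeps the oversized value and vertices is left untouched. */
static int pen_init_unfixed(pen_t *pen, unsigned needed)
{
    pen->num_vertices = needed;
    if (pen->num_vertices > PEN_MAX_VERTICES)
        return -1;                      /* error path leaves num_vertices stale */
    pen->vertices = calloc(pen->num_vertices, sizeof *pen->vertices);
    return pen->vertices ? 0 : -1;
}

/* Model of the fix: every failing path leaves the pen empty, so a later
 * copy sees a zero count and never reads from vertices. */
static int pen_init_fixed(pen_t *pen, unsigned needed)
{
    pen->num_vertices = 0;
    pen->vertices = NULL;
    if (needed > PEN_MAX_VERTICES)
        return -1;
    pen->vertices = calloc(needed, sizeof *pen->vertices);
    if (pen->vertices == NULL)
        return -1;
    pen->num_vertices = needed;
    return 0;
}

/* Bytes a copy routine that trusts num_vertices hands to memcpy. */
static size_t pen_copy_bytes(const pen_t *other)
{
    return (size_t)other->num_vertices * sizeof *other->vertices;
}

/* Copy in the spirit of _cairo_pen_init_copy: duplicate the struct, then
 * allocate and memcpy num_vertices entries out of other->vertices.  The
 * consistency check is added hardening; the crashing build copied unconditionally. */
static int pen_init_copy(pen_t *pen, const pen_t *other)
{
    *pen = *other;
    if (pen->num_vertices == 0)
        return 0;
    if (other->vertices == NULL || other->num_vertices > PEN_MAX_VERTICES)
        return -2;                      /* count and buffer disagree: refuse */
    pen->vertices = malloc(pen_copy_bytes(other));
    if (pen->vertices == NULL)
        return -1;
    memcpy(pen->vertices, other->vertices, pen_copy_bytes(other));
    return 0;
}

/* Count left behind by the unfixed init on a fresh (zeroed) pen. */
static unsigned stale_count_after_unfixed_init(unsigned needed)
{
    pen_t pen = { 0, NULL };
    (void)pen_init_unfixed(&pen, needed);
    free(pen.vertices);                 /* still NULL on the rejected path */
    return pen.num_vertices;
}

/* Count left behind by the fixed init on a fresh pen. */
static unsigned count_after_fixed_init(unsigned needed)
{
    pen_t pen = { 0, NULL };
    (void)pen_init_fixed(&pen, needed);
    free(pen.vertices);
    return pen.num_vertices;
}

/* What cloning a pen rejected by the unfixed init yields with the hardened copy. */
static int copy_result_after_unfixed_init(unsigned needed)
{
    pen_t src = { 0, NULL }, dst;
    (void)pen_init_unfixed(&src, needed);
    int rc = pen_init_copy(&dst, &src);
    if (rc == 0)
        free(dst.vertices);
    free(src.vertices);
    return rc;
}

int main(void)
{
    unsigned big = 0x10000u;            /* one past the 0xffff bound (assumed input) */
    printf("unfixed init leaves num_vertices=%#x; a trusting copy would memcpy %zu bytes from a NULL source\n",
           stale_count_after_unfixed_init(big), (size_t)big * sizeof(pen_vertex_t));
    printf("fixed init leaves num_vertices=%u\n", count_after_fixed_init(big));
    printf("hardened copy of the stale pen returns %d\n", copy_result_after_unfixed_init(big));
    return 0;
}
```

The point the model makes is the one a reviewer wants from the patch: an allocation-size guard that returns early must also restore the object's invariant (count zero, buffer NULL), because the next consumer of that object, here the gstate clone triggered by `save()`, sizes an unchecked memcpy from the count alone.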
(Assignee)

Comment 6

10 years ago
Created attachment 264397 [details] [diff] [review]
Branch 1.8.0 patch, rev. 1
Attachment #264397 - Flags: superreview?(vladimir)
Attachment #264397 - Flags: review?(vladimir)
Attachment #264396 - Flags: superreview?(vladimir)
Attachment #264396 - Flags: superreview+
Attachment #264396 - Flags: review?(vladimir)
Attachment #264396 - Flags: review+
Attachment #264397 - Flags: superreview?(vladimir)
Attachment #264397 - Flags: superreview+
Attachment #264397 - Flags: review?(vladimir)
Attachment #264397 - Flags: review+
(Assignee)

Updated

10 years ago
Attachment #264396 - Flags: approval1.8.1.5?
(Assignee)

Updated

10 years ago
Attachment #264397 - Flags: approval1.8.0.13?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Keywords: crash
Whiteboard: [sg:critical?] 1.8-branch only
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Comment on attachment 264396 [details] [diff] [review]
Branch 1.8 patch, rev. 1

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Attachment #264396 - Flags: approval1.8.1.5? → approval1.8.1.5+
Attachment #264397 - Flags: approval1.8.0.13? → approval1.8.0.13+
(Assignee)

Comment 8

10 years ago
Comment on attachment 264396 [details] [diff] [review]
Branch 1.8 patch, rev. 1

Checked in to MOZILLA_1_8_BRANCH:
gfx/cairo/cairo/src/cairo-gstate.c  1.1.4.2
gfx/cairo/cairo/src/cairo-pen.c     1.1.4.5
(Assignee)

Comment 9

10 years ago
Comment on attachment 264397 [details] [diff] [review]
Branch 1.8.0 patch, rev. 1

Checked in to MOZILLA_1_8_0_BRANCH:
gfx/cairo/cairo/src/cairo-gstate.c  1.1.4.1.2.1
gfx/cairo/cairo/src/cairo-pen.c     1.1.4.1.2.1
(Assignee)

Updated

10 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Keywords: fixed1.8.0.13, fixed1.8.1.5
Resolution: --- → FIXED
verified fixed 1.8.1.5 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.5pre) Gecko/2007071004 BonEcho/2.0.0.5pre on Windows x64 SP2 and Linux Fedora F7 with the testcase from this bug.

No crash on Testcase with 1.8.1.5 - adding verified keyword
Keywords: fixed1.8.1.5 → verified1.8.1.5
This doesn't crash Thunderbird 1.5.0.13 (2007080918) but I cannot get it to crash 1.5.0.12 either.
verified fixed 1.8.0.13 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.13pre) Gecko/20070822 Firefox/1.5.0.13pre

no crash on testcase - adding verified keyword
Keywords: fixed1.8.0.13 → verified1.8.0.13
Group: security
Flags: in-testsuite?