svg rect + scale + filter causes int overflow

RESOLVED WORKSFORME

Status

()

RESOLVED WORKSFORME
12 years ago
11 years ago

People

(Reporter: guninski, Unassigned)

Tracking

({crash, testcase})

Trunk
PowerPC
Mac OS X
crash, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

Created attachment 271408 [details]
svg6e.xml

<rect fill="red" width="256" height="256" filter="url(#dafilter)" transform="scale(262145,9)"  />

causes crash with signs of integer overflow.
the stack is blown.

may be related to Bug 361745
(In reply to comment #0)
> 
> may be related to Bug 361745
> 

ooops wrong bug.
the correct one is 
Bug 376713 – margin-top, height crash @ARGB32_image_mark on trunk macosx
Keywords: crash, testcase
Component: General → SVG
Product: Firefox → Core
QA Contact: general → general
Georgi, did you need to let this run for a while or does it crash immediately?  And on which build of Mac OS X are you seeing this? (Run System Profiler, choose Software, example: Mac OS X 10.4.10 (8R2218))

Running this for a few minutes seems to work for me but maybe this needs to run longer before it crashes.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a9pre) Gecko/2007092604 Minefield/3.0a9pre
(In reply to comment #2)
> Georgi, did you need to let this run for a while or does it crash immediately? 
> And on which build of Mac OS X are you seeing this? (Run System Profiler,
> choose Software, example: Mac OS X 10.4.10 (8R2218))
> 
> Running this for a few minutes seems to work for me but maybe this needs to run
> longer before it crashes.
> 

doesn't crash for me now.

software is mac os x 10.4.10 8R218



Comment 4

11 years ago
Marking as WFM based on comment 3.
Group: security
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → WORKSFORME

Updated

11 years ago
Flags: in-testsuite?

Comment 5

11 years ago
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.