Closed Bug 391028 Opened 13 years ago Closed 12 years ago

drawImage with broken PNG draws random memory

Categories

(Core :: Canvas: 2D, defect)

x86
All
defect
Not set

Tracking

()

RESOLVED FIXED

People

(Reporter: philip, Assigned: vlad)

References

Details

(4 keywords, Whiteboard: [sg:low])

Attachments

(4 files)

User-Agent:       Opera/9.22 (X11; Linux i686; U; en)
Build Identifier: 

With a broken PNG file (which causes "The image [...] cannot be displayed, because it contains errors." when opened in the browser normally), calling drawImage results in random stuff being drawn onto the canvas each time the page is reloaded.

Reproduced with:
    Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
    Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
    Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a8pre) Gecko/2007080504 Minefield/3.0a8pre

Couldn't reproduce in
    Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a8pre) Gecko/2007080505 Minefield/3.0a8pre
(it only ever gave a black rectangle).

HTML 5 says at http://www.whatwg.org/specs/web-apps/current-work/#complete that img.complete should be false if the image wasn't valid, and http://www.whatwg.org/specs/web-apps/current-work/#drawimage says that should cause INVALID_STATE_ERR in drawImage.


Reproducible: Always
Attached file test case
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9?
Assignee: nobody → vladimir
Flags: blocking1.9? → blocking1.9+
This should fix it; something similar can go in on the branch.
Attachment #282781 - Flags: review?(pavlov)
Attachment #282781 - Flags: review?(pavlov)
Attachment #282781 - Flags: review+
Attachment #282781 - Flags: approval1.9+
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Attached patch er. followup.Splinter Review
Wrong line in the previous patch, sigh.
Flags: blocking1.8.1.10+
Whiteboard: [sg:low]
Comment on attachment 282781 [details] [diff] [review]
add a check for completed load status

approved for 1.8.1.10, a=dveditz for release-drivers
Attachment #282781 - Flags: approval1.8.1.10? → approval1.8.1.10+
Checked into 1.8 branch
Keywords: fixed1.8.1.10
verified fixed 1.8.1.10 using Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/2007111504 Firefox/2.0.0.10 and the testcase

- adding verified keyword

Group: security
Has this caused bug 405584?
(In reply to comment #7)
> Has this caused bug 405584?
> 

yes, the followup attachment 284556 [details] [diff] [review] wasn't checked in. 
Attachment #284556 - Flags: review?(pavlov)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
This is still FIXED on the trunk. Bug 405584  tracks the branch regression.
Status: REOPENED → RESOLVED
Closed: 13 years ago12 years ago
Depends on: 405584
Resolution: --- → FIXED
No longer depends on: 405584
Attachment #284556 - Flags: review?(pavlov) → review+
Attachment #284556 - Flags: approval1.8.1.11?
Comment on attachment 284556 [details] [diff] [review]
er. followup.

appears to have landed, though without approval. (Granted, I do feel its a safe and needed landing, but I wonder why it skipped approval)
(In reply to comment #10)
> (From update of attachment 284556 [details] [diff] [review])
> appears to have landed, though without approval. (Granted, I do feel its a safe
> and needed landing, but I wonder why it skipped approval)

The patch had a=release-drivers to land. The flag just wasn't marked as such on the patch. I'm sure dveditz or somebody will set the flag when they get to it, but it definitely had approval to land. :)
Attachment #284556 - Flags: approval1.8.1.12?
Attachment #284556 - Flags: approval1.8.1.12+
Attachment #284556 - Flags: approval1.8.1.11+
Sorry for the missing approvals, this one-bugfix release was mostly handled real-time on IRC. Nick had approvals to land on the _RELBRANCH and the mozilla 1.8 branch
Verified for 1.8.1.12 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008012208 BonEcho/2.0.0.12pre.
Attachment #307242 - Flags: approval1.8.0.15?
Flags: blocking1.8.0.15+
Comment on attachment 307242 [details] [diff] [review]
combined for 1.8.0

a=caillon for 1.8.0.15
Attachment #307242 - Flags: approval1.8.0.15? → approval1.8.0.15+
You need to log in before you can comment on or make changes to this bug.