Closed
Bug 403363
Opened 17 years ago
Closed 17 years ago
crash loading image [@ imgContainer::DrawFrameTo]
Categories: (Core :: Graphics: ImageLib, defect, P2)
Tracking: VERIFIED FIXED, mozilla1.9beta2
People: (Reporter: polidobj, Assigned: alfredkayser)
Details: (Keywords: crash, regression, topcrash+)
Attachments (3 files)
48.68 KB, image/gif
3.27 KB, patch (pavlov: review+, tor: superreview+)
97.05 KB, image/gif
Loading the attached image crashes.
20071107 works
20071108 crash
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=PhoenixTinderbox&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-11-07+04%3A00%3A00&maxdate=2007-11-08+05%3A00%3A00&cvsroot=%2Fcvsroot
Breakpad reports have come for Windows and Mac.
Flags: blocking1.9?
Updated•17 years ago (Reporter)
Keywords: regression
Comment 1•17 years ago (Assignee)
The problem is in the ASSERTION in imgContainer.cpp line 1122:
    // dstRect must fully fit within destination image
    NS_ASSERTION((aDstRect.x >= 0) && (aDstRect.y >= 0) &&
                 (aDstRect.x + aDstRect.width <= dstRect.width) &&
                 (aDstRect.y + aDstRect.height <= dstRect.height),
                 "imgContainer::DrawFrameTo: Invalid aDstRect");
    // dstRect size may be smaller than source, but not larger
    NS_ASSERTION((aDstRect.width <= srcRect.width) &&
                 (aDstRect.height <= srcRect.height),
                 "imgContainer::DrawFrameTo: source and dest size must be equal");
The image in question does have a bad y offset (397) while the total image is only 224x244 big.
Instead of only asserting on these values, we need to really catch them (and clip where possible, or abort frame composition).
Assignee: nobody → alfredkayser
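What comment 1 asks for (clip where possible, otherwise abort frame composition), as an added sketch that is neither the patch attached to this bug nor Mozilla's code. `Rect`, `ClipToCanvas` and `DrawFrameClipped` are hypothetical names, and the 8-bit-per-pixel buffers are an assumption.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical stand-in for a frame rectangle; not Mozilla's rect type.
struct Rect { int32_t x, y, width, height; };

// Intersect the frame's declared placement with the canvas.
// Returns false when no part of the frame lies inside the canvas, so the
// caller can skip composing it. Unlike an assertion, this check is still
// present in release builds. 64-bit math keeps x + width from overflowing.
bool ClipToCanvas(const Rect& frame, int32_t canvasW, int32_t canvasH, Rect* out) {
  if (frame.width <= 0 || frame.height <= 0 || canvasW <= 0 || canvasH <= 0)
    return false;
  int64_t x0 = std::max<int64_t>(frame.x, 0);
  int64_t y0 = std::max<int64_t>(frame.y, 0);
  int64_t x1 = std::min<int64_t>(int64_t(frame.x) + frame.width, canvasW);
  int64_t y1 = std::min<int64_t>(int64_t(frame.y) + frame.height, canvasH);
  if (x0 >= x1 || y0 >= y1) return false;
  *out = Rect{int32_t(x0), int32_t(y0), int32_t(x1 - x0), int32_t(y1 - y0)};
  return true;
}

// Copy an 8-bit frame into an 8-bit canvas, writing only the clipped region.
// Returns the number of pixels written; 0 means the frame was rejected.
size_t DrawFrameClipped(const std::vector<uint8_t>& src, const Rect& frame,
                        std::vector<uint8_t>& dst, int32_t canvasW, int32_t canvasH) {
  Rect clip;
  if (!ClipToCanvas(frame, canvasW, canvasH, &clip)) return 0;
  // Both buffers must really hold what their declared dimensions claim.
  if (src.size() < size_t(frame.width) * size_t(frame.height)) return 0;
  if (dst.size() < size_t(canvasW) * size_t(canvasH)) return 0;
  for (int32_t row = 0; row < clip.height; ++row) {
    size_t srcOff = size_t(int64_t(clip.y) - frame.y + row) * size_t(frame.width) +
                    size_t(int64_t(clip.x) - frame.x);
    size_t dstOff = size_t(clip.y + row) * size_t(canvasW) + size_t(clip.x);
    std::memcpy(&dst[dstOff], &src[srcOff], size_t(clip.width));
  }
  return size_t(clip.width) * size_t(clip.height);
}
```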
Comment 2•17 years ago (Assignee)
Attachment #288216 - Flags: review?(pavlov)
Updated•17 years ago
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Comment 3•17 years ago (Assignee)
Open this one with IrfanView, and you can see how screwed the animation is...
With my patch, gecko doesn't crash on this image anymore.
Comment 4•17 years ago
I hit this on a myspace page, it probably has a similarly screwed up image:
http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=215157965
Comment 8•17 years ago
This is currently the #2 topcrash on trunk.
http://crash-stats.mozilla.com/topcrasher/byversion/Firefox/3.0b2pre
http://tinyurl.com/37nwbd
Comment 9•17 years ago (Assignee)
Given the straightforward patch, and the clear testcases, this could be reviewed and applied quite quickly.
Updated•17 years ago
Attachment #288216 - Flags: review?(pavlov) → review+
Updated•17 years ago (Assignee)
Attachment #288216 - Flags: superreview?(tor)
Attachment #288216 - Flags: superreview?(tor) → superreview+
Comment 11•17 years ago
Checking in modules/libpr0n/src/imgContainer.cpp;
/cvsroot/mozilla/modules/libpr0n/src/imgContainer.cpp,v <-- imgContainer.cpp
new revision: 1.61; previous revision: 1.60
done
Status: NEW → RESOLVED
Closed: 17 years ago
Component: GFX → ImageLib
QA Contact: general → imagelib
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M10
Updated•17 years ago (Assignee)
Attachment #288296 - Attachment is patch: false
Attachment #288296 - Attachment mime type: text/plain → image/gif
Comment 12•17 years ago (Assignee)
bug 403985, bug 403757, bug 403580 and the link in comment #4, and the two test images don't crash anymore.
But, the link in bug 403578 still crashes... (the offending gif image seems to have a tpixel outside the colormap (global_colormap_depth=3 (so 8 colors), and tpixel=15)).
Updated•17 years ago (Assignee)
Status: RESOLVED → VERIFIED
Updated•17 years ago
Flags: in-testsuite?
Updated•14 years ago
Crash Signature: [@ imgContainer::DrawFrameTo]