Closed Bug 403363 Opened 15 years ago Closed 15 years ago

crash loading image [@ imgContainer::DrawFrameTo]

Categories

(Core :: Graphics: ImageLib, defect, P2)

x86
All
defect

VERIFIED FIXED
mozilla1.9beta2

People

(Reporter: polidobj, Assigned: alfredkayser)

Details

(Keywords: crash, regression, topcrash+)

Attachments

(3 files)

Keywords: regression
The problem is in the ASSERTION in imgContainer.cpp line 1122:
    // dstRect must fully fit within destination image 
    NS_ASSERTION((aDstRect.x >= 0) && (aDstRect.y >= 0) &&
                 (aDstRect.x + aDstRect.width <= dstRect.width) &&
                 (aDstRect.y + aDstRect.height <= dstRect.height),
                "imgContainer::DrawFrameTo: Invalid aDstRect");
    // dstRect size may be smaller than source, but not larger
    NS_ASSERTION((aDstRect.width <= srcRect.width) &&
                 (aDstRect.height <= srcRect.height),
                 "imgContainer::DrawFrameTo: source and dest size must be equal");

The image in question does have a bad y offset (397) while the total image is only 224x244 big.

Instead of only asserting on these values, we need to really catch them (and clip where possible, or abort frame composition).
Assignee: nobody → alfredkayser
Attachment #288216 - Flags: review?(pavlov)
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
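The comment above asks for the two NS_ASSERTIONs to become real checks (clip where possible, otherwise abort composition). The following is an added example written for this page, not the patch attached to the bug and not Mozilla's code: the Rect and Image types, the function names and the pixel data are assumptions; only the container size (224x244) and the bad y offset (397) come from the report. It shows a DrawFrameTo-style copy that clips the destination rect to the container, skips a frame that lies entirely outside, and rejects a frame whose bitmap is smaller than the rect it claims.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the rect and image types used by
 * imgContainer::DrawFrameTo (assumed names, not Mozilla's). */
typedef struct { int x, y, width, height; } Rect;
typedef struct { int width, height; uint32_t *pixels; } Image; /* 32-bit pixels, row-major */

/* Clip a frame's destination rect to the container bounds.
 * Returns 1 and fills *out with the visible part, or 0 when nothing
 * remains (frame entirely outside, or degenerate size), so the caller
 * aborts composition instead of writing out of bounds. */
static int clip_frame_rect(Rect frame, int cw, int ch, Rect *out) {
    if (frame.width <= 0 || frame.height <= 0) return 0;
    /* 64-bit arithmetic: x + width on attacker-controlled header values
     * must not wrap around and slip past the comparison. */
    int64_t x0 = frame.x, y0 = frame.y;
    int64_t x1 = x0 + frame.width, y1 = y0 + frame.height;
    if (x0 < 0) x0 = 0;
    if (y0 < 0) y0 = 0;
    if (x1 > cw) x1 = cw;
    if (y1 > ch) y1 = ch;
    if (x1 <= x0 || y1 <= y0) return 0;
    out->x = (int)x0;
    out->y = (int)y0;
    out->width = (int)(x1 - x0);
    out->height = (int)(y1 - y0);
    return 1;
}

/* Copy src into dst at frame_rect, clipped to dst. Returns the number of
 * pixels written, 0 if the frame was skipped, -1 if the frame bitmap is
 * smaller than the rect it claims (the bug's second assertion, enforced). */
static long draw_frame_to(Image *dst, const Image *src, Rect frame_rect) {
    Rect d;
    if (frame_rect.width > src->width || frame_rect.height > src->height) return -1;
    if (!clip_frame_rect(frame_rect, dst->width, dst->height, &d)) return 0;
    int sx0 = d.x - frame_rect.x;   /* source offset when clipped at the left/top edge */
    int sy0 = d.y - frame_rect.y;
    long written = 0;
    for (int row = 0; row < d.height; row++) {
        const uint32_t *s = src->pixels + (size_t)(sy0 + row) * (size_t)src->width + (size_t)sx0;
        uint32_t *t = dst->pixels + (size_t)(d.y + row) * (size_t)dst->width + (size_t)d.x;
        memcpy(t, s, (size_t)d.width * sizeof *t);
        written += d.width;
    }
    return written;
}

/* Constructed repro of the report: 224x244 container, frame header with
 * y offset 397 (dimensions from the bug; pixel data made up). */
static long demo_bad_offset(void) {
    Image dst = { 224, 244, calloc(224 * 244, sizeof(uint32_t)) };
    Image src = { 16, 16, calloc(16 * 16, sizeof(uint32_t)) };
    if (!dst.pixels || !src.pixels) { free(dst.pixels); free(src.pixels); return -3; }
    Rect frame = { 0, 397, 16, 16 };
    long n = draw_frame_to(&dst, &src, frame);   /* frame lies entirely below the container */
    free(dst.pixels);
    free(src.pixels);
    return n;
}

/* Constructed frame hanging off the bottom-right corner: only the
 * overlapping 24x14 block is drawn. */
static long demo_partial_overlap(void) {
    Image dst = { 224, 244, calloc(224 * 244, sizeof(uint32_t)) };
    Image src = { 40, 20, malloc(40 * 20 * sizeof(uint32_t)) };
    if (!dst.pixels || !src.pixels) { free(dst.pixels); free(src.pixels); return -3; }
    for (int i = 0; i < 40 * 20; i++) src.pixels[i] = 0xFFFF0000u;
    Rect frame = { 200, 230, 40, 20 };
    long n = draw_frame_to(&dst, &src, frame);
    /* the container's last pixel must be red, its first still untouched */
    int ok = dst.pixels[243 * 224 + 223] == 0xFFFF0000u && dst.pixels[0] == 0;
    free(dst.pixels);
    free(src.pixels);
    return ok ? n : -2;
}

int main(void) {
    printf("bad offset: %ld pixels drawn\n", demo_bad_offset());
    printf("partial overlap: %ld pixels drawn\n", demo_partial_overlap());
    return 0;
}
```

The clip is done in 64-bit so that a header whose x plus width wraps around cannot pass a bounds test that is only correct for small values; the frame-smaller-than-rect case is rejected outright rather than clipped, because clipping would not stop the read from running past the source bitmap.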
Open this one with IrfanView, and you can see how screwed the animation is...
With my patch, gecko doesn't crash on this image anymore.
I hit this on a myspace page; it probably has a similarly screwed-up image:
http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=215157965
Given the straightforward patch, and the clear testcases, this could be reviewed and applied quite quickly.
Attachment #288216 - Flags: review?(pavlov) → review+
Attachment #288216 - Flags: superreview?(tor)
Attachment #288216 - Flags: superreview?(tor) → superreview+
Checking in modules/libpr0n/src/imgContainer.cpp;
/cvsroot/mozilla/modules/libpr0n/src/imgContainer.cpp,v  <--  imgContainer.cpp
new revision: 1.61; previous revision: 1.60
done
Status: NEW → RESOLVED
Closed: 15 years ago
Component: GFX → ImageLib
QA Contact: general → imagelib
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M10
Attachment #288296 - Attachment is patch: false
Attachment #288296 - Attachment mime type: text/plain → image/gif
Bug 403985, bug 403757, bug 403580, the link in comment #4, and the two test images don't crash anymore.

But the link in bug 403578 still crashes... (the offending gif image seems to have a tpixel outside the colormap (global_colormap_depth=3 (so 8 colors), and tpixel=15)).
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Depends on: 408288
Crash Signature: [@ imgContainer::DrawFrameTo]
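The remaining crash is attributed above to a transparent index (tpixel=15) that no 8-entry colormap (depth 3) can contain. The block below is an added example for this page, not code from the bug or from Mozilla's GIF decoder: the GifState struct, the function names and the sample row are assumptions, with only the field names global_colormap_depth and tpixel and the values 3 and 15 taken from the comment. It shows a palette expansion that validates the declared transparent index and never indexes the colormap with an out-of-range pixel value, whether that value comes from the GCE or from the LZW stream.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical slice of GIF decoder state. Field names follow the ones
 * named in the comment (global_colormap_depth, tpixel); the struct itself
 * is an assumption, not nsGIFDecoder2's. */
typedef struct {
    int global_colormap_depth;   /* colormap holds 1 << depth entries, depth 1..8 */
    uint32_t colormap[256];      /* 0xAARRGGBB */
    int is_transparent;          /* Graphic Control Extension transparency flag */
    int tpixel;                  /* transparent index from the GCE, 0..255 */
} GifState;

/* Number of usable colormap entries, 0 for a depth the format cannot express. */
static int colormap_size(const GifState *g) {
    if (g->global_colormap_depth < 1 || g->global_colormap_depth > 8) return 0;
    return 1 << g->global_colormap_depth;
}

/* Is the declared transparent index actually addressable in this colormap?
 * With depth 3 (8 colours) and tpixel 15 this returns 0: the transparent
 * index can never name a real colour, so the file is malformed. */
static int tpixel_in_range(const GifState *g) {
    return g->tpixel >= 0 && g->tpixel < colormap_size(g);
}

/* Expand one row of palette indices to ARGB without ever indexing past
 * the colormap. Transparent pixels become 0; any index >= colormap size
 * is also emitted as 0 and counted in *bad instead of being looked up. */
static size_t expand_row(const GifState *g, const uint8_t *idx, size_t n,
                         uint32_t *out, size_t *bad) {
    int size = colormap_size(g);
    size_t errors = 0;
    for (size_t i = 0; i < n; i++) {
        int p = idx[i];
        if (g->is_transparent && p == g->tpixel) {
            out[i] = 0;           /* transparent, even when tpixel itself is out of range */
        } else if (p >= size) {
            out[i] = 0;           /* malformed index: do not read colormap[p] */
            errors++;
        } else {
            out[i] = g->colormap[p];
        }
    }
    if (bad) *bad = errors;
    return n;
}

/* Constructed case matching the comment: depth 3, tpixel 15, plus one
 * LZW output value (200) that no 8-entry colormap can contain. */
static size_t demo_bug_case(uint32_t out[5]) {
    GifState g = { .global_colormap_depth = 3, .is_transparent = 1, .tpixel = 15 };
    for (int i = 0; i < 8; i++) g.colormap[i] = 0xFF000000u | (uint32_t)i * 0x111111u;
    const uint8_t row[5] = { 0, 3, 7, 15, 200 };
    size_t bad = 0;
    expand_row(&g, row, 5, out, &bad);
    return bad;   /* only index 200 is an error; 15 was consumed as transparent */
}

int main(void) {
    uint32_t px[5];
    size_t bad = demo_bug_case(px);
    GifState g = { .global_colormap_depth = 3, .tpixel = 15 };
    printf("tpixel in range: %d, bad indices: %zu\n", tpixel_in_range(&g), bad);
    for (int i = 0; i < 5; i++) printf("%08x\n", px[i]);
    return 0;
}
```

The transparency comparison runs before the range check on purpose: a pixel equal to an out-of-range tpixel is still rendered transparent, which is the only meaning the file can have intended, while every other out-of-range value is refused rather than dereferenced. A decoder that wants to be stricter can call tpixel_in_range when the GCE is parsed and reject the image there.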