Closed
Bug 406036
Opened 17 years ago
Closed 17 years ago
putImageData draws random memory
Categories
(Core :: Graphics: Canvas2D, defect, P3)
Core
Graphics: Canvas2D
Tracking
()
VERIFIED
FIXED
People
(Reporter: philip, Assigned: vlad)
Details
(Keywords: testcase, verified1.8.1.12, Whiteboard: [sg:moderate?] mac and linux)
Attachments
(2 files, 1 obsolete file)
1.02 KB,
text/html
|
Details | |
1.50 KB,
patch
|
pavlov
:
review+
dveditz
:
approval1.8.1.12+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11pre) Gecko/20071127 BonEcho/2.0.0.11pre Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11pre) Gecko/20071127 BonEcho/2.0.0.11pre In FF2 on Linux, some uses of putImageData, e.g.: ctx.putImageData(ctx.getImageData(0, 0, 128, 64), 0, 128); on a 256x256 canvas, fill the destination with bits of memory instead of with the correct pattern. (The soon-to-be-attached test case works for me in trunk builds on Linux. I haven't tested any other platform.) Reproducible: Always
Reporter | ||
Comment 1•17 years ago
|
||
Comment 2•17 years ago
|
||
Confirmed on Mac branch (2.0.0.10), works on Trunk.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8.1.12?
Keywords: testcase
OS: Linux → All
Hardware: PC → All
Updated•17 years ago
|
Severity: normal → major
Version: unspecified → 1.8 Branch
Updated•17 years ago
|
Whiteboard: [sg:low]
Updated•17 years ago
|
Flags: blocking1.9?
Is this a regression relative to earlier branch builds, or has it always been present on branch?
Assignee | ||
Comment 4•17 years ago
|
||
Pretty sure it's always been present on branch -- I'm looking at the code now, and it's a buffer overrun; the wrong index was used in a loop involving memcpy(). This might raise the sg:low rating. I should have a patch shortly.
Assignee | ||
Comment 5•17 years ago
|
||
Here's an untested patch, based on visual inspection of the code and the crash site. I've got a build going now.
Comment 6•17 years ago
|
||
I haven't been able to reproduce this on Windows but the code looks cross-platform. Would that point the finger at all the cairo_ calls in the else section rather than the loop in the if() you changed? In a debugger I don't hit the loop you changed on the attached testcase, I hit the else section. If your patch is correct then you've stumbled on an unrelated potential overflow -- can we get a testcase for that too?
Assignee | ||
Comment 7•17 years ago
|
||
Yeah, I've had problems on the mac debugging -- I can't get gdb to find debug info for a debug build! Really annoying.
Comment 8•17 years ago
|
||
based on comment #4 moving to blocking list
Assignee: nobody → vladimir
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.12?
Flags: blocking1.8.1.12+
Assignee | ||
Comment 9•17 years ago
|
||
Ah ha, so here's the fix. The problem was twofold: 1) The wrong loop end condition was being used, which I caught earlier (y instead of h) 2) imgPtr was being used as the start of the source image data, but that pointer had been iterated over previously and now pointed to the end of the data! This fixes things for me. I'm pretty sure I never caught this originally because I was writing this code on windows, in which case we hit the else path; the path that doesn't use memcpy doesn't have this problem.
Attachment #290719 -
Attachment is obsolete: true
Attachment #297093 -
Flags: review?(dveditz)
Assignee | ||
Updated•17 years ago
|
Attachment #297093 -
Flags: review?(dveditz) → review?(pavlov)
Assignee | ||
Comment 10•17 years ago
|
||
Comment on attachment 297093 [details] [diff] [review] patch >+typedef unsigned int cairo_font_type_t; >+ Erm, ignore this part of this patch, needed this due to the version of cairo on my test system.
Updated•17 years ago
|
Attachment #297093 -
Flags: review?(pavlov) → review+
Assignee | ||
Updated•17 years ago
|
Attachment #297093 -
Flags: approval1.8.1.12?
Comment 11•17 years ago
|
||
Comment on attachment 297093 [details] [diff] [review] patch approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #297093 -
Flags: approval1.8.1.12? → approval1.8.1.12+
Updated•17 years ago
|
Whiteboard: [sg:low] → [sg:moderate?] mac and linux
Assignee | ||
Comment 12•17 years ago
|
||
Checked in on trunk and 1.8.
Updated•17 years ago
|
Flags: in-testsuite?
Comment 13•17 years ago
|
||
Verified in branch in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008012208 BonEcho/2.0.0.12pre. I don't see any trunk patch anywhere here. This is a branch only bug.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.12 → verified1.8.1.12
Assignee | ||
Comment 14•17 years ago
|
||
The patch was for branch and trunk.
Comment 15•17 years ago
|
||
Ah, since "Version" is marked "!.8 Branch", it wasn't clear that this was a trunk bug as well. This needs to be verified in trunk then.
Updated•17 years ago
|
Version: 1.8 Branch → Trunk
Comment 16•17 years ago
|
||
Verified for trunk with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2008012204 Minefield/3.0b3pre.
Updated•16 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•