Bug 413373 (Closed): Crash [@nsGIFDecoder2::DoLzw] when loading GIF file
Opened 17 years ago, closed 17 years ago
Categories: Core :: Graphics: ImageLib, defect, P2
Tracking: VERIFIED FIXED, target milestone mozilla1.9beta3
People: Reporter: pvnick, Assigned: alfredkayser
Details: Keywords: crash
Attachments (3 files)
- 8.35 KB, image/gif
- 3.30 KB, text/plain
- 695 bytes, patch; flags: pavlov: review+, tor: superreview+, beltzner: approval1.9+
The attached GIF file crashes the browser in a way that doesn't look exploitable. I hope no-one needs a reduced version, because I wouldn't know how to produce that.
Comment 1 • 17 years ago (Reporter)
Comment 2 • 17 years ago (Reporter)
Also, this doesn't seem to crash branch.
Comment 3 • 17 years ago
Can't reproduce the crash on Linux/64bit/trunk.
I get
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp, line 244
Comment 5 • 17 years ago (Assignee)
Traced it down to a specific malformed LZW stream issue.
In essence in the input stream there is an illegal code that is outside the valid range.
Note, Opera can read the image, but all other image tools (that I have) refuse to load it.
The fix is simple: before using 'code' as index in 'suffix' make sure it is within range of 'suffix'. If not, the image has to be considered 'illegal'.
Assignee: nobody → alfredkayser
Status: NEW → ASSIGNED
Attachment #298451 - Flags: superreview?(tor)
Attachment #298451 - Flags: review?(pavlov)
Attachment #298451 - Flags: superreview?(tor) → superreview+
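The check described in comment 5 is the classic LZW decoder guard: before a code is used as an index into the prefix/suffix tables, it must be a literal, an entry already in the table, or exactly the next free slot (the "KwKwK" case, which is only valid when a previous string exists). The following is an added example, not code from this bug's patch or from Mozilla's nsGIFDecoder2.cpp: a simplified GIF-style LZW decoder that works on codes already unpacked from the bit stream (the unpacking and the real decoder's state machine are assumed to live elsewhere) and rejects out-of-range codes instead of indexing past the table. The function names, the `min_code_size` parameter and the three sample code streams are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CODES 4096   /* GIF LZW codes are at most 12 bits, so 4096 table slots */

/*
 * Decode a GIF-style LZW code sequence into `out` (capacity `out_cap`).
 * `codes` holds codes already unpacked from the GIF sub-block bit stream;
 * that unpacking is assumed to happen elsewhere and is not shown here.
 * Returns the number of bytes written, or -1 if the stream is malformed:
 * a code beyond the next free dictionary slot, a KwKwK code with no
 * previous string, or output that would overflow `out`.
 */
int lzw_decode(const int *codes, int ncodes, int min_code_size,
               unsigned char *out, int out_cap)
{
    int clear_code = 1 << min_code_size;   /* resets the dictionary */
    int end_code   = clear_code + 1;       /* end of image data */
    int avail      = clear_code + 2;       /* next free dictionary slot */
    int oldcode    = -1;                   /* previous code; -1 right after a clear */
    int first_byte = 0;                    /* first byte of the previously decoded string */
    int prefix[MAX_CODES];                 /* code -> code of the string minus its last byte */
    unsigned char suffix[MAX_CODES];       /* code -> last byte of the string */
    unsigned char stack[MAX_CODES + 2];    /* strings are rebuilt back to front */
    int outlen = 0;

    if (min_code_size < 2 || min_code_size > 8) return -1;

    for (int i = 0; i < ncodes; i++) {
        int code = codes[i];

        if (code == clear_code) { avail = clear_code + 2; oldcode = -1; continue; }
        if (code == end_code) break;

        /* The range check the fix adds: a valid code is a literal (< clear_code),
         * an entry already in the table (< avail), or exactly avail (KwKwK, only
         * meaningful when a previous string exists). Anything else would index
         * prefix[]/suffix[] out of bounds, so the stream is treated as illegal. */
        if (code < 0 || code > avail || code >= MAX_CODES) return -1;
        if (code == avail && oldcode < 0) return -1;

        int sp = 0, c = code;
        if (code == avail) {               /* KwKwK: old string + its own first byte */
            stack[sp++] = (unsigned char)first_byte;
            c = oldcode;
        }
        while (c > end_code) {             /* walk the prefix chain down to a literal */
            if (sp >= MAX_CODES) return -1;
            stack[sp++] = suffix[c];
            c = prefix[c];
        }
        stack[sp++] = (unsigned char)c;    /* c is now a literal byte */
        first_byte = c;

        if (outlen + sp > out_cap) return -1;
        while (sp > 0) out[outlen++] = stack[--sp];

        if (oldcode >= 0 && avail < MAX_CODES) {   /* add "old string + first_byte" */
            prefix[avail] = oldcode;
            suffix[avail] = (unsigned char)first_byte;
            avail++;
        }
        oldcode = code;
    }
    return outlen;
}

/* Constructed sample streams with min code size 2 (clear = 4, end = 5);
 * they are not taken from the bug's attachment. */
static const int GOOD_STREAM[] = { 4, 1, 2, 6, 8, 5 };   /* decodes to 1 2 1 2 1 2 1 */
static const int BAD_STREAM[]  = { 4, 1, 9, 5 };         /* 9 is beyond the next free slot (6) */
static const int BAD_KWKWK[]   = { 4, 6, 5 };            /* KwKwK code with no previous string */

#define NELEMS(a) ((int)(sizeof(a) / sizeof((a)[0])))

int decode_good(unsigned char *out, int cap) { return lzw_decode(GOOD_STREAM, NELEMS(GOOD_STREAM), 2, out, cap); }
int decode_good_len(void) { unsigned char b[32]; return decode_good(b, sizeof b); }
int decode_good_byte(int i) { unsigned char b[32]; int n = decode_good(b, sizeof b); return (i >= 0 && i < n) ? b[i] : -1; }
int decode_bad(void) { unsigned char b[16]; return lzw_decode(BAD_STREAM, NELEMS(BAD_STREAM), 2, b, sizeof b); }
int decode_bad_kwkwk(void) { unsigned char b[16]; return lzw_decode(BAD_KWKWK, NELEMS(BAD_KWKWK), 2, b, sizeof b); }

int main(void)
{
    unsigned char buf[32];
    int n = decode_good(buf, sizeof buf);
    printf("good stream: %d bytes:", n);
    for (int i = 0; i < n; i++) printf(" %d", buf[i]);
    printf("\nbad stream: %d, bad KwKwK: %d\n", decode_bad(), decode_bad_kwkwk());
    return 0;
}
```

Without the two `return -1` lines after the clear/end handling, the `9` in `BAD_STREAM` would be used as an index into tables whose valid entries stop at slot 5, which is the shape of the out-of-range read this bug reports; rejecting the stream at that point is what turns a crash into a failed decode.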
Updated • 17 years ago (Assignee)
Keywords: checkin-needed
Updated • 17 years ago
Attachment #298451 - Flags: review?(pavlov) → review+
Updated • 17 years ago
Flags: blocking1.9?
Updated • 17 years ago
Attachment #298451 - Flags: approval1.9?
Comment 7 • 17 years ago
Comment on attachment 298451 [details] [diff] [review]
Patch to detect malformed LZW encoding
a=beltzner for 1.9
Attachment #298451 - Flags: approval1.9? → approval1.9+
Updated • 17 years ago
Keywords: checkin-needed
Updated • 17 years ago
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Comment 8 • 17 years ago
Checking in modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp;
/cvsroot/mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp,v <-- nsGIFDecoder2.cpp
new revision: 1.93; previous revision: 1.92
done
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M11
Updated • 17 years ago
Flags: wanted1.8.1.x-
Comment 9 • 17 years ago
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008020819 Minefield/3.0b4pre and the testcase from this bug
- no crash on this testcase -> Verified fixed
Status: RESOLVED → VERIFIED
Updated • 13 years ago
Crash Signature: [@nsGIFDecoder2::DoLzw]