Closed Bug 413931 Opened 17 years ago Closed 17 years ago

Crash [@nsGIFDecoder2::DoLzw] when loading GIF file, part 2

(Core :: Graphics: ImageLib, defect, P2)

(Reporter: martijn.martijn, Assigned: alfredkayser)

(Keywords: crash, regression, testcase)

(2 files, 4 obsolete files)

I had this image stored on my computer. No idea how I got it. Perhaps, I downloaded it from a bug where that image was crashing too in older builds or something.
Frame  Signature  Source
0  nsGIFDecoder2::DoLzw(unsigned char const*)  mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp:614
1  nsGIFDecoder2::GifWrite(unsigned char const*, unsigned int)  mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp:769
2  ReadDataOut  mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp:190
3  nsPipeInputStream::ReadSegments(unsigned int (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*)  mozilla/xpcom/io/nsPipe3.cpp:799
4  nsGIFDecoder2::WriteFrom(nsIInputStream*, unsigned int, unsigned int*)  mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp:262
5  imgRequest::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int)  mozilla/modules/libpr0n/src/imgRequest.cpp:861
6  ProxyListener::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int)  mozilla/modules/libpr0n/src/imgLoader.cpp:877

This wasn't fixed by bug 413373, because I crash in the 2008-01-24 build, but not with the testcase from bug 413373.

This regressed between 2007-06-25 and 2007-06-26:
So I guess a regression from bug 196295.
Another fix to prevent crashes on malformed LZW data in GIFs.
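Neither the crashing image nor the decoder source is on this page, so the following is an added illustration of the bug class named above (a GIF LZW decoder indexing its code table with a code the input has not yet defined), written for this note and not taken from nsGIFDecoder2 or the patch. It decodes a GIF-style LZW stream while checking every code against the number of table entries defined so far, so malformed data is reported as an error instead of being used as an out-of-range index. The sample streams are constructed by hand for min code size 2, and the sub-block length bytes of a real GIF are assumed to have been stripped already.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LZW_MAX_CODES 4096 /* GIF LZW codes are at most 12 bits wide */
#define LZW_MAX_BITS  12

typedef enum {
    LZW_OK = 0,
    LZW_BAD_CODE,    /* a code referenced a table entry that does not exist yet */
    LZW_TRUNCATED,   /* input ended before the end-of-information code */
    LZW_OUTPUT_FULL  /* decoded pixels would overflow the caller's buffer */
} lzw_status;

/* Decode a GIF LZW code stream into `out`. Sub-block length bytes are assumed
 * stripped (a simplification of real GIF parsing). Every code is checked against
 * the number of table entries defined so far before it is used as an index, so
 * malformed data fails cleanly instead of reading outside prefix[]/suffix[]. */
lzw_status gif_lzw_decode(const uint8_t *in, size_t in_len, int min_code_size,
                          uint8_t *out, size_t out_cap, size_t *out_len)
{
    uint16_t prefix[LZW_MAX_CODES];    /* code of each string minus its last byte */
    uint8_t  suffix[LZW_MAX_CODES];    /* last byte of each string */
    uint8_t  stack[LZW_MAX_CODES + 1]; /* string being expanded, last byte first */
    int clear, eoi, avail, code_size, code_mask, prev = -1, first = 0, bits = 0;
    uint32_t bitbuf = 0;
    size_t pos = 0, n = 0;

    *out_len = 0;
    if (min_code_size < 2 || min_code_size > 8) return LZW_BAD_CODE;
    clear = 1 << min_code_size;
    eoi = clear + 1;
    avail = clear + 2;
    code_size = min_code_size + 1;
    code_mask = (1 << code_size) - 1;
    for (int i = 0; i < clear; i++) { prefix[i] = 0xFFFF; suffix[i] = (uint8_t)i; }

    for (;;) {
        int code, c, sp = 0;
        while (bits < code_size) {               /* GIF packs codes LSB-first */
            if (pos >= in_len) return LZW_TRUNCATED;
            bitbuf |= (uint32_t)in[pos++] << bits;
            bits += 8;
        }
        code = (int)(bitbuf & (uint32_t)code_mask);
        bitbuf >>= code_size;
        bits -= code_size;
        if (code == clear) {
            avail = clear + 2; code_size = min_code_size + 1;
            code_mask = (1 << code_size) - 1; prev = -1;
            continue;
        }
        if (code == eoi) break;
        /* The check that matters: a code may only name an existing entry or the
         * one entry about to be added (KwKwK case, which needs a previous code).
         * Anything larger is malformed input, not a table index. */
        if (code > avail || (code == avail && prev < 0)) return LZW_BAD_CODE;
        if (code == avail) {                     /* KwKwK: prev string + its first byte */
            stack[sp++] = (uint8_t)first;
            c = prev;
        } else {
            c = code;
        }
        while (c >= clear) {                     /* walk the prefix chain to a literal */
            stack[sp++] = suffix[c];
            c = prefix[c];
        }
        first = c;                               /* literal that starts this string */
        stack[sp++] = (uint8_t)c;
        if (n + (size_t)sp > out_cap) return LZW_OUTPUT_FULL;
        while (sp > 0) out[n++] = stack[--sp];
        if (prev >= 0 && avail < LZW_MAX_CODES) { /* add prev + first to the table */
            prefix[avail] = (uint16_t)prev;
            suffix[avail] = (uint8_t)first;
            if (++avail > code_mask && code_size < LZW_MAX_BITS)
                code_mask = (1 << ++code_size) - 1;
        }
        prev = code;
    }
    *out_len = n;
    return LZW_OK;
}

/* Constructed sample streams for min_code_size 2 (clear = 4, eoi = 5, first free
 * code = 6); made up for this note, not taken from the bug's attachment. */
static const uint8_t kGoodStream[]      = { 0x84, 0x13, 0x05 }; /* 4 0 6 1 (3 bits) 1 5 (4 bits) -> 0 0 0 1 1 */
static const uint8_t kBadCodeStream[]   = { 0x3C };             /* 4 then 7, but only codes up to 5 exist */
static const uint8_t kTruncatedStream[] = { 0x84 };             /* ends after the first pixel */

static uint8_t g_pixels[64];
static size_t  g_npix;

/* Decode one sample into g_pixels/g_npix and report the status. */
lzw_status decode_sample(const uint8_t *stream, size_t len)
{
    return gif_lzw_decode(stream, len, 2, g_pixels, sizeof g_pixels, &g_npix);
}

int pixel_at(size_t i) { return i < g_npix ? g_pixels[i] : -1; }

int main(void)
{
    lzw_status st = decode_sample(kGoodStream, sizeof kGoodStream);
    printf("good stream: status %d, %zu pixels:", (int)st, g_npix);
    for (size_t i = 0; i < g_npix; i++) printf(" %u", (unsigned)g_pixels[i]);
    printf("\nbad code stream: status %d\n", (int)decode_sample(kBadCodeStream, sizeof kBadCodeStream));
    printf("truncated stream: status %d\n", (int)decode_sample(kTruncatedStream, sizeof kTruncatedStream));
    return 0;
}
```

The second stream is the shape of input this bug is about: a syntactically plausible code that the table cannot yet resolve. A decoder that uses it as an index reads past the end of its tables; this one returns LZW_BAD_CODE. The code-width step-up rule here is the standard GIF one (widen when the next free code no longer fits); the good stream was packed by hand to match it.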
Attachment #299063 - Attachment is obsolete: true
Attachment #299130 - Flags: superreview?(tor)
Attachment #299130 - Flags: review?(pavlov)
Note, the patch is a local diff as I don't have cvs access today
Assignee: nobody → alfredkayser
Attachment #299130 - Attachment is obsolete: true
Attachment #299131 - Flags: superreview?(tor)
Attachment #299131 - Flags: review?(pavlov)
Attachment #299131 - Flags: approval1.9?
Attachment #299130 - Flags: superreview?(tor)
Attachment #299130 - Flags: review?(pavlov)
Comment on attachment 299130 [details] [diff] [review]
Quick fix to prevent crashes on array out of bounds

This diff seems to have some issues.
Attachment #299130 - Attachment is obsolete: false
Attachment #299131 - Flags: review?(pavlov) → review+
This evening (CET time) I will try to upload a real cvs diff.
Attachment #299131 - Flags: superreview?(tor) → superreview+
Flags: blocking1.9?
Keywords: checkin-needed
Comment on attachment 299131 [details] [diff] [review]
V2: Remove the cruft from the patch file

a=beltzner for 1.9
Attachment #299131 - Flags: approval1.9? → approval1.9+
Attached patch V3: correct cvs diff version (obsolete) — Splinter Review
Attachment #299130 - Attachment is obsolete: true
Attachment #299131 - Attachment is obsolete: true
Attached patch Correct version (Splinter Review)
Attachment #299246 - Attachment is obsolete: true
Can we get this image in the testsuite as well?
Flags: in-testsuite?
Flags: blocking1.9?
Flags: blocking1.9+
Priority: -- → P2
Checking in modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp;
/cvsroot/mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp,v  <--  nsGIFDecoder2.cpp
new revision: 1.96; previous revision: 1.95
Closed: 17 years ago
Keywords: checkin-needed
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M11
Depends on: 414185
So who's going to add a crashtest for this (search the tree for examples)? Alfred?
Who can put the file into the testsuite?
I wrote a simple reftest/crashtest for the image, but ran into a problem. See bug 414185 for details (marked blocking this one).

Alfred: Is your last attachment the same image as the first attachment in this bug?
Yes, it is. There are no other images which display the same bug.
There is another image here that was fixed by this patch:
But it's a bit large.
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008012704 Minefield/3.0b3pre
Crash Signature: [@nsGIFDecoder2::DoLzw]
Attachment #299702 - Attachment is patch: false
Attachment #299702 - Attachment mime type: text/plain → image/gif