Closed
Bug 429774
Opened 16 years ago
Closed 16 years ago
Read past end of array [@ Convolve3x3] involving SVG feSpecularLighting filter
Categories
(Core :: SVG, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: longsonr)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(3 files, 1 obsolete file)
|
837 bytes,
image/svg+xml
|
Details | |
|
7.17 KB,
text/plain
|
Details | |
|
1.14 KB,
patch
|
roc
:
review+
roc
:
superreview+
beltzner
:
approval1.9+
|
Details | Diff | Splinter Review |
testcase (often crashes Firefox when loaded)
Gary Kwong found this bug and I helped make a reduced testcase.
|
Reporter | |
Comment 1•16 years ago
|
||
|
||
Updated•16 years ago
|
Flags: wanted1.9.0.x?
|
Assignee | |
Comment 2•16 years ago
|
||
This doesn't crash on Windows. There is a clear issue, however. y goes from rect.y to rect.YMost in the loop that calls GenerateNormal. We therefore need to change the kernel indexing when it gets to YMost rather than height. Only a problem if rect.y or rect.x <> 0, otherwise YMost == height which is why http://www.w3.org/Graphics/SVG/Test/20061213/htmlObjectHarness/full-filters-light-01-f.html works. Is it possible to confirm this patch stops the crash on Macs?
Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Attachment #316550 -
Flags: superreview?(roc)
Attachment #316550 -
Flags: review?(roc)
|
|
Assignee | |
Comment 3•16 years ago
|
||
BTW thanks for the stack trace Jesse, that made it much easier.
Those == 0 tests should be testing rect.x and rect.y, right?
|
|
Reporter | |
Comment 5•16 years ago
|
||
The patch fixes the crash for me.
|
|
Assignee | |
Comment 6•16 years ago
|
||
(In reply to comment #4) > Those == 0 tests should be testing rect.x and rect.y, right? > Seems reasonable. We shouldn't read outside the source area. Although that fault won't make it crash.
Attachment #316550 -
Attachment is obsolete: true
Attachment #316563 -
Flags: superreview?(roc)
Attachment #316563 -
Flags: review?(roc)
Attachment #316550 -
Flags: superreview?(roc)
Attachment #316550 -
Flags: review?(roc)
Attachment #316563 -
Flags: superreview?(roc)
Attachment #316563 -
Flags: superreview+
Attachment #316563 -
Flags: review?(roc)
Attachment #316563 -
Flags: review+
|
|
Assignee | |
Comment 7•16 years ago
|
||
Comment on attachment 316563 [details] [diff] [review] address review comment Simple fix to use correct bounds for reading.
Attachment #316563 -
Flags: approval1.9?
|
||
Comment 8•16 years ago
|
||
Comment on attachment 316563 [details] [diff] [review] address review comment a1.9=beltzner
Attachment #316563 -
Flags: approval1.9? → approval1.9+
|
|
Assignee | |
Comment 9•16 years ago
|
||
checked in.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: wanted1.9.0.x?
Resolution: --- → FIXED
|
||
Updated•16 years ago
|
Flags: in-testsuite?
|
|
||
Comment 10•16 years ago
|
||
Verified that the testcase does not crash anymore in today's freshly compiled Mac debug builds.
Status: RESOLVED → VERIFIED
Flags: in-testsuite? → in-testsuite+
|
||
Updated•16 years ago
|
Group: core-security
Flags: wanted1.8.1.x-
|
||
Updated•13 years ago
|
Crash Signature: [@ Convolve3x3]
You need to log in
before you can comment on or make changes to this bug.
Description
•