Last Comment Bug 449703 - [1.8 branch] XBM appears to draw uninitialized memory
: [1.8 branch] XBM appears to draw uninitialized memory
Status: VERIFIED FIXED
[sg:low]
: privacy, testcase, verified1.8.1.17
Product: Core
Classification: Components
Component: ImageLib (show other bugs)
: 1.8 Branch
: x86 Mac OS X
: -- normal (vote)
: ---
Assigned To: Vladimir Vukicevic [:vlad] [:vladv]
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-07 18:55 PDT by Jesse Ruderman
Modified: 2008-09-23 09:47 PDT (History)
8 users (show)
dveditz: blocking1.8.1.17+
asac: blocking1.8.0.next+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (XBM) (53 bytes, image/x-xbitmap)
2008-08-07 18:55 PDT, Jesse Ruderman
no flags Details
potential fix? (646 bytes, patch)
2008-08-21 11:24 PDT, Vladimir Vukicevic [:vlad] [:vladv]
no flags Details | Diff | Review
fix (591 bytes, patch)
2008-08-25 15:40 PDT, Vladimir Vukicevic [:vlad] [:vladv]
dveditz: review+
dveditz: approval1.8.1.17+
asac: approval1.8.0.next+
Details | Diff | Review

Description Jesse Ruderman 2008-08-07 18:55:23 PDT
Created attachment 332877 [details]
testcase (XBM)

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16

Loading this XBM file makes Firefox 2 draw some random pixels.  They're different each time the image is reloaded, so it seems like Firefox might be displaying contents of uninitialized memory.

In Firefox 3 and trunk, I just see white, but I don't know whether the bug was really fixed (or whether it was fixed intentionally).

Billy Hoffman pointed this bug out during his talk at Black Hat today.
Comment 1 Samuel Sidler (old account; do not CC) 2008-08-11 11:11:24 PDT
Vlad, can you find an owner for this?
Comment 2 Daniel Veditz [:dveditz] 2008-08-11 11:12:13 PDT
It would be nice to plug this in the next FF2 update since it's public. probably a memset() is all it needs.
Comment 3 :Gavin Sharp [email: gavin@gavinsharp.com] 2008-08-16 01:51:38 PDT
Presumably this was fixed on trunk by bug 376471?
Comment 4 Vladimir Vukicevic [:vlad] [:vladv] 2008-08-21 11:24:29 PDT
Created attachment 334923 [details] [diff] [review]
potential fix?

I can't actually get 1.8.1 to build on my mac any more; this bug is OSX-only, right?  This is likely to fix it if so; if someone has a 1.8.1 build they could try this out on, that'd be helpful.
Comment 5 Samuel Sidler (old account; do not CC) 2008-08-22 11:36:20 PDT
Comment on attachment 334923 [details] [diff] [review]
potential fix?

Dan, can you test this patch?
Comment 6 Daniel Veditz [:dveditz] 2008-08-22 11:44:20 PDT
Well, yes, I can test the mac-only patch, but this is not a mac-only bug.
Comment 7 Vladimir Vukicevic [:vlad] [:vladv] 2008-08-22 13:14:33 PDT
Ah, I didn't realize it wasn't Mac-only -- I can test 1.8.1 on linux.
Comment 8 Daniel Veditz [:dveditz] 2008-08-22 13:31:41 PDT
The patch didn't seem to work on the Mac. Did I not clobber enough?
Comment 9 Vladimir Vukicevic [:vlad] [:vladv] 2008-08-25 15:40:06 PDT
Created attachment 335439 [details] [diff] [review]
fix

Looks like this buffer isn't being zero'd out if we happen to bail early.  Do so.
Comment 10 Daniel Veditz [:dveditz] 2008-08-25 15:47:07 PDT
Comment on attachment 335439 [details] [diff] [review]
fix

Tested on Mac and Windows, r=dveditz

Approved for 1.8.1.17, a=dveditz for release-drivers.
Comment 11 Vladimir Vukicevic [:vlad] [:vladv] 2008-08-25 15:53:09 PDT
Checking in nsXBMDecoder.cpp;
/cvsroot/mozilla/modules/libpr0n/decoders/xbm/nsXBMDecoder.cpp,v  <--  nsXBMDecoder.cpp
new revision: 1.17.2.2; previous revision: 1.17.2.1
done

This doesn't seem to be present on trunk (and indeed, the offending code is gone from trunk -- memory allocation happens in a different spot).
Comment 12 Al Billings [:abillings] 2008-09-02 16:53:29 PDT
Verified for 1.8.1.17 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.17) Gecko/2008082910 Firefox/2.0.0.17.
Comment 13 Alexander Sack 2008-09-23 09:47:39 PDT
Comment on attachment 335439 [details] [diff] [review]
fix

a=asac for 1.8.0.15

Note You need to log in before you can comment on or make changes to this bug.