Closed
Bug 455976
Opened 16 years ago
Closed 16 years ago
Crash [@ argb32_image_mark] with border-image on very wide element
Categories
(Core :: Graphics, defect, P3)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: vlad)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical?])
Crash Data
Attachments
(4 files, 1 obsolete file)
1.22 KB,
text/html
|
Details | |
7.05 KB,
text/plain
|
Details | |
2.24 KB,
patch
|
roc
:
review+
|
Details | Diff | Splinter Review |
1.06 KB,
patch
|
pavlov
:
review+
|
Details | Diff | Splinter Review |
Looks a bit scary: dies trying to derefernce the bogus address bdf7df78.
Flags: blocking1.9.1?
Reporter | ||
Updated•16 years ago
|
Whiteboard: [sg:critical?]
Reporter | ||
Comment 1•16 years ago
|
||
Seems more likely Gfx than Layout, though I could be wrong.
Component: Layout → GFX: Thebes
QA Contact: layout → thebes
Assignee | ||
Comment 3•16 years ago
|
||
10.5.4?
Assignee: nobody → vladimir
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
Reporter | ||
Comment 4•16 years ago
|
||
I can reproduce this on my MBP, which uses Mac OS X 10.5.5.
Assignee | ||
Updated•16 years ago
|
Priority: P1 → P3
Assignee | ||
Comment 5•16 years ago
|
||
I'm working on isolating the crash to a simple thing that I can send to apple, but here's a workaround for us. For Quartz, we don't need PAD to get correct edge behaviour, and PAD makes us take a fairly bogus path.
Attachment #339984 -
Flags: review?(roc)
That's getting kinda gross with platform #ifdefs in cross-platform code. Can we define a mode like gfxPattern::EXTEND_PAD_EDGE and map that to EXTEND_PAD or EXTEND_NONE depending on platform?
Assignee | ||
Comment 7•16 years ago
|
||
Yeah, good point.. here's that. I've got an additional patch in progress to clean up SetExtend usage in nsThebesImage (and SetFilter with the magic numbers), but that's not necessary for this.
Attachment #339984 -
Attachment is obsolete: true
Attachment #340001 -
Flags: review?(roc)
Attachment #339984 -
Flags: review?(roc)
Comment on attachment 340001 [details] [diff] [review] workaround, v2 [pushed] + // Our own private flag for setting either NONE or PAD, + // depending on what the platform does for NONE. Say a little more about what this flag means and what platforms do with it.
Attachment #340001 -
Flags: review?(roc) → review+
Assignee | ||
Comment 9•16 years ago
|
||
Checked in; this should resolve this crash. I'm pretty sure given our current usage we can't hit the crashing case again, but I'm not sure how to mark this bug -- the immediate security impact was resolved, but we should still do more analysis on the underlying cause (ideally creating a minimized testcase binary, since the crash is in CGPattern code). Going to mark this down to wanted/P3 -- can the security folks adjust security flags as appropriate?
Flags: wanted1.9.1+
Flags: blocking1.9.1-
Flags: blocking1.9.1+
Comment 10•16 years ago
|
||
For broken border-image reftests. http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1222374248.1222378342.24174.gz
Attachment #340445 -
Flags: review?
Updated•16 years ago
|
Attachment #340445 -
Flags: review? → review+
Comment 11•16 years ago
|
||
Comment on attachment 340445 [details] [diff] [review] restore xlib behavior [pushed] http://hg.mozilla.org/mozilla-central/rev/617e674f9eef
Attachment #340445 -
Attachment description: restore xlib behavior → restore xlib behavior [pushed]
Comment 12•16 years ago
|
||
Comment on attachment 340001 [details] [diff] [review] workaround, v2 [pushed] with comment changes: http://hg.mozilla.org/mozilla-central/rev/3c9f6c799fed
Attachment #340001 -
Attachment description: workaround, v2 → workaround, v2 [pushed]
Blocks: 448121
Reporter | ||
Comment 13•16 years ago
|
||
Vlad, I'd prefer if you filed a new bug on the remaining issues/analysis. A security bug was fixed here and that needs to be tracked clearly.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 14•16 years ago
|
||
A related testcase still crashes. I filed bug 458653.
Comment 15•16 years ago
|
||
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre. I verified using the testcase in Comment 0.
Status: RESOLVED → VERIFIED
Comment 16•16 years ago
|
||
This bug needs verified/fixed keywords for tracking.
Updated•13 years ago
|
Crash Signature: [@ argb32_image_mark]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•