Closed Bug 455976 Opened 16 years ago Closed 16 years ago

Crash [@ argb32_image_mark] with border-image on very wide element

Categories

(Core :: Graphics, defect, P3)

Product:
Core
Component:
Graphics
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: vlad)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?])

Crash Data

Attachments

(4 files, 1 obsolete file)

testcase (crashes Firefox when loaded)
1.22 KB, text/html
Details
stack trace
7.05 KB, text/plain
Details
workaround, v2 [pushed]
2.24 KB, patch
roc
: review+
Details | Diff | Splinter Review
restore xlib behavior [pushed]
1.06 KB, patch
pavlov
: review+
Details | Diff | Splinter Review 
Looks a bit scary: dies trying to derefernce the bogus address bdf7df78.
Flags: blocking1.9.1?
Whiteboard: [sg:critical?]
Attached file stack trace 

    
    

    
  
Seems more likely Gfx than Layout, though I could be wrong.
Component: Layout → GFX: Thebes
QA Contact: layout → thebes

    
    

    
  
10.5.4?
Assignee: nobody → vladimir
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1

    
    

    
  
I can reproduce this on my MBP, which uses Mac OS X 10.5.5.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        workaround (obsolete)
        — Splinter Review
      

    


  
I'm working on isolating the crash to a simple thing that I can send to apple, but here's a workaround for us.  For Quartz, we don't need PAD to get correct edge behaviour, and PAD makes us take a fairly bogus path.

        Attachment #339984 -
        Flags: review?(roc)

    
    

    
  
That's getting kinda gross with platform #ifdefs in cross-platform code. Can we define a mode like gfxPattern::EXTEND_PAD_EDGE and map that to EXTEND_PAD or EXTEND_NONE depending on platform?

    
    

    
  


  
Yeah, good point.. here's that.  I've got an additional patch in progress to clean up SetExtend usage in nsThebesImage (and SetFilter with the magic numbers), but that's not necessary for this.

        Attachment #339984 -
        Attachment is obsolete: true

        Attachment #340001 -
        Flags: review?(roc)

        Attachment #339984 -
        Flags: review?(roc)

    
    

    
  
Comment on attachment 340001 [details] [diff] [review]
workaround, v2 [pushed]

+        // Our own private flag for setting either NONE or PAD,
+        // depending on what the platform does for NONE.

Say a little more about what this flag means and what platforms do with it.

        Attachment #340001 -
        Flags: review?(roc) → review+

    
    

    
  
Checked in; this should resolve this crash.  I'm pretty sure given our current usage we can't hit the crashing case again, but I'm not sure how to mark this bug -- the immediate security impact was resolved, but we should still do more analysis on the underlying cause (ideally creating a minimized testcase binary, since the crash is in CGPattern code).  Going to mark this down to wanted/P3 -- can the security folks adjust security flags as appropriate?
Flags: wanted1.9.1+
Flags: blocking1.9.1-
Flags: blocking1.9.1+

    
  

        Attachment #340445 -
        Flags: review? → review+

    
    

    
  
Comment on attachment 340445 [details] [diff] [review]
restore xlib behavior [pushed]

http://hg.mozilla.org/mozilla-central/rev/617e674f9eef

        Attachment #340445 -
        Attachment description: restore xlib behavior → restore xlib behavior [pushed]

    
    

    
  
Comment on attachment 340001 [details] [diff] [review]
workaround, v2 [pushed]

with comment changes:
http://hg.mozilla.org/mozilla-central/rev/3c9f6c799fed

        Attachment #340001 -
        Attachment description: workaround, v2 → workaround, v2 [pushed]

    
    

    
  
Vlad, I'd prefer if you filed a new bug on the remaining issues/analysis.  A security bug was fixed here and that needs to be tracked clearly.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED

    
    

    
  
A related testcase still crashes.  I filed bug 458653.

    
    

    
  
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre. I verified using the testcase in Comment 0.
Status: RESOLVED → VERIFIED

    
    

    
  
This bug needs verified/fixed keywords for tracking.
Crash Signature: [@ argb32_image_mark]

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: