Crash [@ nsSVGFEDisplacementMapElement::Filter]

VERIFIED FIXED

Status

Status: VERIFIED FIXED
Priority: P2
Severity: critical
Reported: 10 years ago
Modified: 8 years ago

People

(Reporter: jruderman, Assigned: roc)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Platform: x86
OS: Mac OS X
Keywords: assertion, crash, testcase, verified1.9.1
Points: ---
Bug Flags:
blocking1.9.1 +
wanted1.9.0.x -
wanted1.8.1.x -
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:moderate][depends on 448243], crash signature)

Attachments

(1 attachment)

Description (Reporter, 10 years ago)

Created attachment 350738
testcase (can crash Firefox when loaded)

###!!! ASSERTION: stride mismatch: 'input->mImage.mImage->Stride() == primitive->mImage.mImage->Stride()', file /Users/jruderman/central/layout/svg/base/src/nsSVGFilterInstance.cpp, line 492

Bug 448243 also triggers this assertion.  This testcase not only triggers the assertion, but also makes Firefox draw random pixels and/or dereference bogus addresses [@ nsSVGFEDisplacementMapElement::Filter].

The testcase is simply layout/reftests/svg/filters/feDisplacementMap-2.svg with one less element.
Flags: blocking1.9.1?

Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2

Seems to have been fixed by the checkin for bug 448243.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Whiteboard: [depends on 448243]

Updated

10 years ago
Flags: in-testsuite?
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081230 Shiretoko/3.1b3pre. Updating keyword.

verified fixed on the trunk as well using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20081230 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Want this for 1.9.0; not needed for 1.8 which doesn't have svg filters.
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x-
Flags: blocking1.9.0.8+
Whiteboard: [depends on 448243] → [sg:moderate][depends on 448243]
Assigning this to roc since he owns bug 448243, which this bug is fixed by.
Assignee: nobody → roc
Flags: blocking1.9.0.8+ → blocking1.9.0.9?
Flags: blocking1.9.0.10?
Flags: blocking1.9.0.12?
I don't crash with this testcase in 1.9.0.12pre; looks like we don't need this.
Flags: wanted1.9.0.x-
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.12?
Group: core-security
Comment 7 (Reporter, 9 years ago)

Crashtest: http://hg.mozilla.org/mozilla-central/rev/c38d6ec28c45
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsSVGFEDisplacementMapElement::Filter]