Bug 503237: Crash [@ imgLoader::GetCache] null pointer read
Status: RESOLVED WORKSFORME
Opened 15 years ago, closed 13 years ago
Categories: Core :: Graphics: ImageLib (defect)
People: Reporter: gfleischer+bugzilla, Unassigned
Details: Keywords: crash, testcase; Whiteboard: [sg:dos][ccbr]
Attachments: 2 files
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1pre) Gecko/20090708 Shiretoko/3.5.1pre
Crash with null pointer read when loadImageWithChannel is called for image.
Reproducible: Always
Comment 1•15 years ago (Reporter)
Comment 2•15 years ago (Reporter)
Updated•15 years ago
Attachment #387592 - Attachment mime type: application/octet-stream → text/plain
Comment 3•15 years ago
Crashes in trunk:
http://crash-stats.mozilla.com/report/index/a35119e6-53d8-429f-ad92-0e8da2090709
0 XUL imgLoader::LoadImageWithChannel modules/libpr0n/src/imgLoader.cpp:542
1 XUL nsImageLoadingContent::LoadImageWithChannel content/base/src/nsImageLoadingContent.cpp:450
2 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
3 XUL XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2691
4 XUL XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1732
5 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1389
6 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:5242
7 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1397
8 libmozjs.dylib js_InternalInvoke js/src/jsinterp.cpp:1469
9 libmozjs.dylib JS_CallFunctionValue js/src/jsapi.cpp:5199
10 XUL nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:2090
etc...
Also crashes in Firefox 3:
http://crash-stats.mozilla.com/report/index/f5737c21-d73d-4a53-8e9c-41f602090709?p=1
0 XUL GetCacheSession mozilla/modules/libpr0n/src/imgCache.cpp:140
1 XUL imgCache::Get mozilla/modules/libpr0n/src/imgCache.cpp:265
2 XUL imgLoader::LoadImageWithChannel mozilla/modules/libpr0n/src/imgLoader.cpp:577
3 XUL nsImageLoadingContent::LoadImageWithChannel mozilla/content/base/src/nsImageLoadingContent.cpp:449
4 XUL NS_InvokeByIndex_P mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
5 XUL XPCWrappedNative::CallMethod mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2393
6 XUL XPC_WN_CallMethod mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1473
7 libmozjs.dylib js_Invoke mozilla/js/src/jsinvoke.c:1304
8 libmozjs.dylib js_Interpret mozilla/js/src/jsinterp.c:4877
9 libmozjs.dylib js_Invoke mozilla/js/src/jsinvoke.c:1320
10 libmozjs.dylib js_InternalInvoke mozilla/js/src/jsinvoke.c:1376
11 libmozjs.dylib JS_CallFunctionValue mozilla/js/src/jslong.c:5058
etc..
Comment 4•15 years ago
Looks like we need to check to see if GetURI on the channel fails, and if it does, bail out. Not entirely sure why it would fail, but I suppose we can have all sorts of reasons for failure.
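The check suggested in Comment 4, as an added example that is not part of the original bug thread and is not Mozilla's code: `Channel`, `Uri`, `Status` and `ImageCache` are hypothetical stand-ins, and the assumption is that a failed `GetURI` leaves its out-parameter null, which the cache lookup then reads through.

```cpp
// Added illustration; Channel, Uri, Status and ImageCache are hypothetical
// stand-ins, not Mozilla's nsIChannel / nsIURI / imgLoader code.
#include <map>
#include <memory>
#include <string>

enum class Status { Ok, Failure };

struct Uri { std::string spec; };

// A channel whose GetURI can fail. On failure the out-parameter is left
// untouched, so the caller's pointer stays null (assumed behaviour).
struct Channel {
    std::shared_ptr<Uri> uri;  // empty for a channel with no usable URI
    Status GetURI(std::shared_ptr<Uri>* out) const {
        if (!uri) return Status::Failure;
        *out = uri;
        return Status::Ok;
    }
};

// Minimal cache keyed by the URI spec, standing in for the image cache.
struct ImageCache {
    std::map<std::string, int> hits;
    void Touch(const Uri& u) { ++hits[u.spec]; }
};

// Crashing pattern: the GetURI result is ignored, so a failed call leaves
// `uri` null and the cache lookup reads through a null pointer.
Status LoadUnchecked(const Channel& ch, ImageCache& cache) {
    std::shared_ptr<Uri> uri;
    (void)ch.GetURI(&uri);
    cache.Touch(*uri);  // null dereference when GetURI failed
    return Status::Ok;
}

// Pattern from the comment: check GetURI and bail out before the cache.
Status LoadChecked(const Channel& ch, ImageCache& cache) {
    std::shared_ptr<Uri> uri;
    if (ch.GetURI(&uri) != Status::Ok || !uri) return Status::Failure;
    cache.Touch(*uri);
    return Status::Ok;
}
```

`LoadUnchecked` is shown only for contrast and is never called with a failing channel; the null check alongside the status check covers an implementation that reports success but returns no object.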
Comment 5•15 years ago
We generally don't treat null derefs as security bugs.
Joe, there's a testcase :)
Group: core-security
Whiteboard: [ccbr]
Updated•15 years ago
Whiteboard: [ccbr] → [sg:dos][ccbr]
Updated•13 years ago (Assignee)
Crash Signature: [@ imgLoader::GetCache]
Comment 6•13 years ago
Testcase no longer exhibits crash, marking fixed.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 7•13 years ago
Not clear what fixed it, so marking worksforme.
Resolution: FIXED → WORKSFORME