Closed Bug 503237 Opened 15 years ago Closed 13 years ago

Crash [@ imgLoader::GetCache] null pointer read

Categories

(Core :: Graphics: ImageLib, defect)

defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: gfleischer+bugzilla, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos][ccbr])

Crash Data

Attachments

(2 files)

User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1pre) Gecko/20090708 Shiretoko/3.5.1pre

Crash with null pointer read when loadImageWithChannel is called for an image.

Reproducible: Always
Attached file testcase
Attached file stacktrace from WinDbg
Attachment #387592 - Attachment mime type: application/octet-stream → text/plain
Crashes in trunk: http://crash-stats.mozilla.com/report/index/a35119e6-53d8-429f-ad92-0e8da2090709

0 XUL imgLoader::LoadImageWithChannel modules/libpr0n/src/imgLoader.cpp:542
1 XUL nsImageLoadingContent::LoadImageWithChannel content/base/src/nsImageLoadingContent.cpp:450
2 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
3 XUL XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2691
4 XUL XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1732
5 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1389
6 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:5242
7 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1397
8 libmozjs.dylib js_InternalInvoke js/src/jsinterp.cpp:1469
9 libmozjs.dylib JS_CallFunctionValue js/src/jsapi.cpp:5199
10 XUL nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:2090
etc...

Also crashes in Firefox 3: http://crash-stats.mozilla.com/report/index/f5737c21-d73d-4a53-8e9c-41f602090709?p=1

0 XUL GetCacheSession mozilla/modules/libpr0n/src/imgCache.cpp:140
1 XUL imgCache::Get mozilla/modules/libpr0n/src/imgCache.cpp:265
2 XUL imgLoader::LoadImageWithChannel mozilla/modules/libpr0n/src/imgLoader.cpp:577
3 XUL nsImageLoadingContent::LoadImageWithChannel mozilla/content/base/src/nsImageLoadingContent.cpp:449
4 XUL NS_InvokeByIndex_P mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
5 XUL XPCWrappedNative::CallMethod mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2393
6 XUL XPC_WN_CallMethod mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1473
7 libmozjs.dylib js_Invoke mozilla/js/src/jsinvoke.c:1304
8 libmozjs.dylib js_Interpret mozilla/js/src/jsinterp.c:4877
9 libmozjs.dylib js_Invoke mozilla/js/src/jsinvoke.c:1320
10 libmozjs.dylib js_InternalInvoke mozilla/js/src/jsinvoke.c:1376
11 libmozjs.dylib JS_CallFunctionValue mozilla/js/src/jslong.c:5058
etc..
Status: UNCONFIRMED → NEW
Component: General → ImageLib
Ever confirmed: true
Keywords: crash, testcase
Product: Firefox → Core
QA Contact: general → imagelib
Version: unspecified → Trunk
Looks like we need to check to see if GetURI on the channel fails, and if it does, bail out. Not entirely sure why it would fail, but I suppose we can have all sorts of reasons for failure.
We generally don't treat null derefs as security bugs. Joe, there's a testcase :)
Group: core-security
Whiteboard: [ccbr]
Whiteboard: [ccbr] → [sg:dos][ccbr]
Crash Signature: [@ imgLoader::GetCache]
Testcase no longer exhibits crash, marking fixed.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Not clear what fixed it, so marking worksforme.
Resolution: FIXED → WORKSFORME