Closed Bug 508860 Opened 15 years ago Closed 14 years ago

Crash [@ nsCanvasRenderingContext2D::InitializeWithSurface]

Categories

(Core :: Graphics: Canvas2D, defect)

Product:
Core
Component:
Graphics: Canvas2D
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a1
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed

People

(Reporter: jruderman, Assigned: robarnold)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

testcase (crashes Firefox when loaded)
255 bytes, text/html
Details
stack trace
8.06 KB, text/plain
Details
v1.0 [Checkin: Comment 6 & 7]
898 bytes, patch
vlad
: review+
Details | Diff | Splinter Review 
Looks like nsCanvasRenderingContext2D::SetDimensions passes a null surface to nsCanvasRenderingContext2D::InitializeWithSurface, which doesn't know how to deal with that.
Attached file stack trace 

    
    

    
  
afaict application NULL stuff is not exploitable on recent linux (unless the offset is higher than sys/vm/mmap_min_addr).

i have read that on arm architecture 0 is mmaped by default so this may be a problem on arm.

    
    

    
  
... i mean on recent i386/x86_64 linux

    
    

    
  


  
This seems to fix the crash.

        Attachment #393558 -
        Flags: review?(vladimir)

    
  
Status: NEW → ASSIGNED

    
  
Keywords: checkin-needed

    
    

    
  
Comment on attachment 393558 [details] [diff] [review]
v1.0
[Checkin: Comment 6 & 7]


http://hg.mozilla.org/mozilla-central/rev/bf607bae5e38

        Attachment #393558 -
        Attachment description: v1.0 → v1.0
[Checkin: Comment 6]
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [c-n: m-1.9.2]
Target Milestone: --- → mozilla1.9.3a1

    
    

    
  
Comment on attachment 393558 [details] [diff] [review]
v1.0
[Checkin: Comment 6 & 7]


http://hg.mozilla.org/releases/mozilla-1.9.2/rev/acf72836efcb

        Attachment #393558 -
        Attachment description: v1.0
[Checkin: Comment 6] → v1.0
[Checkin: Comment 6 & 7]

          status1.9.2:
          --- → beta1-fixed
Keywords: checkin-needed
Whiteboard: [c-n: m-1.9.2]
Crash Signature: [@ nsCanvasRenderingContext2D::InitializeWithSurface]

          You need to log in
          before you can comment on or make changes to this bug.