Closed Bug 508860 Opened 16 years ago Closed 16 years ago

Crash [@ nsCanvasRenderingContext2D::InitializeWithSurface]

Categories

(Core :: Graphics: Canvas2D, defect)

Product:
Core
Component:
Graphics: Canvas2D
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a1
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed

People

(Reporter: jruderman, Assigned: robarnold)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

testcase (crashes Firefox when loaded)
255 bytes, text/html
Details
stack trace
8.06 KB, text/plain
Details
v1.0 [Checkin: Comment 6 & 7]
898 bytes, patch
vlad
: review+
Details | Diff | Splinter Review
Looks like nsCanvasRenderingContext2D::SetDimensions passes a null surface to nsCanvasRenderingContext2D::InitializeWithSurface, which doesn't know how to deal with that.
Attached file stack trace
afaict application NULL stuff is not exploitable on recent linux (unless the offset is higher than sys/vm/mmap_min_addr). i have read that on arm architecture 0 is mmaped by default so this may be a problem on arm.
... i mean on recent i386/x86_64 linux
This seems to fix the crash.
Attachment #393558 - Flags: review?(vladimir)
Status: NEW → ASSIGNED
Keywords: checkin-needed
Comment on attachment 393558 [details] [diff] [review] v1.0 [Checkin: Comment 6 & 7] http://hg.mozilla.org/mozilla-central/rev/bf607bae5e38
Attachment #393558 - Attachment description: v1.0 → v1.0 [Checkin: Comment 6]
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [c-n: m-1.9.2]
Target Milestone: --- → mozilla1.9.3a1
Comment on attachment 393558 [details] [diff] [review] v1.0 [Checkin: Comment 6 & 7] http://hg.mozilla.org/releases/mozilla-1.9.2/rev/acf72836efcb
Attachment #393558 - Attachment description: v1.0 [Checkin: Comment 6] → v1.0 [Checkin: Comment 6 & 7]
status1.9.2: --- → beta1-fixed
Keywords: checkin-needed
Whiteboard: [c-n: m-1.9.2]
Crash Signature: [@ nsCanvasRenderingContext2D::InitializeWithSurface]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: