Crash [@ nsCanvasRenderingContext2D::InitializeWithSurface]

RESOLVED FIXED in mozilla1.9.3a1

Status: RESOLVED FIXED
Type: defect
Priority: --
Severity: critical
Reported: 10 years ago
Modified: 8 years ago

People: Reporter: jruderman, Assigned: robarnold

Tracking: Blocks 1 bug; Keywords: crash, testcase
Version: Trunk
Target Milestone: mozilla1.9.3a1
Platform: x86 / All
Bug Flags: blocking1.9.2 +
Firefox Tracking Flags: status1.9.2 beta1-fixed

Attachments (3 attachments)

Reporter

Description

10 years ago
Looks like nsCanvasRenderingContext2D::SetDimensions passes a null surface to nsCanvasRenderingContext2D::InitializeWithSurface, which doesn't know how to deal with that.
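The pattern described above, as an added C++ illustration that is not code from this bug or from Gecko: the Surface type, the Result codes and the Context2D class are simplified stand-ins (assumptions), and only the method names SetDimensions / InitializeWithSurface are taken from the report. The unchecked initializer dereferences whatever the resize path hands it, so a null surface (degenerate size here; allocation or backend failure in the real thing) is a NULL-page read. The hardened one rejects the null, leaves the context in a known-invalid state, and makes later drawing operations fail rather than crash.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Stand-in for the Gecko nsresult convention (assumption): 0 is success,
// anything else is a failure code.
typedef uint32_t Result;
const Result RESULT_OK = 0;
const Result RESULT_ERROR_FAILURE = 0x80004005u;

// Hypothetical stand-in for the backing surface (a gfxASurface in Gecko):
// a 32-bit-per-pixel buffer with known dimensions.
struct Surface {
    int32_t width;
    int32_t height;
    std::vector<uint8_t> pixels;
    Surface(int32_t w, int32_t h)
        : width(w), height(h), pixels(static_cast<size_t>(w) * h * 4) {}
};

// Hypothetical, simplified canvas context. Only the method names mirror the
// bug report; the bodies are illustrative.
class Context2D {
public:
    // Surface creation can legitimately yield nothing. In the report this
    // null result went straight from SetDimensions into InitializeWithSurface.
    static std::unique_ptr<Surface> CreateSurface(int32_t w, int32_t h) {
        if (w <= 0 || h <= 0) return nullptr;
        return std::unique_ptr<Surface>(new Surface(w, h));
    }

    // The buggy shape: trusts its argument and dereferences it unconditionally.
    // Called with a null pointer this reads from the NULL page and crashes.
    Result InitializeWithSurfaceUnchecked(std::unique_ptr<Surface> s) {
        mWidth = s->width;
        mHeight = s->height;
        mSurface = std::move(s);
        mValid = true;
        return RESULT_OK;
    }

    // The hardened shape: reject a null surface, drop into a known-invalid
    // state, and report the failure to the caller instead of crashing.
    Result InitializeWithSurface(std::unique_ptr<Surface> s) {
        if (!s) {
            Reset();
            return RESULT_ERROR_FAILURE;
        }
        mWidth = s->width;
        mHeight = s->height;
        mSurface = std::move(s);
        mValid = true;
        return RESULT_OK;
    }

    // The caller path from the report: allocate for the new size, then initialize.
    Result SetDimensions(int32_t w, int32_t h) {
        return InitializeWithSurface(CreateSurface(w, h));
    }

    // Later operations gate on mValid, so a failed SetDimensions cannot be
    // followed by a dereference of the missing surface elsewhere.
    Result Fill(uint8_t value) {
        if (!mValid) return RESULT_ERROR_FAILURE;
        std::fill(mSurface->pixels.begin(), mSurface->pixels.end(), value);
        return RESULT_OK;
    }

    bool IsValid() const { return mValid; }
    int32_t Width() const { return mWidth; }
    int32_t Height() const { return mHeight; }
    const Surface* GetSurface() const { return mSurface.get(); }

private:
    void Reset() {
        mSurface.reset();
        mWidth = 0;
        mHeight = 0;
        mValid = false;
    }

    std::unique_ptr<Surface> mSurface;
    int32_t mWidth = 0;
    int32_t mHeight = 0;
    bool mValid = false;
};

int main() {
    Context2D ctx;
    std::printf("SetDimensions(16, 16) -> 0x%08x valid=%d\n", ctx.SetDimensions(16, 16), ctx.IsValid());
    std::printf("SetDimensions(0, 16)  -> 0x%08x valid=%d\n", ctx.SetDimensions(0, 16), ctx.IsValid());
    std::printf("Fill after failure    -> 0x%08x\n", ctx.Fill(0xff));
    return 0;
}
```

The important design point is that the null check lives in the callee and the failure is propagated: the resize path cannot be trusted to pre-validate every way a surface can fail to exist, and a context left half-initialized would only move the crash to the next drawing call.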
Reporter

Comment 1

10 years ago
Posted file stack trace
AFAICT application NULL stuff is not exploitable on recent Linux (unless the offset is higher than sys/vm/mmap_min_addr).

I have read that on the ARM architecture 0 is mmapped by default, so this may be a problem on ARM.
... I mean on recent i386/x86_64 Linux
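The exploitability argument in the comments above rests on the kernel refusing to map the page at virtual address 0 for unprivileged processes: the floor is the vm.mmap_min_addr sysctl, exposed as /proc/sys/vm/mmap_min_addr, and only a process with CAP_SYS_RAWIO may map below it. An added C++ check, not part of this bug, that reads the floor and then asks for a MAP_FIXED page at address 0, which is exactly what an attacker would need before a NULL dereference like this one becomes a controlled read or write. The function names are mine.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstring>
#include <sys/mman.h>
#include <unistd.h>

// Returns vm.mmap_min_addr, or -1 if it cannot be read (non-Linux, no /proc).
long ReadMmapMinAddr() {
    FILE* f = std::fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f) return -1;
    long value = -1;
    if (std::fscanf(f, "%ld", &value) != 1) value = -1;
    std::fclose(f);
    return value;
}

// Tries to place one anonymous, writable page at address 0 (MAP_FIXED makes
// the address a demand rather than a hint). Returns true only if the kernel
// granted a mapping at 0; on failure the errno is reported through err_out
// (EPERM from the mmap_min_addr check, EACCES under an SELinux mmap_zero denial).
bool TryMapNullPage(int* err_out) {
    long page = sysconf(_SC_PAGESIZE);
    void* p = mmap(nullptr, static_cast<size_t>(page), PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        if (err_out) *err_out = errno;
        return false;
    }
    bool at_zero = (p == nullptr);
    munmap(p, static_cast<size_t>(page));  // never leave page 0 mapped behind us
    return at_zero;
}

int main() {
    int err = 0;
    long min_addr = ReadMmapMinAddr();
    bool mapped = TryMapNullPage(&err);
    std::printf("vm.mmap_min_addr = %ld\n", min_addr);
    if (mapped)
        std::printf("page 0 mapped: NULL dereferences in this process are attacker-controllable\n");
    else
        std::printf("page 0 not mappable: %s\n", std::strerror(err));
    return 0;
}
```

Run it as the unprivileged user the browser would run as; a root shell with CAP_SYS_RAWIO will map the page and tell you nothing about the real process.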
Assignee

Comment 5

10 years ago
This seems to fix the crash.
Attachment #393558 - Flags: review?(vladimir)
Assignee

Updated

10 years ago
Status: NEW → ASSIGNED
Assignee

Updated

10 years ago
Keywords: checkin-needed
Comment on attachment 393558
v1.0
[Checkin: Comment 6 & 7]

http://hg.mozilla.org/mozilla-central/rev/bf607bae5e38
Attachment #393558 - Attachment description: v1.0 → v1.0 [Checkin: Comment 6]
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [c-n: m-1.9.2]
Target Milestone: --- → mozilla1.9.3a1
Comment on attachment 393558
v1.0
[Checkin: Comment 6 & 7]

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/acf72836efcb
Attachment #393558 - Attachment description: v1.0 [Checkin: Comment 6] → v1.0 [Checkin: Comment 6 & 7]
Keywords: checkin-needed
Whiteboard: [c-n: m-1.9.2]
Crash Signature: [@ nsCanvasRenderingContext2D::InitializeWithSurface]