Closed
Bug 513738
Opened 15 years ago
Closed 15 years ago
crash (segfault) @ nsGIFDecoder2::GifWrite nsGIFDecoder2.cpp:1112 (memset)
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.9.3a1
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
| status1.9.1 | --- | unaffected |
People
(Reporter: keeler, Assigned: alfredkayser)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical])
Attachments
(3 files, 1 obsolete file)
|
88.19 KB,
image/gif
|
Details | |
|
4.06 KB,
text/plain
|
Details | |
|
3.43 KB,
patch
|
vlad
:
superreview+
shaver
:
approval1.9.2+
|
Details | Diff | Splinter Review |
gif file that causes crash
Build Identifier: mozilla-central revision 6aab4d7bb538 Firefox crashes when viewing the attached gif file. Reproducible: Always Steps to Reproduce: 1. Load attached file. Actual Results: firefox crashes Expected Results: firefox doesn't crash Note: doesn't appear to crash 3.5, but it still crashes m-c nightlies going back at least a month.
|
Reporter | |
Comment 1•15 years ago
|
||
|
Assignee | |
Comment 2•15 years ago
|
||
Probably caused by bug 753: When a gif has local colormaps in animated frames, mColormap is not allocated correctly.
|
|
Assignee | |
Comment 3•15 years ago
|
||
Issue found: the attached image has a frame which is very large, actually too large for imgFrame, but BeginImageFrame doesn't return the error back to the state engine, which then happily tries to use the result of the failed BeginImageFrame. And indeed this is caused by bug 753. Comparable to bug 505474 where the old code uses mImageData to check if BeginImageFrame was successful, this doesn't work anymore in the new code, so adding a check for nsresult will make this more error proof.
Assignee: nobody → alfredkayser
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #397834 -
Flags: review?(vladimir)
|
||
Comment 5•15 years ago
|
||
Comment on attachment 397834 [details] [diff] [review] Fix error handling for too large frames Remove the unrelated indendentation changes and we're all good!
Attachment #397834 -
Flags: review?(vladimir) → review+
|
|
Assignee | |
Comment 6•15 years ago
|
||
Attachment #397834 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•15 years ago
|
Keywords: checkin-needed
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical]
|
||
Comment 7•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/94678be14027
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
|
|
||
Updated•15 years ago
|
Attachment #398090 -
Flags: approval1.9.2?
Attachment #398090 -
Flags: approval1.9.1.4?
Attachment #398090 -
Flags: approval1.9.0.15?
|
||
Updated•15 years ago
|
Attachment #398090 -
Flags: superreview?(vladimir)
|
|
||
Comment 8•15 years ago
|
||
Comment on attachment 398090 [details] [diff] [review] Removed the whitespace fix. As a security bug, per our new policy, this patch needs explicit superview from a second person. It should *not* have landed on trunk without that superview. Please be mindful of that in the future. (Reed, you should know better.) http://www.mozilla.org/hacking/reviewers.html Tagging vlad for superview.
|
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical] → [sg:critical][needs sr=vlad]
Attachment #398090 -
Flags: superreview?(vladimir) → superreview+
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical][needs sr=vlad] → [sg:critical]
|
||
Comment 9•15 years ago
|
||
Comment on attachment 398090 [details] [diff] [review] Removed the whitespace fix. Approved for 1.9.1.4 and 1.9.0.15, a=dveditz for release-drivers
Attachment #398090 -
Flags: approval1.9.1.4?
Attachment #398090 -
Flags: approval1.9.1.4+
Attachment #398090 -
Flags: approval1.9.0.15?
Attachment #398090 -
Flags: approval1.9.0.15+
Attachment #398090 -
Flags: approval1.9.2? → approval1.9.2+
Comment on attachment 398090 [details] [diff] [review] Removed the whitespace fix. a1.9.2=shaver
|
|
||
Comment 11•15 years ago
|
||
Patch doesn't apply on 1.9.1 or 1.9.0 due to code changes. Need new patch. 1.9.2 -- http://hg.mozilla.org/releases/mozilla-1.9.2/rev/860d8d674561
|
|
||
Updated•15 years ago
|
Attachment #398090 -
Flags: approval1.9.1.4+
Attachment #398090 -
Flags: approval1.9.0.15+
|
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical] → [sg:critical][need new patch for 1.9.1 and 1.9.0]
|
|
||
Updated•15 years ago
|
blocking1.9.1: ? → .4+
status1.9.1:
--- → wanted
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.15?
Flags: blocking1.9.0.15+
Flags: blocking1.8.1.next?
|
|
Assignee | |
Comment 12•15 years ago
|
||
This patch is not needed on 1.9.1 or older, as the missing error check that is fixed in this patch is not needed there, as the old code checks on mImageFrame!=null as the condition for successful BeginImageFrame. This is not very clean, but 'it works'. See comment #3. This issue was introduced by bug 753, where mImageFrame was removed, removing the error check as well. Bug 753 has not been applied to 191 and never will.
|
|
||
Updated•15 years ago
|
Blocks: 753
blocking1.9.1: .4+ → ---
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.15+
Flags: blocking1.8.1.next?
Whiteboard: [sg:critical][need new patch for 1.9.1 and 1.9.0] → [sg:critical]
|
||
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
|
||
Updated•15 years ago
|
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
|
|
||
Updated•15 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•