Open Bug 580351 Opened 14 years ago Updated 2 years ago

Invalid read of size 8 in resample_byte_h_4cpp_vector

Categories: Core :: Widget: Cocoa, defect
Platform: x86, macOS
Reporter: jruderman (Unassigned)
Keywords: sec-vector, testcase, valgrind
Whiteboard: [sg:vector-low (Apple)] rdar://8212792

Attachments (1 file): testcase, 72 bytes, application/xhtml+xml

Attached file testcase
Loading the testcase in Firefox (trunk) under Valgrind (trunk) on Mac OS X (10.6.4) causes the following warning. It's reading 8 bytes, 4 of which are past the end of the allocation.

==3070== Invalid read of size 8
==3070==    at 0x106180444: resample_byte_h_4cpp_vector (in /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics)
==3070==    by 0x10617FF91: resample_band (in /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics)
==3070==    by 0x10617E03B: img_interpolate_read (in /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics)
==3070==    by 0x1061591DE: img_data_lock (in /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics)
==3070==    by 0x1061562EE: CGSImageDataLock (in /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics)
==3070==    by 0x124A36226: ripc_AcquireImage (in /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib)
==3070==    by 0x124A34AA8: ripc_DrawImage (in /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib)
==3070==    by 0x106171119: CGContextDrawImage (in /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics)
==3070==    by 0x100A37F32: DrawCellWithScaling(NSCell*, CGContext*, CGRect const&, unsigned long, CGSize, CGSize, float const (*) [3][4], NSView*, signed char) (nsNativeThemeCocoa.mm:380)
==3070==    by 0x100A38E9F: DrawCellWithSnapping(NSCell*, CGContext*, CGRect const&, CellRenderSettings, float, NSView*, signed char, float) (nsNativeThemeCocoa.mm:488)
==3070==    by 0x100A3B004: nsNativeThemeCocoa::DrawDropdown(CGContext*, CGRect const&, int, unsigned char, nsIFrame*) (nsNativeThemeCocoa.mm:939)
==3070==    by 0x100A3BC29: nsNativeThemeCocoa::DrawWidgetBackground(nsIRenderingContext*, nsIFrame*, unsigned char, nsRect const&, nsRect const&) (nsNativeThemeCocoa.mm:1720)
==3070==  Address 0x1229716c4 is 4,964 bytes inside a block of size 4,968 alloc'd
==3070==    at 0x100010D65: malloc (vg_replace_malloc.c:236)
==3070==    by 0x10618D130: CGDataProviderCreateWithCopyOfData (in /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics)
==3070==    by 0x10618CF65: CGBitmapContextCreateImage (in /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics)
==3070==    by 0x100A37E4C: DrawCellWithScaling(NSCell*, CGContext*, CGRect const&, unsigned long, CGSize, CGSize, float const (*) [3][4], NSView*, signed char) (nsNativeThemeCocoa.mm:367)
==3070==    by 0x100A38E9F: DrawCellWithSnapping(NSCell*, CGContext*, CGRect const&, CellRenderSettings, float, NSView*, signed char, float) (nsNativeThemeCocoa.mm:488)
==3070==    by 0x100A3B004: nsNativeThemeCocoa::DrawDropdown(CGContext*, CGRect const&, int, unsigned char, nsIFrame*) (nsNativeThemeCocoa.mm:939)
==3070==    by 0x100A3BC29: nsNativeThemeCocoa::DrawWidgetBackground(nsIRenderingContext*, nsIFrame*, unsigned char, nsRect const&, nsRect const&) (nsNativeThemeCocoa.mm:1720)
==3070==    by 0x1001841EC: nsCSSRendering::PaintBackgroundWithSC(nsPresContext*, nsIRenderingContext&, nsIFrame*, nsRect const&, nsRect const&, nsStyleContext*, nsStyleBorder const&, unsigned int, nsRect*) (nsCSSRendering.cpp:2156)
==3070==    by 0x100184406: nsCSSRendering::PaintBackground(nsPresContext*, nsIRenderingContext&, nsIFrame*, nsRect const&, nsRect const&, unsigned int, nsRect*) (nsCSSRendering.cpp:1474)
==3070==    by 0x10018DFF9: nsDisplayBackground::Paint(nsDisplayListBuilder*, nsIRenderingContext*) (nsDisplayList.cpp:790)
==3070==    by 0x100165082: mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) (FrameLayerBuilder.cpp:1397)
==3070==    by 0x100BAFEDC: mozilla::layers::BasicThebesLayer::Paint(gfxContext*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, float) (BasicLayers.cpp:352)
==3070==
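When triaging a Memcheck report like the one above, the numbers that matter are the access size, the offset of the address inside the heap block, and the block size: together they say how many bytes the access actually touches outside the allocation. The following parser is an added example (not part of this bug, and not code from Mozilla or Valgrind) that extracts those fields from the text of an "Invalid read/write" report and computes the overrun. The SAMPLE_REPORT constant is constructed from the trace above with the long framework paths shortened to "..."; the parser also handles the "bytes after/before a block" and "free'd" variants of the Address line, which go beyond this bug's case.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the head of the Valgrind report quoted in this bug, with the
# long framework paths shortened to "..." (the parser only looks at frame names).
SAMPLE_REPORT = """\
==3070== Invalid read of size 8
==3070==    at 0x106180444: resample_byte_h_4cpp_vector (in .../CoreGraphics)
==3070==    by 0x10617FF91: resample_band (in .../CoreGraphics)
==3070==    by 0x106171119: CGContextDrawImage (in .../CoreGraphics)
==3070==    by 0x100A37F32: DrawCellWithScaling(NSCell*, CGContext*, CGRect const&, unsigned long, CGSize, CGSize, float const (*) [3][4], NSView*, signed char) (nsNativeThemeCocoa.mm:380)
==3070==  Address 0x1229716c4 is 4,964 bytes inside a block of size 4,968 alloc'd
==3070==    at 0x100010D65: malloc (vg_replace_malloc.c:236)
==3070==    by 0x10618D130: CGDataProviderCreateWithCopyOfData (in .../CoreGraphics)
==3070==    by 0x10618CF65: CGBitmapContextCreateImage (in .../CoreGraphics)
==3070==
"""

HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)\s*$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.*)$")
ADDRESS = re.compile(
    r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes (inside|after|before) "
    r"a block of size ([\d,]+) (alloc'd|free'd)\s*$"
)
BLANK = re.compile(r"^==\d+==\s*$")
# Valgrind's own malloc replacements live in vg_replace_malloc.c; the frame that
# called them is the one a human wants to see as "the allocator".
VALGRIND_SHIM = "vg_replace_malloc.c"


def _split_frame(rest: str) -> Tuple[str, str]:
    """Split 'name (in lib)' / 'name (file:line)' into (name, location).
    rfind is used because C++ signatures themselves contain parentheses."""
    cut = rest.rfind(" (")
    if cut < 0:
        return rest, ""
    return rest[:cut], rest[cut + 2:].rstrip(")")


def _num(s: str) -> int:
    return int(s.replace(",", ""))  # Valgrind prints thousands separators


@dataclass
class InvalidAccess:
    kind: str                           # "read" or "write"
    size: int                           # bytes accessed
    access_stack: List[Tuple[str, str]] # frames of the faulting access, top first
    offset: int                         # access address relative to block start
    block_size: int
    block_state: str                    # "alloc'd" or "free'd"
    alloc_stack: List[Tuple[str, str]]  # frames of the allocation, top first

    @property
    def top_frame(self) -> str:
        return self.access_stack[0][0]

    @property
    def allocator_frame(self) -> str:
        for name, loc in self.alloc_stack:
            if VALGRIND_SHIM not in loc:
                return name
        return self.alloc_stack[0][0] if self.alloc_stack else ""

    @property
    def bytes_in_bounds(self) -> int:
        # overlap of [offset, offset+size) with [0, block_size)
        lo, hi = max(self.offset, 0), min(self.offset + self.size, self.block_size)
        return max(0, hi - lo)

    @property
    def bytes_out_of_bounds(self) -> int:
        return self.size - self.bytes_in_bounds

    def describe(self) -> str:
        if self.block_state == "free'd":
            return (f"{self.kind} of {self.size} bytes into a freed {self.block_size}-byte "
                    f"block (use-after-free) in {self.top_frame}")
        return (f"{self.kind} of {self.size} bytes at offset {self.offset} of a "
                f"{self.block_size}-byte block: {self.bytes_out_of_bounds} byte(s) outside "
                f"the allocation; accessed in {self.top_frame}, allocated in {self.allocator_frame}")


def parse_invalid_access(report: str) -> Optional[InvalidAccess]:
    """Parse the first 'Invalid read/write' block in Memcheck output."""
    kind = size = offset = block_size = None
    state = ""
    access_stack: List[Tuple[str, str]] = []
    alloc_stack: List[Tuple[str, str]] = []
    in_alloc = False
    for line in report.splitlines():
        m = HEADER.match(line)
        if m:
            if kind is not None:
                break                      # a second report starts
            kind, size = m.group(1), int(m.group(2))
            continue
        if kind is None:
            continue                       # skip text before the first report
        m = ADDRESS.match(line)
        if m:
            n, rel, block_size, state = _num(m.group(1)), m.group(2), _num(m.group(3)), m.group(4)
            offset = {"inside": n, "after": block_size + n, "before": -n}[rel]
            in_alloc = True
            continue
        m = FRAME.match(line)
        if m:
            (alloc_stack if in_alloc else access_stack).append(_split_frame(m.group(1)))
            continue
        if BLANK.match(line):
            break                          # empty "==pid==" line terminates the report
    if kind is None or offset is None or not access_stack:
        return None
    return InvalidAccess(kind, size, access_stack, offset, block_size, state, alloc_stack)


if __name__ == "__main__":
    print(parse_invalid_access(SAMPLE_REPORT).describe())
```

For the report above this yields a 4-byte overrun of a 4,968-byte block allocated by CGDataProviderCreateWithCopyOfData, which is the arithmetic behind the reporter's "4 of which are past the end of the allocation".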
Whiteboard: [sg:vector-low (Apple)] rdar://8212792
Keywords: sec-vector
Keywords: sec-other
Severity: normal → S3