Memory corruption in the GIF decoder destruction

RESOLVED FIXED in mozilla2.0b7

Status


Type: defect
Priority: --
Severity: critical
Status: RESOLVED FIXED

People

(Reporter: Ehsan, Assigned: Ehsan)

Tracking

({crash, regression})

Trunk
mozilla2.0b7

Firefox Tracking Flags

(blocking2.0 final+)


Attachments

(1 attachment)

We use moz_xmalloc (which maps to je_malloc on jemalloc enabled builds) to allocate mGIFStruct.local_colormap, and then we free it using PR_FREEIF which maps to PRFree which in turn maps to stdlib's free.  This means that we allocate memory from one heap and try to free it on another.

If we're lucky, this means that we're leaking.  If we're not lucky, it means that we're crashing, or corrupting arbitrary memory, or worse.
Keywords: crash
Version: unspecified → Trunk
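The mismatch described in comment 0 (allocate on one heap, hand the pointer to another heap's free) is easy to model. The following is an added illustration, not code from the bug or from Mozilla's tree: it stands in a toy bump arena for je_malloc and the C library malloc for the PR_Free path, tags every block with a header recording which heap owns it, and refuses a free whose owner does not match. Real allocators carry no such tag; a foreign pointer passed to free() is undefined behaviour, which is why the report lists leak, crash and memory corruption as the possible outcomes. All names (arena_malloc, libc_free, decoder_teardown_buggy, and so on) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Toy model of two heaps (hypothetical, not Mozilla code):
 * HEAP_ARENA stands in for jemalloc (moz_xmalloc -> je_malloc),
 * HEAP_LIBC  stands in for the C library (PR_FREEIF -> PR_Free -> free). */
typedef enum { HEAP_NONE = 0, HEAP_ARENA = 0xA11, HEAP_LIBC = 0xC11 } heap_id;

#define HDR_MAGIC 0x48454150u /* "HEAP" */
typedef struct { uint32_t magic; uint32_t heap; size_t size; } alloc_hdr;

#define ARENA_BYTES (1u << 16)
#define ALIGN 16u
static _Alignas(16) unsigned char arena[ARENA_BYTES];
static size_t arena_top;

static alloc_hdr *hdr_of(void *user) { return (alloc_hdr *)user - 1; }

/* Bump allocation from the arena; blocks are never reused. */
void *arena_malloc(size_t n) {
    size_t need = (sizeof(alloc_hdr) + n + ALIGN - 1) & ~(size_t)(ALIGN - 1);
    if (arena_top + need > ARENA_BYTES) return NULL;
    alloc_hdr *h = (alloc_hdr *)(arena + arena_top);
    arena_top += need;
    h->magic = HDR_MAGIC; h->heap = HEAP_ARENA; h->size = n;
    return h + 1;
}

/* Same header, but backed by the C library heap. */
void *libc_malloc(size_t n) {
    alloc_hdr *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->magic = HDR_MAGIC; h->heap = HEAP_LIBC; h->size = n;
    return h + 1;
}

/* Which heap owns this user pointer? HEAP_NONE if the header is invalid. */
heap_id owner_of(const void *user) {
    if (!user) return HEAP_NONE;
    const alloc_hdr *h = (const alloc_hdr *)user - 1;
    return h->magic == HDR_MAGIC ? (heap_id)h->heap : HEAP_NONE;
}

/* Each free refuses pointers from the other heap and returns -1.
 * A real free() has no such guard and would walk the wrong metadata. */
int arena_free(void *user) {
    if (!user) return 0;
    if (owner_of(user) != HEAP_ARENA) return -1;
    hdr_of(user)->magic = 0;            /* poison; arena never reuses */
    return 0;
}
int libc_free(void *user) {
    if (!user) return 0;
    if (owner_of(user) != HEAP_LIBC) return -1;
    alloc_hdr *h = hdr_of(user);
    h->magic = 0;
    free(h);
    return 0;
}

/* Mirrors the reported bug: colormap from the jemalloc-like heap,
 * released through the libc path. Returns -1 (mismatch caught). */
int decoder_teardown_buggy(void) {
    uint8_t *local_colormap = arena_malloc(256 * 3);
    if (!local_colormap) return -2;
    return libc_free(local_colormap);
}

/* Mirrors the fix: free with the same allocator family. Returns 0. */
int decoder_teardown_fixed(void) {
    uint8_t *local_colormap = arena_malloc(256 * 3);
    if (!local_colormap) return -2;
    return arena_free(local_colormap);
}

int main(void) {
    printf("buggy teardown: %d (nonzero = cross-heap free refused)\n",
           decoder_teardown_buggy());
    printf("fixed teardown: %d\n", decoder_teardown_fixed());
    return 0;
}
```

The guard here exists only to make the mismatch observable; in a real build the defence is the pairing discipline the patch restores (moz_xmalloc with moz_free, PR_Malloc with PR_Free), plus a debug allocator or ASan, which flag a free of a pointer they did not hand out.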
Posted patch: Patch (v1)
Attachment #483280 - Flags: review?(joe)
This should block 2.0, and also branches if we do the same thing there as well.
blocking2.0: --- → ?
This is a regression from http://hg.mozilla.org/mozilla-central/rev/389e836517bc (bug 514033), so I guess it is not applicable to branches.
Blocks: 514033
Keywords: regression
Attachment #483280 - Flags: review?(joe) → review+
blocking2.0: ? → final+
Whiteboard: [needs landing]
http://hg.mozilla.org/mozilla-central/rev/21c846fa8e89
Status: ASSIGNED → RESOLVED
Resolution: --- → FIXED
Whiteboard: [needs landing]
Target Milestone: --- → mozilla2.0b8
Target Milestone: mozilla2.0b8 → mozilla2.0b7