CSS style tag with "false" content generates segmentation fault

RESOLVED INVALID

People

(Reporter: suki.venkat, Unassigned)


(Reporter)

Description

7 years ago
Created attachment 548098 [details]
bug.html

User Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Build ID: 20110628230241

Steps to reproduce:

I tried to load an HTML5 file with <style>false</style> in the head part of HTML using my addon MuLTiFlow (http://sourceforge.net/projects/multiflow/).


Actual results:

The xulrunner or any version of Firefox (-app) crashes with the following messages:

skv@skv-laptop:~/svn/multiflow/trunk$ ff5 -app application.ini -jsconsole

(firefox-bin:2473): librsvg-WARNING **: CSS parsing error

(firefox-bin:2473): librsvg-WARNING **: CSS unrecoverable error

parsing error: 1:0:could not recognize next production
Segmentation fault




Expected results:

It should have loaded the HTML5 file in the XUL window's iframe.

Can you provide a stacktrace of the crash?
Keywords: stackwanted

> librsvg-WARNING

Where does librsvg come from?  That's not part of our code, and none of the error messages you list come from our code as far as I can tell.  So what code is actually running there and why is it parsing the contents of that <style> tag?
(Reporter)

Comment 3

7 years ago
(In reply to comment #2)
> > librsvg-WARNING
> 
> Where does librsvg come from?  That's not part of our code, and none of the
> error messages you list come from our code as far as I can tell.  So what
> code is actually running there and why is it parsing the contents of that
> <style> tag?

I open the attached file using the following XP-Components code:

	var nsIFilePicker = Components.interfaces.nsIFilePicker;
	var fp = Components.classes["@mozilla.org/filepicker;1"].createInstance(nsIFilePicker);
	fp.init(window, "Open a File", nsIFilePicker.modeOpen);
	fp.appendFilters(nsIFilePicker.filterHTML);
	var res = fp.show();

I traced it to this line of the code: var res = fp.show();

You can check-out the code from:
 svn co https://multiflow.svn.sourceforge.net/svnroot/multiflow/trunk multiflow

To run XUL app you just have to do:
  firefox -app application.ini -jsconsole
Now using File menu if I Open the file then I get those errors...

BTW: I found that I have to add a <svg></svg> element to the file to reproduce that error!
(Reporter)

Comment 4

7 years ago
Created attachment 549024 [details]
If I attach this file it crashes Firefox, so I have attached it as bug.html.zip

(Reporter)

Comment 5

7 years ago
Oops!

It looks like a much bigger bug than I thought:

This file crashes Firefox. I couldn't even upload it to BugZilla!!!
(Reporter)

Comment 6

7 years ago
If you unzip bug.html.zip and open bug.html then it crashes Firefox 3.6.18 and Firefox 6.0 at least but looks like a generic bug...

This sounds like a bug in Ubuntu's filepicker, trying to show a preview of the file and then crashing...  Do you get the same crash if you open a filepicker from some other application and try to select that file?

I am a librsvg maintainer, so this bug might be my fault.

Anyway please file a bug in

https://bugzilla.gnome.org/enter_bug.cgi?product=librsvg 

with problematic svg file.

You can use the rsvg-view command to reproduce the crash maybe..

If it's not a problem with the KDE filepicker, does Ubuntu come with a modified GTK file picker?

I am not sure about KDE's filepicker but normal GTK's one usually uses librsvg through gdkpixbuf-loader.

(In reply to comment #10)
> I am not sure about KDE's filepicker but normal GTK's one usually uses
> librsvg through gdkpixbuf-loader.

When there is a preview, but there is not supposed to be one when used under Firefox.

OK. I could reproduce the crash and found a fault in librsvg.

See https://bugzilla.gnome.org/show_bug.cgi?id=655472

But there is another issue in firefox because the file does not cause any crash with other applications using GTK+. So I guess firefox's filepicker recognizes the file (attachment 549024 [details]) as an SVG file.  But.. It is not realizable because the recognizer is owned by librsvg itself. Weird..
(In reply to comment #11)
> (In reply to comment #10)
> > I am not sure about KDE's filepicker but normal GTK's one usually uses
> > librsvg through gdkpixbuf-loader.
> 
> When there is a preview, but there is not supposed to be one when used under
> Firefox.

from widget/src/gtk2/nsFilePicker.cpp

  gint preview_width = 0;
  gint preview_height = 0;
  GdkPixbufFormat *preview_format = gdk_pixbuf_get_file_info(image_filename,
                                                             &preview_width,

gdk_pixbuf_get_file_info() kicks pixbuf-loader.

(In reply to comment #12)
> OK. I could reproduce the crash and found a fault in librsvg.
> 
> See https://bugzilla.gnome.org/show_bug.cgi?id=655472
> 
> But there is another issue in firefox because the file does not cause any
> crash with other applications using GTK+. So I guess firefox's filepicker
> recognizes the file (attachment 549024 [details]) as an SVG file.  But.. It
> is not realizable because the recognizer is owned by librsvg itself. Weird..

Ah I am sorry, firefox does not have any faults about this. 

Because the file contains "<svg" in the middle of the file.

from http://developer.gnome.org/gdk-pixbuf/unstable/gdk-pixbuf-Module-Interface.html#GdkPixbufModulePattern

Starting with gdk-pixbuf 2.8, the first byte of the mask may be '*', indicating an unanchored pattern that matches not only at the beginning, but also in the middle. Versions prior to 2.8 will interpret the '*' like an 'x'.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID
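
The unanchored-mask behaviour quoted in the last comment, as an added example that is not part of the original thread and is not gdk-pixbuf or librsvg code: a simplified C model of prefix/mask sniffing that handles only the ' ', 'x' and leading '*' mask characters. The two patterns and the sample file contents are constructed assumptions based on the reporter's description.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of a gdk-pixbuf module pattern. Mask characters modelled:
 * ' ' = byte must match, 'x' = don't care, leading '*' = unanchored. */
struct pattern { const char *prefix; const char *mask; };

/* Compare prefix/mask (from index skip) against buf at one fixed offset. */
static int match_at(const struct pattern *p, size_t skip,
                    const unsigned char *buf, size_t len, size_t off)
{
    size_t plen = strlen(p->prefix) - skip;
    if (len - off < plen)
        return 0;
    for (size_t i = 0; i < plen; i++)
        if (p->mask[skip + i] != 'x' &&
            buf[off + i] != (unsigned char)p->prefix[skip + i])
            return 0;
    return 1;
}

/* Returns 1 if this pattern would claim the sniffed bytes. */
int sniff_matches(const struct pattern *p, const unsigned char *buf, size_t len)
{
    if (p->mask[0] != '*')
        return match_at(p, 0, buf, len, 0);  /* anchored: offset 0 only */
    for (size_t off = 0; off <= len; off++)   /* unanchored: every offset */
        if (match_at(p, 1, buf, len, off))
            return 1;
    return 0;
}

/* Constructed patterns (assumptions, not copied from librsvg). */
const struct pattern svg_unanchored = { " <svg", "*    " };
const struct pattern svg_anchored   = { "<svg",  "    " };
/* Constructed sample following the reporter's description of bug.html. */
const char sample_html[] = "<!DOCTYPE html><html><head><style>false</style>"
                           "</head><body><svg></svg></body></html>";

int classify_sample(const struct pattern *p)
{
    return sniff_matches(p, (const unsigned char *)sample_html, strlen(sample_html));
}

int main(void)
{
    printf("unanchored: %d, anchored: %d\n",
           classify_sample(&svg_unanchored), classify_sample(&svg_anchored));
    return 0;
}
```

With the unanchored pattern the HTML sample is claimed as SVG and would be handed to the SVG loader from the file-picker preview path; with the anchored pattern it is not. A loader registered with an unanchored pattern therefore has to tolerate arbitrary non-SVG input around the matched bytes.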