Closed
Bug 695421
Opened 13 years ago
Closed 13 years ago
Loading the web page http://backup42.zimfer.com/ crashes Gecko > 8
Categories
(Core :: Graphics: ImageLib, defect)
Core
Graphics: ImageLib
Tracking
()
VERIFIED
FIXED
mozilla9
Tracking | Status | |
---|---|---|
firefox7 | --- | unaffected |
firefox8 | --- | unaffected |
firefox9 | - | fixed |
firefox10 | - | fixed |
People
(Reporter: therubex, Assigned: bbondy)
References
()
Details
(5 keywords, Whiteboard: [qa!])
Crash Data
Attachments
(2 files)
4.75 KB,
patch
|
joe
:
review+
christian
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
4.71 KB,
patch
|
joe
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0a1) Gecko/20111018 Firefox/10.0a1 Build ID: 20111018031016 Steps to reproduce: *CRASH WARNING* Load http://backup42.zimfer.com/ *CRASH WARNING* Actual results: Crash. https://crash-stats.mozilla.com/report/index/bp-e921dc53-41d6-4a2f-b28d-1fb572111018 Expected results: Should not crash. This affects FF 9 & 10, SeaMonkey 2.6 & 2.7. FF 8 & SeaMonkey 2.5 are not affected.
Comment 1•13 years ago
|
||
Top frames: 0 xul.dll mozilla::imagelib::nsICODecoder::WriteInternal image/decoders/nsICODecoder.cpp:530 1 xul.dll mozilla::imagelib::RasterImage::WriteToDecoder image/src/RasterImage.cpp:2284 2 xul.dll mozilla::imagelib::RasterImage::DecodeSomeData image/src/RasterImage.cpp:2618 3 xul.dll mozilla::imagelib::imgDecodeWorker::Run image/src/RasterImage.cpp:2735 4 xul.dll mozilla::imagelib::RasterImage::AddSourceData image/src/RasterImage.cpp:1281 5 xul.dll mozilla::imagelib::RasterImage::WriteToRasterImage image/src/RasterImage.cpp:2833 6 xul.dll nsInputStreamTee::WriteSegmentFun xpcom/io/nsInputStreamTee.cpp:223 7 xul.dll nsPipeInputStream::ReadSegments xpcom/io/nsPipe3.cpp:799 8 xul.dll nsInputStreamTee::ReadSegments xpcom/io/nsInputStreamTee.cpp:276 9 xul.dll imgRequest::OnDataAvailable image/src/imgRequest.cpp:1149 10 xul.dll ProxyListener::OnDataAvailable image/src/imgLoader.cpp:2095 Apparently, bug 682568 fixed something in that code but there's still a crash left here.
Component: General → ImageLib
QA Contact: general → imagelib
Comment 2•13 years ago
|
||
CCing bbondy, who has worked on bug 682568.
Updated•13 years ago
|
Crash Signature: [@ mozilla::imagelib::nsICODecoder::WriteInternal(char const*, unsigned int) ]
Comment 3•13 years ago
|
||
Confirming crash on Windows. I also crash on Mac -> https://crash-stats.mozilla.com/report/index/bp-1996c682-c5c8-4f3e-90fe-a4c8f2111018
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: x86 → All
Comment 4•13 years ago
|
||
Regression window(cached m-c), Works: http://hg.mozilla.org/mozilla-central/rev/cc1e08803869 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110826 Firefox/9.0a1 ID:20110826004925 Fails: http://hg.mozilla.org/mozilla-central/rev/e8af0a8c3632 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110826 Firefox/9.0a1 ID:20110826092401 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cc1e08803869&tochange=e8af0a8c3632 Regression window(cached m-i), Works: http://hg.mozilla.org/integration/mozilla-inbound/rev/9f11fc87eaa6 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110825 Firefox/9.0a1 ID:20110825130335 Fails: http://hg.mozilla.org/integration/mozilla-inbound/rev/f097100df8aa Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110825 Firefox/9.0a1 ID:20110825131317 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9f11fc87eaa6&tochange=f097100df8aa Triggered by: 1f86f6af9434 Brian R. Bondy — Bug 600556 - Support Vista-style PNG ICO files. r=joe
Assignee | ||
Updated•13 years ago
|
Assignee: nobody → netzen
Updated•13 years ago
|
Comment 5•13 years ago
|
||
No crash on 64-bit Linux for me, btw. Mozilla/5.0 (X11; Linux x86_64; rv:10.0a1) Gecko/20111019 Firefox/10.0a1
Version: 10 Branch → Trunk
Updated•13 years ago
|
status-firefox7:
--- → unaffected
status-firefox8:
--- → unaffected
tracking-firefox10:
--- → ?
tracking-firefox9:
--- → ?
Keywords: regression
Updated•13 years ago
|
Keywords: crash,
crashreportid
Comment 6•13 years ago
|
||
(In reply to Marcia Knous [:marcia] from comment #3) > Confirming crash on Windows. I also crash on Mac -> The mac crash-stack ( bp-1996c682-c5c8-4f3e-90fe-a4c8f2111018 ) is completely different -- I wonder why...
Assignee | ||
Comment 7•13 years ago
|
||
The problem was with the ICO: http://backup42.zimfer.com/backup42.ico The problem was with an invalid ICO width & height specified. Note: We didn't previously render the ICO from that that site correctly in any FF version, but that was better handling than crashing/memory corruption. The fix is coming soon which will both render it correctly and fix the crash. The fix is to use the bitmap information header width and height always over what we have in the ICO format. The spec says that you should use the contained resource info over the ICO info. > The mac crash-stack ( bp-1996c682-c5c8-4f3e-90fe-a4c8f2111018 ) is > completely different -- I wonder why... There was memory corruption so that is why.
Assignee | ||
Updated•13 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 8•13 years ago
|
||
The width in the ICO image was twice what it was supposed to be, this caused problems in the 'AND mask' of the ICO. Instead we should use the width of the contained BMP resource as the spec says. FF <= 8 didn't crash but didnt' display correctly. We now don't crash and also display correctly.
Attachment #568917 -
Flags: review?(joe)
Assignee | ||
Comment 9•13 years ago
|
||
Attachment #568918 -
Flags: review?(joe)
Comment 10•13 years ago
|
||
Comment on attachment 568917 [details] [diff] [review] Fix for invalid ICO width causing crash Review of attachment 568917 [details] [diff] [review]: ----------------------------------------------------------------- ICO makes me sad :(
Attachment #568917 -
Flags: review?(joe) → review+
Updated•13 years ago
|
Attachment #568918 -
Flags: review?(joe) → review+
Assignee | ||
Comment 11•13 years ago
|
||
> ICO makes me sad :(
Tell me about it :)
Assignee | ||
Comment 12•13 years ago
|
||
Pushed to try: https://tbpl.mozilla.org/?tree=Try&rev=eff544f5e248
Assignee | ||
Updated•13 years ago
|
Target Milestone: --- → mozilla10
Assignee | ||
Comment 13•13 years ago
|
||
Pushed to inbound: http://hg.mozilla.org/integration/mozilla-inbound/rev/6a4f90ea47ae http://hg.mozilla.org/integration/mozilla-inbound/rev/dd25b9224c76
Assignee | ||
Updated•13 years ago
|
Flags: in-testsuite+
Comment 14•13 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/6a4f90ea47ae https://hg.mozilla.org/mozilla-central/rev/dd25b9224c76
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
status-firefox10:
--- → fixed
Resolution: --- → FIXED
Assignee | ||
Comment 15•13 years ago
|
||
Comment on attachment 568917 [details] [diff] [review] Fix for invalid ICO width causing crash This is a fix for a crash that is a regression introduced with rewriting the ICO file format code. It happens when there is an invalid ICO file with a large wrong width in the ICO header, but the correct width is in the BMP header. I think it is important because anyone could create a webpage that crashes your browser with such an ICO file. Risk of causing further problems: medium-low I realize it is close to migration time so it may get processed after the migration. I would like to have this fix in v9 which is the first place it was introuced. It is already fixed in v10 Nightly today.
Attachment #568917 -
Flags: approval-mozilla-aurora?
Comment 16•13 years ago
|
||
Comment on attachment 568917 [details] [diff] [review] Fix for invalid ICO width causing crash [triage comment] This looks like a good fix and would be a regression shipped in Fx9. Approved for aurora. Please land today if at all possible.
Attachment #568917 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 17•13 years ago
|
||
> Approved for aurora. Please land today if at all possible.
Is this message for someone else? I've never landed on anything other than m-i and m-c.
Assignee | ||
Comment 18•13 years ago
|
||
Sorry last message was more for policy wise than for technically how to do it. I'm doing this push to aurora now, will update shortly.
Assignee | ||
Comment 19•13 years ago
|
||
Location of image lib has changed on that branch and also PRBool -> bool. I'm going to rebuild and test it before pushing to Aurora. So I'm not sure if the cut over will happen before I'm done. But I'm doing this now.
Assignee | ||
Comment 20•13 years ago
|
||
Pushed to Aurora: http://hg.mozilla.org/releases/mozilla-aurora/rev/9b37b23dbc4a
Assignee | ||
Updated•13 years ago
|
Target Milestone: mozilla10 → mozilla9
Assignee | ||
Updated•13 years ago
|
status-firefox9:
--- → fixed
Comment 21•13 years ago
|
||
The issue is not reproducible on: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0a1) Gecko/20111121 Firefox/11.0a1 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0a2) Gecko/20111121 Firefox/10.0a2 Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0 Mozilla/5.0 (Windows NT 6.1; rv:11.0a1) Gecko/20111121 Firefox/11.0a1 Mozilla/5.0 (Windows NT 6.1; rv:10.0a2) Gecko/20111121 Firefox/10.0a2 Mozilla/5.0 (Windows NT 5.1; rv:9.0) Gecko/20100101 Firefox/9.0 Mozilla/5.0 (Windows NT 5.1; rv:11.0a1) Gecko/20111121 Firefox/11.0a1 Mozilla/5.0 (Windows NT 5.1; rv:10.0a2) Gecko/20111121 Firefox/10.0a2 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0a2) Gecko/20111121 Firefox/10.0a2 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1) Gecko/20111121 Firefox/11.0a1 Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0 Mozilla/5.0 (X11; Linux x86_64; rv:10.0a2) Gecko/20111121 Firefox/10.0a2 Mozilla/5.0 (X11; Linux x86_64; rv:11.0a1) Gecko/20111122 Firefox/11.0a1 Setting the resolution to verified fixed.
Keywords: verified-aurora,
verified-beta
Whiteboard: [qa+] → [qa!]
Updated•13 years ago
|
Assignee | ||
Updated•12 years ago
|
Depends on: CVE-2012-3966
You need to log in
before you can comment on or make changes to this bug.
Description
•