Loading the web page http://backup42.zimfer.com/ crashes Gecko > 8

VERIFIED FIXED in Firefox 9

Status

()

Core
ImageLib
--
major
VERIFIED FIXED
6 years ago
5 years ago

People

(Reporter: therube, Assigned: bbondy)

Tracking

(5 keywords)

Trunk
mozilla9
crash, crashreportid, regression, verified-aurora, verified-beta
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox7 unaffected, firefox8 unaffected, firefox9- fixed, firefox10- fixed)

Details

(Whiteboard: [qa!], crash signature, URL)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0a1) Gecko/20111018 Firefox/10.0a1
Build ID: 20111018031016

Steps to reproduce:

 
*CRASH WARNING*

Load   http://backup42.zimfer.com/

*CRASH WARNING*
 


Actual results:

 
Crash.

https://crash-stats.mozilla.com/report/index/bp-e921dc53-41d6-4a2f-b28d-1fb572111018
 


Expected results:

 
Should not crash.

This affects FF 9 & 10, SeaMonkey 2.6 & 2.7.
FF 8 & SeaMonkey 2.5 are not affected.
(Reporter)

Updated

6 years ago
Severity: normal → major
Component: General → General
Product: Firefox → Core

Comment 1

6 years ago
Top frames:
0 	xul.dll 	mozilla::imagelib::nsICODecoder::WriteInternal 	image/decoders/nsICODecoder.cpp:530
1 	xul.dll 	mozilla::imagelib::RasterImage::WriteToDecoder 	image/src/RasterImage.cpp:2284
2 	xul.dll 	mozilla::imagelib::RasterImage::DecodeSomeData 	image/src/RasterImage.cpp:2618
3 	xul.dll 	mozilla::imagelib::imgDecodeWorker::Run 	image/src/RasterImage.cpp:2735
4 	xul.dll 	mozilla::imagelib::RasterImage::AddSourceData 	image/src/RasterImage.cpp:1281
5 	xul.dll 	mozilla::imagelib::RasterImage::WriteToRasterImage 	image/src/RasterImage.cpp:2833
6 	xul.dll 	nsInputStreamTee::WriteSegmentFun 	xpcom/io/nsInputStreamTee.cpp:223
7 	xul.dll 	nsPipeInputStream::ReadSegments 	xpcom/io/nsPipe3.cpp:799
8 	xul.dll 	nsInputStreamTee::ReadSegments 	xpcom/io/nsInputStreamTee.cpp:276
9 	xul.dll 	imgRequest::OnDataAvailable 	image/src/imgRequest.cpp:1149
10 	xul.dll 	ProxyListener::OnDataAvailable 	image/src/imgLoader.cpp:2095


Apparently, bug 682568 fixed something in that code but there's still a crash left here.
Component: General → ImageLib
QA Contact: general → imagelib

Comment 2

6 years ago
CCing bbondy, who has worked on bug 682568.
Crash Signature: [@ mozilla::imagelib::nsICODecoder::WriteInternal(char const*, unsigned int) ]
Confirming crash on Windows. I also crash on Mac ->  https://crash-stats.mozilla.com/report/index/bp-1996c682-c5c8-4f3e-90fe-a4c8f2111018
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: x86 → All

Comment 4

6 years ago
Regression window(cached m-c),
Works:
http://hg.mozilla.org/mozilla-central/rev/cc1e08803869
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110826 Firefox/9.0a1 ID:20110826004925
Fails:
http://hg.mozilla.org/mozilla-central/rev/e8af0a8c3632
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110826 Firefox/9.0a1 ID:20110826092401
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cc1e08803869&tochange=e8af0a8c3632


Regression window(cached m-i),
Works:
http://hg.mozilla.org/integration/mozilla-inbound/rev/9f11fc87eaa6
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110825 Firefox/9.0a1 ID:20110825130335
Fails:
http://hg.mozilla.org/integration/mozilla-inbound/rev/f097100df8aa
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110825 Firefox/9.0a1 ID:20110825131317
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9f11fc87eaa6&tochange=f097100df8aa

Triggered by:
1f86f6af9434	Brian R. Bondy — Bug 600556 - Support Vista-style PNG ICO files. r=joe
(Assignee)

Updated

6 years ago
Assignee: nobody → netzen
No crash on 64-bit Linux for me, btw.
Mozilla/5.0 (X11; Linux x86_64; rv:10.0a1) Gecko/20111019 Firefox/10.0a1
Version: 10 Branch → Trunk
status-firefox7: --- → unaffected
status-firefox8: --- → unaffected
tracking-firefox10: --- → ?
tracking-firefox9: --- → ?
Keywords: regression
Keywords: crash, crashreportid
(In reply to Marcia Knous [:marcia] from comment #3)
> Confirming crash on Windows. I also crash on Mac -> 
The mac crash-stack ( bp-1996c682-c5c8-4f3e-90fe-a4c8f2111018 ) is completely different -- I wonder why...
(Assignee)

Comment 7

6 years ago
The problem was with the ICO: 
http://backup42.zimfer.com/backup42.ico

The problem was with an invalid ICO width & height specified. 
Note: We didn't previously render the ICO from that that site correctly in any FF version, but that was better handling than crashing/memory corruption.

The fix is coming soon which will both render it correctly and fix the crash.
The fix is to use the bitmap information header width and height always over what we have in the ICO format.  The spec says that you should use the contained resource info over the ICO info.

> The mac crash-stack ( bp-1996c682-c5c8-4f3e-90fe-a4c8f2111018 ) is 
> completely different -- I wonder why...

There was memory corruption so that is why.
(Assignee)

Updated

6 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 8

6 years ago
Created attachment 568917 [details] [diff] [review]
Fix for invalid ICO width causing crash

The width in the ICO image was twice what it was supposed to be, this caused problems in the 'AND mask' of the ICO.  Instead we should use the width of the contained BMP resource as the spec says.  FF <= 8 didn't crash but didnt' display correctly.  We now don't crash and also display correctly.
Attachment #568917 - Flags: review?(joe)
(Assignee)

Comment 9

6 years ago
Created attachment 568918 [details] [diff] [review]
reftests for ICOs with invalid wdith & height specified
Attachment #568918 - Flags: review?(joe)
Comment on attachment 568917 [details] [diff] [review]
Fix for invalid ICO width causing crash

Review of attachment 568917 [details] [diff] [review]:
-----------------------------------------------------------------

ICO makes me sad :(
Attachment #568917 - Flags: review?(joe) → review+
Attachment #568918 - Flags: review?(joe) → review+
(Assignee)

Comment 11

6 years ago
> ICO makes me sad :(

Tell me about it :)
(Assignee)

Comment 12

6 years ago
Pushed to try:
https://tbpl.mozilla.org/?tree=Try&rev=eff544f5e248
(Assignee)

Updated

6 years ago
Target Milestone: --- → mozilla10
(Assignee)

Comment 13

6 years ago
Pushed to inbound:
http://hg.mozilla.org/integration/mozilla-inbound/rev/6a4f90ea47ae
http://hg.mozilla.org/integration/mozilla-inbound/rev/dd25b9224c76
(Assignee)

Updated

6 years ago
Flags: in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/6a4f90ea47ae
https://hg.mozilla.org/mozilla-central/rev/dd25b9224c76
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
status-firefox10: --- → fixed
Resolution: --- → FIXED
(Assignee)

Comment 15

6 years ago
Comment on attachment 568917 [details] [diff] [review]
Fix for invalid ICO width causing crash

This is a fix for a crash that is a regression introduced with rewriting the ICO file format code.  It happens when there is an invalid ICO file with a large wrong width in the ICO header, but the correct width is in the BMP header.
I think it is important because anyone could create a webpage that crashes your browser with such an ICO file.

Risk of causing further problems: medium-low

I realize it is close to migration time so it may get processed after the migration. I would like to have this fix in v9 which is the first place it was introuced.  It is already fixed in v10 Nightly today.
Attachment #568917 - Flags: approval-mozilla-aurora?

Comment 16

6 years ago
Comment on attachment 568917 [details] [diff] [review]
Fix for invalid ICO width causing crash

[triage comment]

This looks like a good fix and would be a regression shipped in Fx9. Approved for aurora. Please land today if at all possible.
Attachment #568917 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 17

6 years ago
> Approved for aurora. Please land today if at all possible.

Is this message for someone else? I've never landed on anything other than m-i and m-c.
(Assignee)

Comment 18

6 years ago
Sorry last message was more for policy wise than for technically how to do it.
I'm doing this push to aurora now, will update shortly.
(Assignee)

Comment 19

6 years ago
Location of image lib has changed on that branch and also PRBool -> bool.  I'm going to rebuild and test it before pushing to Aurora.  So I'm not sure if the cut over will happen before I'm done.  But I'm doing this now.
(Assignee)

Comment 20

6 years ago
Pushed to Aurora:
http://hg.mozilla.org/releases/mozilla-aurora/rev/9b37b23dbc4a
(Assignee)

Updated

6 years ago
Target Milestone: mozilla10 → mozilla9
(Assignee)

Updated

6 years ago
status-firefox9: --- → fixed
Whiteboard: [qa+]
The issue is not reproducible on:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0a1) Gecko/20111121 Firefox/11.0a1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0a2) Gecko/20111121 Firefox/10.0a2

Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Windows NT 6.1; rv:11.0a1) Gecko/20111121 Firefox/11.0a1
Mozilla/5.0 (Windows NT 6.1; rv:10.0a2) Gecko/20111121 Firefox/10.0a2

Mozilla/5.0 (Windows NT 5.1; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Windows NT 5.1; rv:11.0a1) Gecko/20111121 Firefox/11.0a1
Mozilla/5.0 (Windows NT 5.1; rv:10.0a2) Gecko/20111121 Firefox/10.0a2

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0a2) Gecko/20111121 Firefox/10.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1) Gecko/20111121 Firefox/11.0a1

Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (X11; Linux x86_64; rv:10.0a2) Gecko/20111121 Firefox/10.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:11.0a1) Gecko/20111122 Firefox/11.0a1

Setting the resolution to verified fixed.

Updated

6 years ago
Status: RESOLVED → VERIFIED

Updated

6 years ago
Keywords: verified-aurora, verified-beta
Whiteboard: [qa+] → [qa!]

Updated

6 years ago
tracking-firefox10: ? → -
tracking-firefox9: ? → -
(Assignee)

Updated

5 years ago
Depends on: 775794
You need to log in before you can comment on or make changes to this bug.