Closed Bug 695421 Opened 13 years ago Closed 13 years ago

Loading the web page http://backup42.zimfer.com/ crashes Gecko > 8

Categories

(Core :: Graphics: ImageLib, defect)

Product:
Core
Component:
Graphics: ImageLib
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla9
Tracking Flags:
Tracking Status
firefox7 --- unaffected
firefox8 --- unaffected
firefox9 - fixed
firefox10 - fixed

People

(Reporter: therubex, Assigned: bbondy)

References

(
URL
)

Details

(5 keywords, Whiteboard: [qa!])

Crash Data

Attachments

(2 files)

Fix for invalid ICO width causing crash
4.75 KB, patch
joe
: review+
christian
: approval-mozilla-aurora+
Details | Diff | Splinter Review
reftests for ICOs with invalid wdith & height specified
4.71 KB, patch
joe
: review+
Details | Diff | Splinter Review 
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0a1) Gecko/20111018 Firefox/10.0a1
Build ID: 20111018031016

Steps to reproduce:

 
*CRASH WARNING*

Load   http://backup42.zimfer.com/

*CRASH WARNING*
 


Actual results:

 
Crash.

https://crash-stats.mozilla.com/report/index/bp-e921dc53-41d6-4a2f-b28d-1fb572111018
 


Expected results:

 
Should not crash.

This affects FF 9 & 10, SeaMonkey 2.6 & 2.7.
FF 8 & SeaMonkey 2.5 are not affected.
Severity: normal → major
Product: Firefox → Core
Top frames:
0 	xul.dll 	mozilla::imagelib::nsICODecoder::WriteInternal 	image/decoders/nsICODecoder.cpp:530
1 	xul.dll 	mozilla::imagelib::RasterImage::WriteToDecoder 	image/src/RasterImage.cpp:2284
2 	xul.dll 	mozilla::imagelib::RasterImage::DecodeSomeData 	image/src/RasterImage.cpp:2618
3 	xul.dll 	mozilla::imagelib::imgDecodeWorker::Run 	image/src/RasterImage.cpp:2735
4 	xul.dll 	mozilla::imagelib::RasterImage::AddSourceData 	image/src/RasterImage.cpp:1281
5 	xul.dll 	mozilla::imagelib::RasterImage::WriteToRasterImage 	image/src/RasterImage.cpp:2833
6 	xul.dll 	nsInputStreamTee::WriteSegmentFun 	xpcom/io/nsInputStreamTee.cpp:223
7 	xul.dll 	nsPipeInputStream::ReadSegments 	xpcom/io/nsPipe3.cpp:799
8 	xul.dll 	nsInputStreamTee::ReadSegments 	xpcom/io/nsInputStreamTee.cpp:276
9 	xul.dll 	imgRequest::OnDataAvailable 	image/src/imgRequest.cpp:1149
10 	xul.dll 	ProxyListener::OnDataAvailable 	image/src/imgLoader.cpp:2095


Apparently, bug 682568 fixed something in that code but there's still a crash left here.
Component: General → ImageLib
QA Contact: general → imagelib
CCing bbondy, who has worked on bug 682568.
Crash Signature: [@ mozilla::imagelib::nsICODecoder::WriteInternal(char const*, unsigned int) ]
Confirming crash on Windows. I also crash on Mac ->  https://crash-stats.mozilla.com/report/index/bp-1996c682-c5c8-4f3e-90fe-a4c8f2111018
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: x86 → All
Regression window(cached m-c),
Works:
http://hg.mozilla.org/mozilla-central/rev/cc1e08803869
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110826 Firefox/9.0a1 ID:20110826004925
Fails:
http://hg.mozilla.org/mozilla-central/rev/e8af0a8c3632
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110826 Firefox/9.0a1 ID:20110826092401
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cc1e08803869&tochange=e8af0a8c3632


Regression window(cached m-i),
Works:
http://hg.mozilla.org/integration/mozilla-inbound/rev/9f11fc87eaa6
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110825 Firefox/9.0a1 ID:20110825130335
Fails:
http://hg.mozilla.org/integration/mozilla-inbound/rev/f097100df8aa
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110825 Firefox/9.0a1 ID:20110825131317
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9f11fc87eaa6&tochange=f097100df8aa

Triggered by:
1f86f6af9434	Brian R. Bondy — Bug 600556 - Support Vista-style PNG ICO files. r=joe
Assignee: nobody → netzen
No crash on 64-bit Linux for me, btw.
Mozilla/5.0 (X11; Linux x86_64; rv:10.0a1) Gecko/20111019 Firefox/10.0a1
Version: 10 Branch → Trunk
(In reply to Marcia Knous [:marcia] from comment #3)
> Confirming crash on Windows. I also crash on Mac -> 
The mac crash-stack ( bp-1996c682-c5c8-4f3e-90fe-a4c8f2111018 ) is completely different -- I wonder why...
The problem was with the ICO: 
http://backup42.zimfer.com/backup42.ico

The problem was with an invalid ICO width & height specified. 
Note: We didn't previously render the ICO from that that site correctly in any FF version, but that was better handling than crashing/memory corruption.

The fix is coming soon which will both render it correctly and fix the crash.
The fix is to use the bitmap information header width and height always over what we have in the ICO format.  The spec says that you should use the contained resource info over the ICO info.

> The mac crash-stack ( bp-1996c682-c5c8-4f3e-90fe-a4c8f2111018 ) is 
> completely different -- I wonder why...

There was memory corruption so that is why.
Status: NEW → ASSIGNED
The width in the ICO image was twice what it was supposed to be, this caused problems in the 'AND mask' of the ICO.  Instead we should use the width of the contained BMP resource as the spec says.  FF <= 8 didn't crash but didnt' display correctly.  We now don't crash and also display correctly.
Attachment #568917 - Flags: review?(joe)
Comment on attachment 568917 [details] [diff] [review]
Fix for invalid ICO width causing crash

Review of attachment 568917 [details] [diff] [review]:
-----------------------------------------------------------------

ICO makes me sad :(
Attachment #568917 - Flags: review?(joe) → review+
Attachment #568918 - Flags: review?(joe) → review+
> ICO makes me sad :(

Tell me about it :)
Target Milestone: --- → mozilla10
Flags: in-testsuite+
Comment on attachment 568917 [details] [diff] [review]
Fix for invalid ICO width causing crash

This is a fix for a crash that is a regression introduced with rewriting the ICO file format code.  It happens when there is an invalid ICO file with a large wrong width in the ICO header, but the correct width is in the BMP header.
I think it is important because anyone could create a webpage that crashes your browser with such an ICO file.

Risk of causing further problems: medium-low

I realize it is close to migration time so it may get processed after the migration. I would like to have this fix in v9 which is the first place it was introuced.  It is already fixed in v10 Nightly today.
Attachment #568917 - Flags: approval-mozilla-aurora?
Comment on attachment 568917 [details] [diff] [review]
Fix for invalid ICO width causing crash

[triage comment]

This looks like a good fix and would be a regression shipped in Fx9. Approved for aurora. Please land today if at all possible.
Attachment #568917 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
> Approved for aurora. Please land today if at all possible.

Is this message for someone else? I've never landed on anything other than m-i and m-c.
Sorry last message was more for policy wise than for technically how to do it.
I'm doing this push to aurora now, will update shortly.
Location of image lib has changed on that branch and also PRBool -> bool.  I'm going to rebuild and test it before pushing to Aurora.  So I'm not sure if the cut over will happen before I'm done.  But I'm doing this now.
Target Milestone: mozilla10 → mozilla9
status-firefox9: --- → fixed
Whiteboard: [qa+]
The issue is not reproducible on:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0a1) Gecko/20111121 Firefox/11.0a1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0a2) Gecko/20111121 Firefox/10.0a2

Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Windows NT 6.1; rv:11.0a1) Gecko/20111121 Firefox/11.0a1
Mozilla/5.0 (Windows NT 6.1; rv:10.0a2) Gecko/20111121 Firefox/10.0a2

Mozilla/5.0 (Windows NT 5.1; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Windows NT 5.1; rv:11.0a1) Gecko/20111121 Firefox/11.0a1
Mozilla/5.0 (Windows NT 5.1; rv:10.0a2) Gecko/20111121 Firefox/10.0a2

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0a2) Gecko/20111121 Firefox/10.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1) Gecko/20111121 Firefox/11.0a1

Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (X11; Linux x86_64; rv:10.0a2) Gecko/20111121 Firefox/10.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:11.0a1) Gecko/20111122 Firefox/11.0a1

Setting the resolution to verified fixed.
Status: RESOLVED → VERIFIED
Keywords: verified-aurora, verified-beta
Whiteboard: [qa+] → [qa!]
Depends on: CVE-2012-3966
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: