User Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0a1) Gecko/20111018 Firefox/10.0a1 Build ID: 20111018031016 Steps to reproduce: *CRASH WARNING* Load http://backup42.zimfer.com/ *CRASH WARNING* Actual results: Crash. https://crash-stats.mozilla.com/report/index/bp-e921dc53-41d6-4a2f-b28d-1fb572111018 Expected results: Should not crash. This affects FF 9 & 10, SeaMonkey 2.6 & 2.7. FF 8 & SeaMonkey 2.5 are not affected.
Top frames: 0 xul.dll mozilla::imagelib::nsICODecoder::WriteInternal image/decoders/nsICODecoder.cpp:530 1 xul.dll mozilla::imagelib::RasterImage::WriteToDecoder image/src/RasterImage.cpp:2284 2 xul.dll mozilla::imagelib::RasterImage::DecodeSomeData image/src/RasterImage.cpp:2618 3 xul.dll mozilla::imagelib::imgDecodeWorker::Run image/src/RasterImage.cpp:2735 4 xul.dll mozilla::imagelib::RasterImage::AddSourceData image/src/RasterImage.cpp:1281 5 xul.dll mozilla::imagelib::RasterImage::WriteToRasterImage image/src/RasterImage.cpp:2833 6 xul.dll nsInputStreamTee::WriteSegmentFun xpcom/io/nsInputStreamTee.cpp:223 7 xul.dll nsPipeInputStream::ReadSegments xpcom/io/nsPipe3.cpp:799 8 xul.dll nsInputStreamTee::ReadSegments xpcom/io/nsInputStreamTee.cpp:276 9 xul.dll imgRequest::OnDataAvailable image/src/imgRequest.cpp:1149 10 xul.dll ProxyListener::OnDataAvailable image/src/imgLoader.cpp:2095 Apparently, bug 682568 fixed something in that code but there's still a crash left here.
CCing bbondy, who has worked on bug 682568.
Confirming crash on Windows. I also crash on Mac -> https://crash-stats.mozilla.com/report/index/bp-1996c682-c5c8-4f3e-90fe-a4c8f2111018
Regression window(cached m-c), Works: http://hg.mozilla.org/mozilla-central/rev/cc1e08803869 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110826 Firefox/9.0a1 ID:20110826004925 Fails: http://hg.mozilla.org/mozilla-central/rev/e8af0a8c3632 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110826 Firefox/9.0a1 ID:20110826092401 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cc1e08803869&tochange=e8af0a8c3632 Regression window(cached m-i), Works: http://hg.mozilla.org/integration/mozilla-inbound/rev/9f11fc87eaa6 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110825 Firefox/9.0a1 ID:20110825130335 Fails: http://hg.mozilla.org/integration/mozilla-inbound/rev/f097100df8aa Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110825 Firefox/9.0a1 ID:20110825131317 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9f11fc87eaa6&tochange=f097100df8aa Triggered by: 1f86f6af9434 Brian R. Bondy — Bug 600556 - Support Vista-style PNG ICO files. r=joe
No crash on 64-bit Linux for me, btw. Mozilla/5.0 (X11; Linux x86_64; rv:10.0a1) Gecko/20111019 Firefox/10.0a1
(In reply to Marcia Knous [:marcia] from comment #3) > Confirming crash on Windows. I also crash on Mac -> The mac crash-stack ( bp-1996c682-c5c8-4f3e-90fe-a4c8f2111018 ) is completely different -- I wonder why...
The problem was with the ICO: http://backup42.zimfer.com/backup42.ico The problem was with an invalid ICO width & height specified. Note: We didn't previously render the ICO from that that site correctly in any FF version, but that was better handling than crashing/memory corruption. The fix is coming soon which will both render it correctly and fix the crash. The fix is to use the bitmap information header width and height always over what we have in the ICO format. The spec says that you should use the contained resource info over the ICO info. > The mac crash-stack ( bp-1996c682-c5c8-4f3e-90fe-a4c8f2111018 ) is > completely different -- I wonder why... There was memory corruption so that is why.
Created attachment 568917 [details] [diff] [review] Fix for invalid ICO width causing crash The width in the ICO image was twice what it was supposed to be, this caused problems in the 'AND mask' of the ICO. Instead we should use the width of the contained BMP resource as the spec says. FF <= 8 didn't crash but didnt' display correctly. We now don't crash and also display correctly.
Created attachment 568918 [details] [diff] [review] reftests for ICOs with invalid wdith & height specified
Comment on attachment 568917 [details] [diff] [review] Fix for invalid ICO width causing crash Review of attachment 568917 [details] [diff] [review]: ----------------------------------------------------------------- ICO makes me sad :(
> ICO makes me sad :( Tell me about it :)
Pushed to try: https://tbpl.mozilla.org/?tree=Try&rev=eff544f5e248
Pushed to inbound: http://hg.mozilla.org/integration/mozilla-inbound/rev/6a4f90ea47ae http://hg.mozilla.org/integration/mozilla-inbound/rev/dd25b9224c76
https://hg.mozilla.org/mozilla-central/rev/6a4f90ea47ae https://hg.mozilla.org/mozilla-central/rev/dd25b9224c76
Comment on attachment 568917 [details] [diff] [review] Fix for invalid ICO width causing crash This is a fix for a crash that is a regression introduced with rewriting the ICO file format code. It happens when there is an invalid ICO file with a large wrong width in the ICO header, but the correct width is in the BMP header. I think it is important because anyone could create a webpage that crashes your browser with such an ICO file. Risk of causing further problems: medium-low I realize it is close to migration time so it may get processed after the migration. I would like to have this fix in v9 which is the first place it was introuced. It is already fixed in v10 Nightly today.
Comment on attachment 568917 [details] [diff] [review] Fix for invalid ICO width causing crash [triage comment] This looks like a good fix and would be a regression shipped in Fx9. Approved for aurora. Please land today if at all possible.
> Approved for aurora. Please land today if at all possible. Is this message for someone else? I've never landed on anything other than m-i and m-c.
Sorry last message was more for policy wise than for technically how to do it. I'm doing this push to aurora now, will update shortly.
Location of image lib has changed on that branch and also PRBool -> bool. I'm going to rebuild and test it before pushing to Aurora. So I'm not sure if the cut over will happen before I'm done. But I'm doing this now.
Pushed to Aurora: http://hg.mozilla.org/releases/mozilla-aurora/rev/9b37b23dbc4a
The issue is not reproducible on: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0a1) Gecko/20111121 Firefox/11.0a1 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0a2) Gecko/20111121 Firefox/10.0a2 Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0 Mozilla/5.0 (Windows NT 6.1; rv:11.0a1) Gecko/20111121 Firefox/11.0a1 Mozilla/5.0 (Windows NT 6.1; rv:10.0a2) Gecko/20111121 Firefox/10.0a2 Mozilla/5.0 (Windows NT 5.1; rv:9.0) Gecko/20100101 Firefox/9.0 Mozilla/5.0 (Windows NT 5.1; rv:11.0a1) Gecko/20111121 Firefox/11.0a1 Mozilla/5.0 (Windows NT 5.1; rv:10.0a2) Gecko/20111121 Firefox/10.0a2 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0a2) Gecko/20111121 Firefox/10.0a2 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1) Gecko/20111121 Firefox/11.0a1 Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0 Mozilla/5.0 (X11; Linux x86_64; rv:10.0a2) Gecko/20111121 Firefox/10.0a2 Mozilla/5.0 (X11; Linux x86_64; rv:11.0a1) Gecko/20111122 Firefox/11.0a1 Setting the resolution to verified fixed.
or
