Closed
Bug 704512
Opened 13 years ago
Closed 13 years ago
nsBMPDecoder::WriteInternal: Conditional jump or move depends on uninitialised value(s)
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
People
(Reporter: jaas, Assigned: joe)
Details
Seen while running a Firefox trunk x86_64 build under valgrind on Mac OS X 10.6.

==97971== Conditional jump or move depends on uninitialised value(s)
==97971==    at 0x107456134: mozilla::imagelib::nsBMPDecoder::WriteInternal(char const*, unsigned int) (nsBMPDecoder.cpp:424)
==97971==    by 0x1074172EB: mozilla::imagelib::Decoder::Write(char const*, unsigned int) (Decoder.cpp:112)
==97971==    by 0x1074580F2: mozilla::imagelib::nsICODecoder::WriteInternal(char const*, unsigned int) (nsICODecoder.cpp:448)
==97971==    by 0x1074172EB: mozilla::imagelib::Decoder::Write(char const*, unsigned int) (Decoder.cpp:112)
==97971==    by 0x10741CA0D: mozilla::imagelib::RasterImage::WriteToDecoder(char const*, unsigned int) (RasterImage.cpp:2365)
==97971==    by 0x10741CD32: mozilla::imagelib::RasterImage::DecodeSomeData(unsigned int) (RasterImage.cpp:2695)
==97971==    by 0x10741D08E: mozilla::imagelib::imgDecodeWorker::Run() (RasterImage.cpp:2814)
==97971==    by 0x10741E9A7: mozilla::imagelib::RasterImage::AddSourceData(char const*, unsigned int) (RasterImage.cpp:1491)
==97971==    by 0x10741EEA2: mozilla::imagelib::RasterImage::WriteToRasterImage(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) (RasterImage.cpp:2912)
==97971==    by 0x10893033F: nsPipeInputStream::ReadSegments(unsigned int (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) (nsPipe3.cpp:799)
==97971==    by 0x10744623B: imgRequest::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int) (imgRequest.cpp:1166)
==97971==    by 0x10742B959: ProxyListener::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int) (imgLoader.cpp:2090)

Marking as security-sensitive to be safe, hopefully it isn't necessary though.
Comment 1•13 years ago
Frig. Thought I'd responded to this before. Running with --track-origins would help; alternately, a reproducible testcase :)
The three pages I loaded under valgrind when I got this were: 1) the Mozilla nightly build home page 2) w3.org 3) espn.com
Comment 3•13 years ago
Looks like mBIH is uninitialized here, I don't see the constructor initializing any of its members.
Comment 4•13 years ago
mBIH is used all over here. Mostly just integer value setting but could any of the paths taken lead to a mistaken assumed length?
Assignee: nobody → joe
Whiteboard: [sg:critical]
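An added illustration of the pattern Comments 3 and 4 discuss, not Mozilla's code: a chunk-fed decoder that value-initialises its header struct in the constructor and refuses to derive a length until the full header has arrived. `StreamDecoder`, `InfoHeader`, the 10-byte header layout and `kMaxDim` are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical, simplified streaming decoder; not Mozilla's nsBMPDecoder.
struct InfoHeader {                 // stand-in for a header struct such as mBIH
    uint32_t width, height;
    uint16_t bpp;
};

class StreamDecoder {
public:
    static const size_t kHeaderLen = 10;     // assumed layout: u32 width, u32 height, u16 bpp (LE)
    static const uint32_t kMaxDim = 0xFFFF;  // assumed sanity limit
    // Value-initialise every member. Without "mHdr()" the fields hold
    // indeterminate values until the whole header has been received.
    StreamDecoder() : mHdr(), mRaw(), mPos(0) {}
    // Data arrives in arbitrary chunks, as it does from the network.
    void Write(const uint8_t* buf, size_t len) {
        while (len > 0 && mPos < kHeaderLen) { mRaw[mPos++] = *buf++; --len; }
        if (mPos < kHeaderLen) return;        // header still incomplete
        mHdr.width  = Le32(mRaw);
        mHdr.height = Le32(mRaw + 4);
        mHdr.bpp    = static_cast<uint16_t>(mRaw[8] | (mRaw[9] << 8));
    }
    // Length derived from header fields: 0 until the header is complete and plausible.
    size_t RowBytes() const {
        if (mPos < kHeaderLen) return 0;
        if (mHdr.bpp != 24 && mHdr.bpp != 32) return 0;
        if (mHdr.width == 0 || mHdr.width > kMaxDim) return 0;
        return (static_cast<size_t>(mHdr.width) * mHdr.bpp + 31) / 32 * 4;  // rows pad to 4 bytes
    }
private:
    static uint32_t Le32(const uint8_t* p) {
        return p[0] | (p[1] << 8) | (p[2] << 16) | (static_cast<uint32_t>(p[3]) << 24);
    }
    InfoHeader mHdr;
    uint8_t mRaw[kHeaderLen];
    size_t mPos;
};

// Constructed sample header: width=3, height=2, bpp=24.
static const uint8_t kSample[10] = {3, 0, 0, 0, 2, 0, 0, 0, 24, 0};
// Feeds the first n bytes of kSample one byte at a time and returns RowBytes().
size_t RowBytesAfter(size_t n) {
    StreamDecoder d;
    for (size_t i = 0; i < n; ++i) d.Write(kSample + i, 1);
    return d.RowBytes();
}
```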
Updated•13 years ago
status-firefox10:
--- → affected
status-firefox11:
--- → affected
status-firefox8:
--- → wontfix
status-firefox9:
--- → wontfix
tracking-firefox10:
--- → +
tracking-firefox11:
--- → +
tracking-firefox8:
--- → -
tracking-firefox9:
--- → -
Comment 5•13 years ago
Joe, any updates here, this one's been sitting for quite a while...
Updated•13 years ago
Comment 6•13 years ago
This looks exactly the same as another bug that Brian fixed a little while back.
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated•13 years ago
Whiteboard: [sg:critical]
Updated•12 years ago
Updated•9 years ago
Keywords: testcase-wanted