nsBMPDecoder::WriteInternal: Conditional jump or move depends on uninitialised value(s)

Status: RESOLVED DUPLICATE of bug 687982
Product / Component: Core / ImageLib
Reported: 6 years ago; last changed: 2 years ago

People: Reporter: Josh Aas; Assigned: Joe Drew (not getting mail)

Tracking: Trunk, x86_64, Mac OS X

Firefox Tracking Flags: firefox8- wontfix, firefox9- wontfix, firefox10+ affected, firefox11- fixed, firefox12- fixed

Details

Description (Reporter, 6 years ago)

Seen while running a Firefox trunk x86_64 build under valgrind on Mac OS X 10.6.

==97971== Conditional jump or move depends on uninitialised value(s)
==97971==    at 0x107456134: mozilla::imagelib::nsBMPDecoder::WriteInternal(char const*, unsigned int) (nsBMPDecoder.cpp:424)
==97971==    by 0x1074172EB: mozilla::imagelib::Decoder::Write(char const*, unsigned int) (Decoder.cpp:112)
==97971==    by 0x1074580F2: mozilla::imagelib::nsICODecoder::WriteInternal(char const*, unsigned int) (nsICODecoder.cpp:448)
==97971==    by 0x1074172EB: mozilla::imagelib::Decoder::Write(char const*, unsigned int) (Decoder.cpp:112)
==97971==    by 0x10741CA0D: mozilla::imagelib::RasterImage::WriteToDecoder(char const*, unsigned int) (RasterImage.cpp:2365)
==97971==    by 0x10741CD32: mozilla::imagelib::RasterImage::DecodeSomeData(unsigned int) (RasterImage.cpp:2695)
==97971==    by 0x10741D08E: mozilla::imagelib::imgDecodeWorker::Run() (RasterImage.cpp:2814)
==97971==    by 0x10741E9A7: mozilla::imagelib::RasterImage::AddSourceData(char const*, unsigned int) (RasterImage.cpp:1491)
==97971==    by 0x10741EEA2: mozilla::imagelib::RasterImage::WriteToRasterImage(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) (RasterImage.cpp:2912)
==97971==    by 0x10893033F: nsPipeInputStream::ReadSegments(unsigned int (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) (nsPipe3.cpp:799)
==97971==    by 0x10744623B: imgRequest::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int) (imgRequest.cpp:1166)
==97971==    by 0x10742B959: ProxyListener::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int) (imgLoader.cpp:2090)

Marking as security-sensitive to be safe, hopefully it isn't necessary though.

Comment 1 (Assignee, 6 years ago)

Frig. Thought I'd responded to this before.

Running with --track-origins would help; alternately, a reproducible testcase :)

Comment 2 (Reporter, 6 years ago)

The three pages I loaded under valgrind when I got this were:

1) the Mozilla nightly build home page
2) w3.org
3) espn.com

Looks like mBIH is uninitialized here; I don't see the constructor initializing any of its members.
mBIH is used all over here. Mostly just integer value setting, but could any of the paths taken lead to a mistaken assumed length?
Assignee: nobody → joe
Whiteboard: [sg:critical]
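An added illustration of the pattern Comment 2 is worried about and the usual remedy; this is not Firefox's nsBMPDecoder code, and the cut-down BIH struct, the class and all field names are hypothetical. A streaming decoder value-initialises its info-header struct in the constructor, leaves it untouched until the whole header has arrived, validates the fields, and only then derives a length from them.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical cut-down BMP info header; the real mBIH has many more fields.
struct BIH {
    int32_t  width;
    int32_t  height;
    uint16_t planes;
    uint16_t bpp;   // bits per pixel
};
static const size_t kHeaderLen = 12;  // bytes of BIH on the wire (little-endian)

static uint32_t LE32(const unsigned char* p) { return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24; }
static uint16_t LE16(const unsigned char* p) { return uint16_t(p[0] | p[1] << 8); }

class BmpDecoderExample {
public:
    // mBIH{} value-initialises every field to zero, so an early read yields a defined, rejected value.
    BmpDecoderExample() : mBIH{}, mRaw{}, mHeaderBytes(0), mError(false) {}

    // Consume one chunk; returns how many header bytes are still missing.
    size_t Write(const char* data, size_t len) {
        size_t want = kHeaderLen - mHeaderBytes;
        size_t take = len < want ? len : want;       // anything past the header is pixel data
        std::memcpy(mRaw + mHeaderBytes, data, take);
        mHeaderBytes += take;
        if (mHeaderBytes < kHeaderLen) return kHeaderLen - mHeaderBytes;  // mBIH untouched
        mBIH.width  = int32_t(LE32(mRaw));
        mBIH.height = int32_t(LE32(mRaw + 4));
        mBIH.planes = LE16(mRaw + 8);
        mBIH.bpp    = LE16(mRaw + 10);
        // Validate before any length is derived from the header.
        bool bppOk = mBIH.bpp == 1 || mBIH.bpp == 4 || mBIH.bpp == 8 || mBIH.bpp == 24 || mBIH.bpp == 32;
        if (mBIH.width <= 0 || mBIH.height == 0 || mBIH.planes != 1 || !bppOk) mError = true;
        return 0;
    }
    bool HeaderComplete() const { return mHeaderBytes == kHeaderLen; }
    bool HasError() const { return mError; }
    // Bytes per pixel row, padded to 4 as BMP requires; 0 until the header is complete and valid.
    uint32_t RowBytes() const {
        if (!HeaderComplete() || mError) return 0;
        uint64_t bits = uint64_t(mBIH.width) * mBIH.bpp;
        return uint32_t(((bits + 31) / 32) * 4);
    }
private:
    BIH mBIH;
    unsigned char mRaw[kHeaderLen];
    size_t mHeaderBytes;
    bool mError;
};
```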

Updated (6 years ago)
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox8: --- → wontfix
status-firefox9: --- → wontfix
tracking-firefox10: --- → +
tracking-firefox11: --- → +
tracking-firefox8: --- → -
tracking-firefox9: --- → -
Joe, any updates here, this one's been sitting for quite a while...
status-firefox12: --- → affected
tracking-firefox12: --- → +
Keywords: testcase-wanted

Comment 6 (Assignee, 6 years ago)

This looks exactly the same as another bug that Brian fixed a little while back.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 687982

Updated (Assignee, 6 years ago)

Whiteboard: [sg:critical]

Updated (6 years ago)
status-firefox11: affected → fixed
status-firefox12: affected → fixed
tracking-firefox11: + → -
tracking-firefox12: + → -
Keywords: testcase-wanted