Bug 704512 - nsBMPDecoder::WriteInternal: Conditional jump or move depends on uninitialised value(s)
Status: RESOLVED DUPLICATE of bug 687982
Product: Core
Classification: Components
Component: ImageLib
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- normal
Assigned To: Joe Drew (not getting mail)
Reported: 2011-11-22 09:21 PST by Josh Aas
Modified: 2015-10-16 11:37 PDT

Description Josh Aas 2011-11-22 09:21:36 PST
Seen while running a Firefox trunk x86_64 build under valgrind on Mac OS X 10.6.

==97971== Conditional jump or move depends on uninitialised value(s)
==97971==    at 0x107456134: mozilla::imagelib::nsBMPDecoder::WriteInternal(char const*, unsigned int) (nsBMPDecoder.cpp:424)
==97971==    by 0x1074172EB: mozilla::imagelib::Decoder::Write(char const*, unsigned int) (Decoder.cpp:112)
==97971==    by 0x1074580F2: mozilla::imagelib::nsICODecoder::WriteInternal(char const*, unsigned int) (nsICODecoder.cpp:448)
==97971==    by 0x1074172EB: mozilla::imagelib::Decoder::Write(char const*, unsigned int) (Decoder.cpp:112)
==97971==    by 0x10741CA0D: mozilla::imagelib::RasterImage::WriteToDecoder(char const*, unsigned int) (RasterImage.cpp:2365)
==97971==    by 0x10741CD32: mozilla::imagelib::RasterImage::DecodeSomeData(unsigned int) (RasterImage.cpp:2695)
==97971==    by 0x10741D08E: mozilla::imagelib::imgDecodeWorker::Run() (RasterImage.cpp:2814)
==97971==    by 0x10741E9A7: mozilla::imagelib::RasterImage::AddSourceData(char const*, unsigned int) (RasterImage.cpp:1491)
==97971==    by 0x10741EEA2: mozilla::imagelib::RasterImage::WriteToRasterImage(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) (RasterImage.cpp:2912)
==97971==    by 0x10893033F: nsPipeInputStream::ReadSegments(unsigned int (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) (nsPipe3.cpp:799)
==97971==    by 0x10744623B: imgRequest::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int) (imgRequest.cpp:1166)
==97971==    by 0x10742B959: ProxyListener::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int) (imgLoader.cpp:2090)

Marking as security-sensitive to be safe, hopefully it isn't necessary though.
Comment 1 Joe Drew (not getting mail) 2011-11-23 22:09:10 PST
Frig. Thought I'd responded to this before.

Running with --track-origins would help; alternately, a reproducible testcase :)
Comment 2 Josh Aas 2011-11-24 00:32:25 PST
The three pages I loaded under valgrind when I got this were:

1) the Mozilla nightly build home page
2) w3.org
3) espn.com
Comment 3 Johnny Stenback (:jst, jst@mozilla.com) 2011-12-07 17:15:52 PST
Looks like mBIH is uninitialized here, I don't see the constructor initializing any of its members.
Comment 4 Daniel Veditz [:dveditz] 2011-12-07 17:18:12 PST
mBIH is used all over here. Mostly just integer value setting but could any of the paths taken lead to a mistaken assumed length?
Comment 5 Johnny Stenback (:jst, jst@mozilla.com) 2012-01-05 13:35:34 PST
Joe, any updates here, this one's been sitting for quite a while...
Comment 6 Joe Drew (not getting mail) 2012-01-12 15:33:30 PST
This looks exactly the same as another bug that Brian fixed a little while back.

*** This bug has been marked as a duplicate of bug 687982 ***
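
The concern raised in Comments 3 and 4, as an added example (not ImageLib code and not part of the original report): a streaming decoder whose header member is value-initialised in the constructor, and whose header-derived length stays unavailable until the header has been fully received and validated. `ToyBmpDecoder`, `InfoHeader`, the 14-byte header layout and the width limit are hypothetical; only the member name `mBIH` comes from the thread.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical, simplified 14-byte little-endian header: size, width, height, bpp.
struct InfoHeader { uint32_t size; int32_t width; int32_t height; uint16_t bpp; };

class ToyBmpDecoder {
public:
    static const size_t kHeaderLen = 14;
    // Value-initialise every member so no branch ever tests indeterminate bytes.
    ToyBmpDecoder() : mBIH(), mRaw(), mPos(0), mError(false) {}

    // Streaming entry point; the header may be split across any number of calls.
    void Write(const char* buf, size_t len) {
        if (mError || mPos >= kHeaderLen) return;  // pixel data is out of scope here
        size_t n = kHeaderLen - mPos;
        if (n > len) n = len;
        std::memcpy(mRaw + mPos, buf, n);
        mPos += n;
        if (mPos == kHeaderLen) ParseHeader();
    }
    bool HeaderReady() const { return mPos == kHeaderLen && !mError; }
    bool HasError() const { return mError; }
    // Length derived from header fields; 0 until the header is complete and valid.
    uint32_t RowBytes() const {
        if (!HeaderReady()) return 0;
        return ((uint32_t(mBIH.width) * mBIH.bpp + 31) / 32) * 4;
    }
private:
    static uint32_t Le32(const unsigned char* p) {
        return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
    }
    void ParseHeader() {
        mBIH.size   = Le32(mRaw);
        mBIH.width  = int32_t(Le32(mRaw + 4));
        mBIH.height = int32_t(Le32(mRaw + 8));
        mBIH.bpp    = uint16_t(mRaw[12] | mRaw[13] << 8);
        bool bppOk = mBIH.bpp == 1 || mBIH.bpp == 4 || mBIH.bpp == 8 ||
                     mBIH.bpp == 16 || mBIH.bpp == 24 || mBIH.bpp == 32;
        // Reject values that would make later length arithmetic wrong.
        mError = !bppOk || mBIH.width <= 0 || mBIH.width > 0x7FFF || mBIH.height == 0;
    }
    InfoHeader mBIH;
    unsigned char mRaw[kHeaderLen];
    size_t mPos;
    bool mError;
};
```

Removing `mBIH()` from the initialiser list recreates the class of report valgrind printed above: any branch on a header field taken before `ParseHeader()` runs would read indeterminate memory.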
