Closed Bug 719202 Opened 13 years ago Closed 13 years ago

Possible uninitialised value use in mozilla::imagelib::nsBMPDecoder::WriteInternal

Categories

(Core :: Graphics: ImageLib, defect)

Product:
Core
Component:
Graphics: ImageLib
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla12

People

(Reporter: jseward, Assigned: bbondy)

Details

Attachments

(1 file)

Patch v1.
851 bytes, patch
joe
: review+
Details | Diff | Splinter Review
Valgrind reports the error below during startup on x86_64-linux, when running on a 16 bit X display. Happens every startup. ----------------------------------- mozconfig: . $topsrcdir/browser/config/mozconfig mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/ff-opt ac_add_options --disable-libjpeg-turbo ac_add_options --enable-tests ac_add_options --enable-debug-symbols=yes ac_add_options --enable-optimize="-g -O -freorder-blocks" ac_add_options --disable-jemalloc ac_add_options --enable-valgrind mk_add_options MOZ_MAKE_FLAGS="-j4" ----------------------------------- the error itself: Conditional jump or move depends on uninitialised value(s) at 0x61CC6DB: mozilla::imagelib::nsBMPDecoder::WriteInternal(char const*, unsigned int) (image/decoders/nsBMPDecoder.cpp:429) by 0x61AE6E5: mozilla::imagelib::Decoder::Write(char const*, unsigned int) (image/src/Decoder.cpp:112) by 0x61CDBF2: mozilla::imagelib::nsICODecoder::WriteInternal(char const*, unsigned int) (image/decoders/nsICODecoder.cpp:448) by 0x61AE6E5: mozilla::imagelib::Decoder::Write(char const*, unsigned int) (image/src/Decoder.cpp:112) by 0x61B0483: mozilla::imagelib::RasterImage::WriteToDecoder(char const*, unsigned int) (image/src/RasterImage.cpp:2376) by 0x61B058B: mozilla::imagelib::RasterImage::DecodeSomeData(unsigned int) (image/src/RasterImage.cpp:2707) by 0x61B15F9: mozilla::imagelib::imgDecodeWorker::Run() (image/src/RasterImage.cpp:2826) by 0x61B4118: mozilla::imagelib::RasterImage::AddSourceData(char const*, unsigned int) (image/src/RasterImage.cpp:1502) by 0x61B42DC: mozilla::imagelib::RasterImage::WriteToRasterImage(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) (image/src/RasterImage.cpp:2924) by 0x6CCD42A: nsPipeInputStream::ReadSegments(unsigned int (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) (xpcom/io/nsPipe3.cpp:799) by 0x61C14DA: imgRequest::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int) (image/src/imgRequest.cpp:1097) by 0x61B80AF: ProxyListener::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int) (image/src/imgLoader.cpp:2092) Uninitialised value was created by a heap allocation at 0x4029B9A: malloc (/home/sewardj/VgTRUNK/trunk/coregrind/m_replacemalloc/vg_replace_malloc.c:263) by 0x403E058: moz_xmalloc (memory/mozalloc/mozalloc.cpp:103) by 0x61CDB84: mozilla::imagelib::nsICODecoder::WriteInternal(char const*, unsigned int) (ff-opt/image/decoders/../../dist/include/mozilla/mozalloc.h:229) by 0x61AE6E5: mozilla::imagelib::Decoder::Write(char const*, unsigned int) (image/src/Decoder.cpp:112) by 0x61B0483: mozilla::imagelib::RasterImage::WriteToDecoder(char const*, unsigned int) (image/src/RasterImage.cpp:2376) by 0x61B058B: mozilla::imagelib::RasterImage::DecodeSomeData(unsigned int) (image/src/RasterImage.cpp:2707) by 0x61B15F9: mozilla::imagelib::imgDecodeWorker::Run() (image/src/RasterImage.cpp:2826) by 0x61B4118: mozilla::imagelib::RasterImage::AddSourceData(char const*, unsigned int) (image/src/RasterImage.cpp:1502) by 0x61B42DC: mozilla::imagelib::RasterImage::WriteToRasterImage(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) (image/src/RasterImage.cpp:2924) by 0x6CCD42A: nsPipeInputStream::ReadSegments(unsigned int (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) (xpcom/io/nsPipe3.cpp:799) by 0x61C14DA: imgRequest::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int) (image/src/imgRequest.cpp:1097) by 0x61B80AF: ProxyListener::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int) (image/src/imgLoader.cpp:2092)
Assignee: nobody → netzen
How do we get this far into WriteInternal with an uninitialized mBIH? I guess it's possible, but seems unlikely that it missed all the previous uses. https://mxr.mozilla.org/mozilla-central/source/image/decoders/nsBMPDecoder.cpp#429 Looks like a dupe of bug 687982, but that means this should be fixed in Firefox 11 (Nightly and Aurora should have the fix at this point).
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
I suspect this is also innocuous but is different. I'll verify and re-resolve if it's the same.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Attached patch Patch v1.Splinter Review
Attachment #590795 - Flags: review?(joe)
I easily reproduced and fixed, silly change needed.
Attachment #590795 - Flags: review?(joe) → review+
https://hg.mozilla.org/mozilla-central/rev/66dc5e178691
Status: REOPENED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: