Mozilla Trunk crashes on access of the image at http://www.animax.no/pictures/anirmouse/AnirMousePro2.jpg [@ MSVCRT.DLL - nsJPEGDecoder::WriteFrom]

VERIFIED FIXED in mozilla0.9.1

Status

Product: Core
Component: ImageLib
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 17 years ago
Modified: 17 years ago

People

(Reporter: Xuân Baldauf, Assigned: Stuart Parmenter)

Tracking

Version: Trunk
Target Milestone: mozilla0.9.1
Platform: x86
OS: Windows 98
Keywords: crash, topcrash

Details

(Whiteboard: [imglib], crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

17 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.8.1+) Gecko/20010422
BuildID:    2001042208

Mozilla crashes reproducibly on access of the image at
http://www.animax.no/pictures/anirmouse/AnirMousePro2.jpg

Reproducible: Always
Steps to Reproduce:
1. Enter http://www.animax.no/pictures/anirmouse/AnirMousePro2.jpg into the URL bar.
2. Press return


Actual Results:  Mozilla crashes (segfault)

Expected Results:  Mozilla should not crash

IE 5.5 refused to load the image, 
Netscape Navigator 4.77 seems to display the image using one pixel for each RGB
component instead of one pixel for all three RGB components.

Comment 1

17 years ago
Works for me with 2001-04-23-21 on Linux.

Pavlov checked in three patches yesterday that address imglib, and I think
these are likely to have fixed this bug.

Xuan Baldauf, could you try a newer build and try to see if you can verify it?
Also, what error message do you see in the console when mozilla crashes?

Comment 2

17 years ago
I should have mentioned that even though my build was built before Pavlov's
checkin, it did have these patches applied locally.
(Reporter)

Comment 3

17 years ago
I have retried to reproduce this bug with the newest Mozilla build 2001042304;
it is still reproducible.

The Windows stack trace is (German):

MOZILLA verursachte einen Fehler durch eine ungültige Seite
in Modul MSVCRT.DLL bei 017f:780010d9.
Register:
EAX=00000000 CS=017f EIP=780010d9 EFLGS=00010202
EBX=00000000 SS=0187 ESP=0068f7e0 EBP=0068f810
ECX=000007f4 DS=0187 ESI=027686b0 FS=615f
EDX=00000000 ES=0187 EDI=00000000 GS=d477
Bytes bei CS:EIP:
f3 ab 85 d2 75 06 8b 44 24 08 5f c3 88 07 47 4a 
Stapelwerte:
00000000 60471609 00000000 00000000 00001fd0 0004f000 027686b0 0004f000 027686b0 
0068f858 60471202 02769cd0 0068f858 604714cb fffffffe 00000000 

The talkback ID for this crash is TB29545081G

I do not see any error message on any console under Windows, because there is no
Mozilla console. How can I enable console debugging under Windows?

Comment 4

17 years ago
I am seeing this on WinMe CVS 2001042310.
Neither mine nor Xuan's build has Pavlov's patches yet, so I'll check again
after compiling. I thought these patches fixed crashes on Linux with Gdk, though.
Confirming with Win2k build 20010424 (CVS debug, 10 min old).

Stack Trace:

memset() line 108
nsJPEGDecoder::OutputScanlines(int -2) line 528 + 27 bytes
nsJPEGDecoder::WriteFrom(nsJPEGDecoder * const 0x046331d0, nsIInputStream * 
0x03e7d8b8, unsigned int 13140, unsigned int * 0x0012f78c) line 395 + 10 bytes
imgRequest::OnDataAvailable(imgRequest * const 0x0414d618, nsIRequest * 
0x04619060, nsISupports * 0x00000000, nsIInputStream * 0x03e7d8b8, unsigned int 
0, unsigned int 13140) line 757 + 47 bytes
ProxyListener::OnDataAvailable(ProxyListener * const 0x03f50690, nsIRequest * 
0x04619060, nsISupports * 0x00000000, nsIInputStream * 0x03e7d8b8, unsigned int 
0, unsigned int 13140) line 374
ImageListener::OnDataAvailable(ImageListener * const 0x04728a68, nsIRequest * 
0x04619060, nsISupports * 0x00000000, nsIInputStream * 0x03e7d8b8, unsigned int 
0, unsigned int 13140) line 201
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x040fca68, 
nsIRequest * 0x04619060, nsISupports * 0x00000000, nsIInputStream * 0x03e7d8b8, 
unsigned int 0, unsigned int 13140) line 259 + 46 bytes
nsHTTPFinalListener::OnDataAvailable(nsHTTPFinalListener * const 0x040fcad0, 
nsIRequest * 0x04619060, nsISupports * 0x00000000, nsIInputStream * 0x03e7d8b8, 
unsigned int 0, unsigned int 13140) line 1170 + 46 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x045dcf98, 
nsIRequest * 0x04619060, nsISupports * 0x00000000, nsIInputStream * 0x045a4058, 
unsigned int 0, unsigned int 13140) line 56 + 51 bytes
nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x045b3618, 
nsIRequest * 0x04717b88, nsISupports * 0x04619060, nsIInputStream * 0x045a4058, 
unsigned int 1460, unsigned int 13140) line 539 + 64 bytes
nsOnDataAvailableEvent::HandleEvent() line 173 + 70 bytes
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x0424b1c4) line 64
PL_HandleEvent(PLEvent * 0x0424b1c4) line 588 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00e6ea10) line 518 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x0004075a, unsigned int 49369, unsigned int 0, 
long 15133200) line 1069 + 9 bytes
USER32! 77e048dc()
USER32! 77e04aa7()
USER32! 77e166fd()
nsAppShellService::Run(nsAppShellService * const 0x00e92528) line 408
main1(int 2, char * * 0x003576c8, nsISupports * 0x00000000) line 1005 + 32 bytes
main(int 2, char * * 0x003576c8) line 1300 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e892a6()
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash

Comment 6

17 years ago
changing status to [imglib]
Whiteboard: [imglib]

Comment 7

17 years ago
Color separated JPEG, 4 channels:

Image: AnirMousePro2.jpg
  Format: JPEG (Joint Photographic Experts Group JFIF format)
  Type: color separated
  Class: DirectClass
  Geometry: 2036x3060
  Depth: 8
  Matte: False
  Colors: 179560
  Profile-iptc: 472 bytes
  Filesize: 1778kb
  Interlace: None
  Background Color: gray100
  Border Color: #dfdfdf00
  Matte Color: gray74
  Compression: JPEG
  Comment: File written by Adobe Photoshop® 4.0
  Signature: 4335ad3c70e992cb88aeeaf52d215d27
  Tainted: False
  User Time: 2.5u
  Elapsed Time: 0:04

Independent JPEG Group's DJPEG, version 6b  27-Mar-1998
Copyright (C) 1998, Thomas G. Lane
Start of Image
Miscellaneous marker 0xed, length 486
Comment, length 37:
File written by Adobe Photoshop\250 4.0\000
Adobe APP14 marker: version 100, flags 0x0000 0x0000, transform 2
Define Quantization Table 0  precision 0
Define Quantization Table 1  precision 0
Start Of Frame 0xc0: width=2036, height=3060, components=4
    Component 1: 1hx1v q=0
    Component 2: 1hx1v q=1
    Component 3: 1hx1v q=1
    Component 4: 1hx1v q=0
Define Restart Interval 255
Define Huffman Table 0x00
Define Huffman Table 0x01
Define Huffman Table 0x10
Define Huffman Table 0x11
Start Of Scan: 4 components
    Component 1: dc=0 ac=0
    Component 2: dc=1 ac=1
    Component 3: dc=1 ac=1
    Component 4: dc=0 ac=0
  Ss=0, Se=63, Ah=0, Al=0
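
As an added illustration (not code from this bug or from Mozilla's nsJPEGDecoder), the following marker walker pulls the SOF component count and the Adobe APP14 transform byte out of a JPEG header and applies the guard the fix enforces (comment 12: only 1- or 3-component JPEGs are decoded), so a 4-channel file like this one is rejected before any scanline buffer arithmetic runs. The sample bytes are constructed to mirror the djpeg dump above; the function names are this example's own.

```python
import struct

SOF_MARKERS = {0xC0, 0xC1, 0xC2}   # baseline, extended sequential, progressive
SUPPORTED_COMPONENTS = {1, 3}      # grayscale and YCbCr; 4-channel CMYK/YCCK is rejected


def parse_sof(data):
    """Return (width, height, components, adobe_transform) from the first SOF.

    adobe_transform is the APP14 transform byte (2 in the dump above) or None
    when no Adobe marker precedes the SOF. Malformed input raises ValueError.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos, adobe_transform = 2, None
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError("truncated or misaligned at offset %d" % pos)
        while data[pos + 1] == 0xFF:          # skip fill bytes before the marker
            pos += 1
            if pos + 4 > len(data):
                raise ValueError("truncated after fill bytes")
        marker = data[pos + 1]
        if marker == 0xD9:
            raise ValueError("EOI reached before any SOF marker")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        if length < 2 or len(payload) != length - 2:
            raise ValueError("truncated segment 0x%02x" % marker)
        if marker == 0xEE and payload[:5] == b"Adobe" and len(payload) >= 12:
            adobe_transform = payload[11]     # follows version, flags0, flags1
        if marker in SOF_MARKERS:
            if len(payload) < 6:
                raise ValueError("short SOF segment")
            _prec, height, width, ncomp = struct.unpack(">BHHB", payload[:6])
            return width, height, ncomp, adobe_transform
        pos += 2 + length


def decoder_accepts(data):
    """Guard to apply before handing bytes to a decoder that assumes 1 or 3 channels."""
    return parse_sof(data)[2] in SUPPORTED_COMPONENTS


def build_sample(ncomp, transform=None):
    """Constructed header-only JPEG whose SOF values mirror the djpeg dump above."""
    out = b"\xff\xd8"
    if transform is not None:
        app14 = b"Adobe" + struct.pack(">HHHB", 100, 0, 0, transform)
        out += b"\xff\xee" + struct.pack(">H", len(app14) + 2) + app14
    comps = b"".join(struct.pack(">BBB", i + 1, 0x11, 0) for i in range(ncomp))
    sof = struct.pack(">BHHB", 8, 3060, 2036, ncomp) + comps
    return out + b"\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof + b"\xff\xd9"
```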

Comment 8

17 years ago
Move to ImageLib component.
Assignee: mjudge → pavlov
Component: Image Conversion Library → ImageLib
*** Bug 78349 has been marked as a duplicate of this bug. ***

Comment 10

17 years ago
Adding topcrash keyword and [@ MSVCRT.DLL - nsJPEGDecoder::WriteFrom] to summary 
for tracking, this is one of the topcrashers showing up under the MSVCRT.DLL 
(MSVCRT.DLL + 0x10d9) stack signature in Talkback data.  Here's a stacktrace:

Incident ID 29595923 
MSVCRT.DLL + 0x10d9 (0x780010d9) 
nsJPEGDecoder::WriteFrom 
[d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\jpeg\nsJPEGDecoder.cpp,
line 443] 
imgRequest::OnDataAvailable 
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp, line 759] 
ProxyListener::OnDataAvailable 
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp, line 374] 
nsFileChannel::OnDataAvailable 
[d:\builds\seamonkey\mozilla\netwerk\protocol\file\src\nsFileChannel.cpp, line 
503]

nsOnDataAvailableEvent::HandleEvent 
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp,
line 183] 
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 589] 
PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, 
line 522] 
_md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 
1070] 
KERNEL32.DLL + 0x248f7 (0xbff848f7) 
0x00688b5a 
0x00058f64 

According to today's Talkback topcrash report, the last build I see crashing 
with this stack is 2001042509.  Can QA see if this is still a problem with the 
latest builds?
Keywords: topcrash
Summary: Mozilla crashes on access of the image at http://www.animax.no/pictures/anirmouse/AnirMousePro2.jpg → Mozilla Trunk crashes on access of the image at http://www.animax.no/pictures/anirmouse/AnirMousePro2.jpg [@ MSVCRT.DLL - nsJPEGDecoder::WriteFrom]
(Assignee)

Updated

17 years ago
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.1
(Assignee)

Comment 11

17 years ago
Created attachment 33154 [details] [diff] [review]
Patch to fix the crash
(Assignee)

Comment 12

17 years ago
I've filed bug 78860 on the fact that we don't display jpegs unless they have 1 
or 3 components.

Comment 13

17 years ago
sr=tor
r=hixie
(Assignee)

Comment 15

17 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
(Assignee)

Comment 16

17 years ago
*** Bug 78744 has been marked as a duplicate of this bug. ***

Comment 17

17 years ago
Can't seem to get to the test file, so verifying the fix checked into lxr.mozilla.org.
Status: RESOLVED → VERIFIED
Crash Signature: [@ MSVCRT.DLL - nsJPEGDecoder::WriteFrom]