81818 - content-type header and content mismatch causes crash in gkcontent - Trunk [@ nsImageDocument::UpdateTitle]

Status: VERIFIED FIXED

(Core :: DOM: HTML Parser, defect)

Description

[Ferdinand]

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:0.9+) Gecko/20010519
BuildID:    cvs 2001190508

when opening a page that has image/gif as content-type in http header, while it
actually is html, mozilla crashes.

Reproducible: Always
Steps to Reproduce:
1. Open the url (which gives image/gif header on text/html file)
2. mozilla crashes instantly in gkcontent


Actual Results:  crash

Expected Results:  some better way to deal with this...
i understand its weird server behaviour, but crashing is bad.

php code that will cause crash too:
<?php
  header("Content-Type: image/gif");
  echo "<html><body></body></html>\n";
?>

Comment 1

[harishd]

Here is the stack trace:

nsImageDocument::UpdateTitle() line 501 + 11 bytes
nsImageDocument::EndLayout(nsISupports * 0x00000000, unsigned int 0) line 436
ImageListener::OnStopRequest(ImageListener * const 0x00718800, nsIRequest * 
0x007153c0, nsISupports * 0x00000000, unsigned int 0) line 187
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x0247a7e0, 
nsIRequest * 0x007153c0, nsISupports * 0x00000000, unsigned int 0) line 255
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x02390810, 
nsIRequest * 0x007153c0, nsISupports * 0x00000000, unsigned int 0) line 25
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x007153c4, nsIRequest * 
0x0247ca80, nsISupports * 0x00000000, unsigned int 0) line 2038
nsOnStopRequestEvent::HandleEvent() line 159
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x023a6074) line 64
PL_HandleEvent(PLEvent * 0x023a6074) line 590 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x0124ba90) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00080394, unsigned int 49451, unsigned in


Johnny, this could be related to your recent change!

---> if (!valUni[0]) {
       key.AssignWithConversion("ImageTitleWithoutDimensions");
       rv = bundle->GetStringFromName(key.GetUnicode(), getter_Copies(valUni));
     }
Reassigning to jst.

Comment 2

[Johnny Stenback (:jst)]

Attachment: Proposed fix.

Comment 3

[Johnny Stenback (:jst)]

The patch I just attached fixes this crash that was introduced by scc's string
renaming changes (chcecked in from my account, see checkin comment), this is a
crash that needs to be fixed and the fix is easy and safe, there's no reason not
to check this in for mozilla0.9.1, nominating.

The attached patch also contains one minor optimization that avoids one alloc,
string copy and free operation when setting the title of an image document.

scc, sr=?

Comment 4

[chris hofmann]

a=chofmann

Comment 5

[Scott Collins]

sr=scc, nice catch jst ... and sorry for the trouble

Comment 6

[Johnny Stenback (:jst)]

np

Fix checked in.

Comment 7

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

*** Bug 82742 has been marked as a duplicate of this bug. ***

Comment 8

[bsharma]

Verified on
build: 2001-05-29-20-Trunk
platform: Win NT

The browser does not crashes.

Comment 9

[Jay Patel [:jay]]

Adding topcrash keyword and Trunk [@ nsImageDocument::UpdateTitle] to summary
for tracking.  This *was* a topcrasher according to Talkback, but to confirm the
verified fixed status and resolution, this crash last occurred with build
2001052622.