Bug 895023 (Closed; opened 12 years ago, closed 12 years ago)
crash in mozilla::image::VectorImage::GetIntrinsicRatio(nsSize*), with "display:none" on root node in SVG as an image
Categories: Core :: SVG, defect
Tracking: VERIFIED FIXED, mozilla25
People: Reporter: adnan, Assigned: dholbert
Attachments (3 files, 3 obsolete files):
- 1.34 KB, image/svg+xml
- 106 bytes, text/html
- 4.96 KB, patch; seth: review+; lsblakk: approval-mozilla-aurora+; lsblakk: approval-mozilla-beta+
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.22 Safari/537.36
Steps to reproduce:
Loaded a page that had multiple .svg files embedded through CSS. Trial and error pointed to a particular .svg as the culprit. Long story short, display="none" was present in the <svg> tag. Removing display="none" from <svg display="none"> fixed the crash issue.
Actual results:
Browser crashed.
Expected results:
Page should have loaded as it would in FF21, or any other browser.
Comment 1 • 12 years ago
Can you attach the testcase that causes it to crash please using the Add an Attachment button?
Comment 2 • 12 years ago (Reporter)
SVG will load fine on its own, but when it is present in an HTML document, browser crashes.
Comment 3 • 12 years ago (Reporter)
Not entirely sure what a testcase is, so hopefully the responsible file and description are help enough.
Comment 4 • 12 years ago
Comment 5 • 12 years ago
You mean like this? It doesn't crash for me.
Comment 6 • 12 years ago (Reporter)
Like so. I should have been more clear. My apologies :(
Comment 7 • 12 years ago (Assignee)
I can reproduce.
Here's a testcase using <img>.
Comment 8 • 12 years ago (Assignee)
Crash report: bp-56d9ea20-2131-46c5-86cf-1cc0f2130717
It's a null-deref crash, so probably not exploitable, thankfully.
Status: UNCONFIRMED → NEW
Crash Signature: [@ mozilla::image::VectorImage::GetIntrinsicRatio(nsSize*)]
Ever confirmed: true
OS: Windows 8 → All
Hardware: x86_64 → All
Summary: display="none" in <svg> tag crashes browser → crash in mozilla::image::VectorImage::GetIntrinsicRatio(nsSize*), with display="none" in SVG as an image
Version: 22 Branch → Trunk
Comment 9 • 12 years ago (Assignee)
I can reproduce in Nightly as well as in the current release (Firefox 22). --> Setting "affected" flags on those branches & everything in between.
status-firefox22: --- → affected
status-firefox23: --- → affected
status-firefox24: --- → affected
status-firefox25: --- → affected
Updated • 12 years ago (Assignee)
tracking-firefox25: --- → ?
Updated • 12 years ago
Attachment #777327 - Attachment is obsolete: true
Comment 10 • 12 years ago (Assignee)
Looks like we're crashing because |rootFrame| is null.
Probably a regression from http://hg.mozilla.org/mozilla-central/rev/da9e03172d00 (bug 842850) which removed the null-check.
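The failure mode described in comment 10, as an added C++ model that is not Gecko's code: an SVG root element with display:none gets no frame, so an intrinsic-ratio accessor that dereferences the root frame unconditionally null-derefs, while the hardened shape below reports failure instead. Every type name, the NS_ERROR_FAILURE value and the 100x50 sample root are stand-ins for illustration.

```cpp
#include <cstdint>
#include <memory>

// Stand-in types for this illustration (not Gecko's real definitions).
using nsresult = uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_FAILURE = 0x80004005;  // assumed value

struct nsSize { int width; int height; };
// The SVG root element; when it is display:none, layout builds no frame for it.
struct SVGRootElement { int width; int height; bool displayNone; };
// The outer <svg> frame that layout would build for a displayed root.
struct nsSVGOuterSVGFrame { nsSize intrinsicSize; };

class VectorImageModel {
 public:
  explicit VectorImageModel(const SVGRootElement& root) {
    if (!root.displayNone) {  // display:none root => mRootFrame stays null
      mRootFrame = std::make_unique<nsSVGOuterSVGFrame>();
      mRootFrame->intrinsicSize = nsSize{root.width, root.height};
    }
  }

  // Hardened accessor. The regressing change dropped the null check below and
  // dereferenced rootFrame unconditionally, which crashes on a display:none root.
  nsresult GetIntrinsicRatio(nsSize* aRatio) const {
    const nsSVGOuterSVGFrame* rootFrame = mRootFrame.get();
    if (!rootFrame) {
      return NS_ERROR_FAILURE;  // no frame, so no ratio; caller handles failure
    }
    *aRatio = rootFrame->intrinsicSize;
    return NS_OK;
  }

 private:
  std::unique_ptr<nsSVGOuterSVGFrame> mRootFrame;
};

// Drive both paths with a constructed 100x50 root so the results are checkable.
inline nsresult RatioStatus(bool displayNone) {
  VectorImageModel img(SVGRootElement{100, 50, displayNone});
  nsSize ratio{0, 0};
  return img.GetIntrinsicRatio(&ratio);
}
inline int RatioWidth(bool displayNone) {  // -1 when no ratio is available
  VectorImageModel img(SVGRootElement{100, 50, displayNone});
  nsSize ratio{0, 0};
  return img.GetIntrinsicRatio(&ratio) == NS_OK ? ratio.width : -1;
}
```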
Updated • 12 years ago (Assignee)
Attachment #777279 - Attachment description: svg file that crashes Firefox 22 → helper SVG file (to be used as an image)
Updated • 12 years ago (Assignee)
Attachment #777338 - Attachment is obsolete: true
Updated • 12 years ago (Assignee)
Blocks: 842850
Keywords: regression
Updated • 12 years ago (Assignee)
Assignee: nobody → dholbert
Status: NEW → ASSIGNED
Comment 11 • 12 years ago (Assignee)
Here's a fix with two reftests-that-are-basically-crashtests -- one with <img> and one with background-image.
(I made them reftests that compare against "about:blank", just to be sure we don't paint random junk or the actual SVG content or anything.)
Attachment #777416 - Flags: review?(seth)
Comment 12 • 12 years ago (Assignee)
(oops; I copypasted the wrong license block into the testcases. Fixed.)
Attachment #777416 - Attachment is obsolete: true
Attachment #777416 - Flags: review?(seth)
Attachment #777419 - Flags: review?(seth)
Comment 13 • 12 years ago (Assignee)
Updated • 12 years ago (Assignee)
Summary: crash in mozilla::image::VectorImage::GetIntrinsicRatio(nsSize*), with display="none" in SVG as an image → crash in mozilla::image::VectorImage::GetIntrinsicRatio(nsSize*), with "display:none" on root node in SVG as an image
Comment 14 • 12 years ago
Looking at this bug in Firefox 22 crashes Firefox, I assume from the attachments. So I can't open this bug except in Nightly.
Comment 15 • 12 years ago (Assignee)
Liz: I suspect you have BugzillaJS, configured to display image attachments inline in Bugzilla pages. In that configuration, viewing this bug page will crash (due to this very bug), in Firefox 22 through Nightly. (Not sure why it didn't crash for you in nightly -- I'd expect it would have. Perhaps BugzillaJS got disabled when you switched to Nightly?)
Comment 16 • 12 years ago
Daniel: That is exactly it! And I'm running Nightly with no add-ons.
Comment 17 • 12 years ago
Unless this is a high volume crash we're not going to track but will take a low risk uplift as high as we can depending on when it's ready.
Keywords: reproducible
Comment 18 • 12 years ago
Comment on attachment 777419 [details] [diff] [review]
fix v1a
Review of attachment 777419 [details] [diff] [review]:
-----------------------------------------------------------------
Heh, interesting test case! The fix looks good.
Attachment #777419 - Flags: review?(seth) → review+
Comment 19 • 12 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment 20 • 12 years ago (Assignee)
Comment on attachment 777419 [details] [diff] [review]
fix v1a
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 842850
User impact if declined: Crash (from null deref) when viewing certain SVG images.
Testing completed (on m-c, etc.): Local testing (& just landed on m-c, so this should be getting nightly testing starting tomorrow).
Risk to taking this patch (and alternatives if risky): Low. This just restores some null-checks that were accidentally removed as part of the regressing patch.
String or IDL/UUID changes made by this patch: none
Attachment #777419 - Flags: approval-mozilla-beta?
Attachment #777419 - Flags: approval-mozilla-aurora?
Updated • 12 years ago
Updated • 12 years ago
Attachment #777419 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #777419 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 21 • 12 years ago
Comment 23 • 12 years ago
Verified fixed on:
Build:
Firefox for Android 23.0b8_build2
Firefox for Android 24.0a2 (2013-07-24)
Firefox for Android 25.0a1 (2013-07-24)
Device: LG Nexus 4 (Android 4.2.2) / Samsung Galaxy TAB (Android 4.0.4)
Status: RESOLVED → VERIFIED