Closed
Bug 966630
Opened 10 years ago
Closed 10 years ago
WebGL crash [@mozilla::gl::GLContext::fCompressedTexImage2D / gleEvaluateTextureImageChange]
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
()
VERIFIED
FIXED
mozilla31
People
(Reporter: posidron, Assigned: u480271)
References
Details
(Keywords: crash, sec-high, testcase, Whiteboard: [adv-main29+][adv-esr24.5+])
Crash Data
Attachments
(4 files)
882 bytes, text/html
4.29 KB, text/plain
2.24 KB, patch (bjacob: review+, jgilbert: review+, abillings: approval-mozilla-beta+, abillings: approval-mozilla-esr24+)
1.77 KB, patch (jgilbert: review+, abillings: approval-mozilla-aurora+)
Reporter
Comment 1•10 years ago
Comment 2•10 years ago
Doesn't seem to be the driver (crashes on Windows and Mac).
Keywords: sec-high
Comment 3•10 years ago
Dan, does this fall under the "refactoring so that we don't have to do them one by one"?
Assignee: nobody → dglastonbury
I've fixed this in the work I've done for 966624, so adding a dependency. Instead of crashing, now detects invalid level. From console: "Error: WebGL: compressedTexImage2D: level > maximum texture level"
Depends on: 966624
Fixed by Bug 966624.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
status-firefox30:
--- → fixed
Target Milestone: --- → mozilla30
I tested again the following and all are affected:
* aurora
* ff-27
* ff-24esr
Flags: needinfo?(dglastonbury)
Updated•10 years ago
status-firefox27:
--- → wontfix
status-firefox28:
--- → affected
status-firefox29:
--- → affected
status-firefox-esr24:
--- → affected
Comment 9•10 years ago
We should get this fixed on Aurora, Beta, and ESR24.
Updated•10 years ago
Comment 10•10 years ago
Can we get a nom for uplift in Bug 966624 in order for the fix to make it into ESR24?
Comment 11•10 years ago
Dan - Can you handle the nom and uplift for ESR24?
Flags: needinfo?(dglastonbury)
Assignee
Comment 12•10 years ago
I'm not comfortable uplifting the patches from Bug 966624 to ESR24. I'll look at creating a fix for just this specific issue.
Flags: needinfo?(dglastonbury)
Assignee
Comment 13•10 years ago
Patch to fix the issue in ESR 24 instead of uplifting the whole refactoring of texture image parameters.
Attachment #8405996 -
Flags: review?(bjacob)
Assignee
Comment 14•10 years ago
Comment on attachment 8405996
Patch for FF ESR 24
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: Ability to crash browser with bad WebGL parameters
Fix Landed on Version: FF30
Risk to taking this patch (and alternatives if risky): This patch is very small and easy to code review. The risk is negligible.
String or UUID changes made by this patch:
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8405996 -
Flags: approval-mozilla-esr24?
Updated•10 years ago
Attachment #8405996 -
Flags: approval-mozilla-esr24? → approval-mozilla-esr24+
Comment 15•10 years ago
Approved for ESR assuming it passed review.
Comment 17•10 years ago
Comment on attachment 8405996 [details] [diff] [review] Patch for FF ESR 24 Review of attachment 8405996 [details] [diff] [review]: ----------------------------------------------------------------- ::: content/canvas/src/WebGLContextValidate.cpp @@ +512,5 @@ > + * expecting. > + */ > + > + if (level > 31) > + level = 31; Good, and here is another justification for this good change: GLsizei is int32_t, so it can't exceed 2^31 - 1, so, even if we allowed NPOT cubemaps, there can't be a texture level > 30 (or else, texture mipmap completeness rules are violated, and we fake the sampling as a black texture).
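Review bot: At `if (level > 31) level = 31;` the bound is a bare literal, while the review reply that follows argues the highest meaningful level is 30, so the code and its stated justification differ by one; the comment ending in "expecting." should state which bound is intended and why 31 is still safe. The visible lines show no lower-bound check, so if `level` is a signed type a negative value passes this clamp unchanged unless it is rejected elsewhere. Because the clamp rewrites `level` instead of rejecting the call, it is also worth confirming that the clamped value is used only for validation in this function and is not passed on as the mip level.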
Attachment #8405996 -
Flags: review?(bjacob) → review+
Attachment #8405996 -
Flags: review?(jgilbert)
Flags: needinfo?(dglastonbury)
Updated•10 years ago
Attachment #8405996 -
Flags: review?(jgilbert) → review+
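The bound discussed in comment 17, worked through as an added example (not code from the Gecko patches or from anyone in this thread): a C++ check that rejects an out-of-range mip level before any shift is performed. The names `LevelCheck`, `MaxLevelFor` and `ValidateTexLevel`, and the rule that a level-N image may be at most `maxTextureSize >> N` texels on a side, are assumptions of this sketch.

```cpp
#include <cstdint>
#include <cstdio>

// Added illustration; every name here is hypothetical, not Gecko's.
enum class LevelCheck { Ok, NegativeLevel, NegativeSize, LevelTooHigh, SizeTooLarge };

// Highest mip level at which an image of at least 1 texel can exist for a
// given maximum texture dimension. For INT32_MAX this is 30, because a
// signed 32-bit size cannot reach 2^31.
constexpr int32_t MaxLevelFor(int32_t maxTextureSize) {
    int32_t level = 0;
    // level + 1 never exceeds 30 here, so the shift count stays below the
    // 32-bit width and the shift is well defined.
    while (level < 30 && (maxTextureSize >> (level + 1)) > 0) ++level;
    return level;
}

// Validate untrusted (level, width, height) against the implementation limit.
LevelCheck ValidateTexLevel(int32_t level, int32_t width, int32_t height,
                            int32_t maxTextureSize) {
    if (level < 0) return LevelCheck::NegativeLevel;
    if (width < 0 || height < 0) return LevelCheck::NegativeSize;
    // Reject, rather than clamp, before shifting by an untrusted count.
    if (level > MaxLevelFor(maxTextureSize)) return LevelCheck::LevelTooHigh;
    const int32_t maxSizeAtLevel = maxTextureSize >> level;  // level <= 30
    if (width > maxSizeAtLevel || height > maxSizeAtLevel)
        return LevelCheck::SizeTooLarge;
    return LevelCheck::Ok;
}

int main() {
    // Constructed inputs: (level, width, height) against a 4096 limit.
    const int32_t cases[][3] = {{0, 256, 256}, {12, 1, 1}, {13, 1, 1},
                                {INT32_MAX, 4, 4}, {-1, 4, 4}, {3, 1024, 4}};
    for (const auto& c : cases)
        std::printf("level=%d %dx%d -> %d\n", (int)c[0], (int)c[1], (int)c[2],
                    static_cast<int>(ValidateTexLevel(c[0], c[1], c[2], 4096)));
    return 0;
}
```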
Assignee
Comment 18•10 years ago
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #16)
> What about beta29?
This patch can be applied to Beta 29.
Assignee
Comment 19•10 years ago
Comment on attachment 8405996
Patch for FF ESR 24
[Approval Request Comment]
Bug caused by (feature/regressing bug #):
User impact if declined: Ability to crash browser with bad WebGL parameters
Testing completed (on m-c, etc.):
Risk to taking this patch (and alternatives if risky): This patch is very small and easy to code review. The risk is negligible.
String or IDL/UUID changes made by this patch:
Attachment #8405996 -
Flags: approval-mozilla-beta?
Updated•10 years ago
Attachment #8405996 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Assignee
Comment 20•10 years ago
Ported patch for ESR24 to Aurora.
Attachment #8406629 -
Flags: review?(jgilbert)
Assignee
Comment 21•10 years ago
Comment on attachment 8406629
Aurora patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #):
User impact if declined: Ability to crash firefox with bad WebGL parameters.
Testing completed (on m-c, etc.):
Risk to taking this patch (and alternatives if risky): Very low risk. Patch is easy to code review.
String or IDL/UUID changes made by this patch:
Attachment #8406629 -
Flags: approval-mozilla-aurora?
Comment 22•10 years ago
I'm confused, I thought this was fixed on Aurora by bug 966624? Does that mean that trunk (31) needs this fix as well?
Updated•10 years ago
Attachment #8406629 -
Flags: review?(jgilbert) → review+
Assignee
Comment 23•10 years ago
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #22)
> I'm confused, I thought this was fixed on Aurora by bug 966624? Does that
> mean that trunk (31) needs this fix as well?
Between comment 5 and my testing yesterday the bug regressed in m-c trunk.
Assignee
Comment 24•10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/b300ff71f9b0
Assignee
Comment 25•10 years ago
Bear with me because I'm new to this, but who does the check-in of patch to ESR24, Aurora and Beta? Am I supposed to? And why is my name against the a? for Aurora?
Comment 26•10 years ago
(In reply to Dan Glastonbury :djg :kamidphish from comment #25)
> Bear with me because I'm new to this, but who does the check-in of patch to
> ESR24, Aurora and Beta? Am I supposed to? And why is my name against the a?
> for Aurora?
Your name is against the a? because you nominated it for Aurora approval? Either you check it in or you get a sheriff like Ryan to do so.
Updated•10 years ago
Attachment #8406629 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee
Comment 27•10 years ago
esr24: https://hg.mozilla.org/releases/mozilla-esr24/rev/06567ddea1d6
Comment 28•10 years ago
landed on mozilla-central https://hg.mozilla.org/mozilla-central/rev/b300ff71f9b0
Updated•10 years ago
status-firefox31:
--- → fixed
Target Milestone: mozilla30 → mozilla31
Comment 29•10 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/5d9bf448a9a9
https://hg.mozilla.org/releases/mozilla-beta/rev/17432cc5074d
https://hg.mozilla.org/releases/mozilla-b2g28_v1_3/rev/6d9cfa6f24dd
https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/6a8a4bc602c6
status-b2g-v1.2:
--- → fixed
status-b2g-v1.3:
--- → fixed
status-b2g-v1.4:
--- → fixed
status-b2g-v2.0:
--- → fixed
Updated•10 years ago
status-b2g-v1.3T:
--- → fixed
Updated•10 years ago
status-b2g-v1.3T:
fixed → ---
Whiteboard: [adv-main29+][adv-esr24.5+]
Updated•10 years ago
status-b2g-v1.3T:
--- → fixed
Comment 30•10 years ago
Confirmed crash on ASan Fx29, 2013-12-19. Verified fix on ASan Fx29, Fx30, Fx31, 2014-04-17.
Updated•9 years ago
Group: core-security