Closed Bug 413931 Opened 17 years ago Closed 17 years ago

Crash [@nsGIFDecoder2::DoLzw] when loading GIF file, part 2

Core :: Graphics: ImageLib, defect, P2
Status: VERIFIED FIXED
Target Milestone: mozilla1.9beta3
Reporter: martijn.martijn, Assigned: alfredkayser
Keywords: crash, regression, testcase
Attachments: 2 files, 4 obsolete files

I had this image stored on my computer. No idea how I got it. Perhaps, I downloaded it from a bug where that image was crashing too in older builds or something.

http://crash-stats.mozilla.com/report/index/e457fab3-cade-11dc-a0db-001a4bd46e84
Frame  Signature  Source
0  nsGIFDecoder2::DoLzw(unsigned char const*)  mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp:614
1  nsGIFDecoder2::GifWrite(unsigned char const*, unsigned int)  mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp:769
2  ReadDataOut  mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp:190
3  nsPipeInputStream::ReadSegments(unsigned int (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*)  mozilla/xpcom/io/nsPipe3.cpp:799
4  nsGIFDecoder2::WriteFrom(nsIInputStream*, unsigned int, unsigned int*)  mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp:262
5  imgRequest::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int)  mozilla/modules/libpr0n/src/imgRequest.cpp:861
6  ProxyListener::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned int, unsigned int)  mozilla/modules/libpr0n/src/imgLoader.cpp:877

This wasn't fixed by bug 413373, because I crash in the 2008-01-24 build, but not with the testcase from bug 413373.


This regressed between 2007-06-25 and 2007-06-26:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-06-25+04&maxdate=2007-06-26+09&cvsroot=%2Fcvsroot
So I guess a regression from bug 196295.
Another fix to prevent crashes on malformed LZW data in GIFs.
Attachment #299063 - Attachment is obsolete: true
Attachment #299130 - Flags: superreview?(tor)
Attachment #299130 - Flags: review?(pavlov)
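The crash this bug tracks is an array access out of bounds while the decoder walks its LZW dictionary on malformed input, and the fix referenced above hardens that path. As an added illustration for this page (not Mozilla's nsGIFDecoder2 and not the attached patch), the hypothetical decoder below checks every code against the number of dictionary entries defined so far before indexing the table, so a stream that references an undefined slot, uses the KwKwK special case with no previous string, or exceeds the 12-bit table limit is rejected instead of read through. It works on already-unpacked codes; GIF's bit-packing and data sub-block framing are omitted. The code streams at the bottom are constructed for the example (minimum code size 2, so literals are 0..3, clear is 4 and end-of-information is 5).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LZW_MAX_CODES 4096        /* GIF LZW codes are at most 12 bits wide */
#define LZW_OK 0
#define LZW_ERR_MALFORMED (-1)    /* input references a code that is not defined */
#define LZW_ERR_OUTPUT (-2)       /* decoded data would overrun the output buffer */

/* Hypothetical decoder table; this layout is not nsGIFDecoder2's. */
typedef struct {
    uint16_t prefix[LZW_MAX_CODES]; /* code of the string without its last byte */
    uint8_t  suffix[LZW_MAX_CODES]; /* last byte of the string */
    uint8_t  first[LZW_MAX_CODES];  /* first byte of the string, for the KwKwK case */
} lzw_table;

/* Append the string for `code` to out[]. `next` is the number of codes
 * currently defined; every table index is checked against it, so a chain
 * that points into undefined entries fails instead of reading past them. */
static int emit_string(const lzw_table *t, int code, int clear, int next,
                       uint8_t *out, size_t out_cap, size_t *out_len)
{
    uint8_t stack[LZW_MAX_CODES];
    size_t depth = 0;

    while (code >= clear + 2) {              /* dictionary entry, not a literal */
        if (code >= next || depth >= sizeof stack)
            return LZW_ERR_MALFORMED;        /* undefined code or runaway chain */
        stack[depth++] = t->suffix[code];
        code = t->prefix[code];
    }
    if (code >= clear)                       /* clear/EOI never start a string */
        return LZW_ERR_MALFORMED;
    stack[depth++] = (uint8_t)code;
    if (*out_len + depth > out_cap)
        return LZW_ERR_OUTPUT;
    while (depth > 0)                        /* chain was collected back to front */
        out[(*out_len)++] = stack[--depth];
    return LZW_OK;
}

/* Decode already-unpacked LZW codes (GIF bit-unpacking omitted). Returns
 * LZW_OK or an LZW_ERR_* value; *out_len is the number of bytes written. */
int lzw_decode(const uint16_t *codes, size_t ncodes, int min_code_size,
               uint8_t *out, size_t out_cap, size_t *out_len)
{
    lzw_table t;
    int clear, next, prev = -1;

    *out_len = 0;
    if (min_code_size < 2 || min_code_size > 8)  /* GIF allows 2..8 bits */
        return LZW_ERR_MALFORMED;
    clear = 1 << min_code_size;                  /* clear = 2^n, EOI = clear + 1 */
    next = clear + 2;
    for (int c = 0; c < clear; c++) {            /* literal codes map to themselves */
        t.prefix[c] = 0;
        t.suffix[c] = t.first[c] = (uint8_t)c;
    }
    for (size_t i = 0; i < ncodes; i++) {
        int c = codes[i], r, kwkwk;
        if (c == clear) { next = clear + 2; prev = -1; continue; }
        if (c == clear + 1) break;               /* end of information */
        if (c > next)                            /* slot not defined yet: reject */
            return LZW_ERR_MALFORMED;
        kwkwk = (c == next);                     /* string(prev) + first(prev) */
        if (kwkwk) {
            if (prev < 0 || next >= LZW_MAX_CODES)
                return LZW_ERR_MALFORMED;        /* nothing to extend, or table full */
            t.prefix[next] = (uint16_t)prev;
            t.suffix[next] = t.first[prev];
            t.first[next] = t.first[prev];
            next++;
        }
        if ((r = emit_string(&t, c, clear, next, out, out_cap, out_len)) != LZW_OK)
            return r;
        if (!kwkwk && prev >= 0 && next < LZW_MAX_CODES) {  /* define prev + first(c) */
            t.prefix[next] = (uint16_t)prev;
            t.suffix[next] = t.first[c];
            t.first[next] = t.first[prev];
            next++;
        }
        prev = c;
    }
    return LZW_OK;
}

/* Constructed inputs, min code size 2 (literals 0..3, clear = 4, EOI = 5). */
static const uint16_t kAbab[] = { 4, 0, 1, 6, 8, 5 };  /* "ABABABA" with A = 0, B = 1 */
static const uint8_t  kAbabOut[] = { 0, 1, 0, 1, 0, 1, 0 };
static const uint16_t kUndef[] = { 4, 0, 9 };          /* 9 is not defined yet */
static const uint16_t kKwNoPrev[] = { 4, 6 };          /* KwKwK with no previous string */

/* Decode into a buffer of `cap` bytes (at most 16). Returns the decoded
 * length, or the negative LZW_ERR_* status; when `expect` is given the
 * output must also match it byte for byte. */
int demo(const uint16_t *codes, size_t n, size_t cap, const uint8_t *expect, size_t elen)
{
    uint8_t out[16];
    size_t len;
    int r = lzw_decode(codes, n, 2, out, cap > sizeof out ? sizeof out : cap, &len);
    if (r != LZW_OK) return r;
    if (expect && (len != elen || memcmp(out, expect, len) != 0)) return -100;
    return (int)len;
}

int main(void)
{
    printf("valid stream:        %d bytes\n", demo(kAbab, 6, 16, kAbabOut, 7));
    printf("undefined code:      %d\n", demo(kUndef, 3, 16, NULL, 0));
    printf("KwKwK without prev:  %d\n", demo(kKwNoPrev, 2, 16, NULL, 0));
    printf("buffer too small:    %d\n", demo(kAbab, 6, 4, NULL, 0));
    return 0;
}
```

The two checks that matter for this class of bug are `c > next` (a code may only reference a slot already defined, or the one about to be defined) and `code >= next` inside the chain walk; a decoder that trusts the code value as an index straight into a fixed-size table is exactly what a malformed file can steer out of bounds. The output-capacity check is the companion guard on the write side.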
Note, the patch is a local diff as I don't have cvs access today
Assignee: nobody → alfredkayser
Attachment #299130 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #299131 - Flags: superreview?(tor)
Attachment #299131 - Flags: review?(pavlov)
Attachment #299131 - Flags: approval1.9?
Attachment #299130 - Flags: superreview?(tor)
Attachment #299130 - Flags: review?(pavlov)
Comment on attachment 299130 [details] [diff] [review]
Quick fix to prevent crashes on array out of bounds

This diff seems to have some issues.
Attachment #299130 - Attachment is obsolete: false
Attachment #299131 - Flags: review?(pavlov) → review+
This evening (CET time) I will try to upload a real cvs diff
Attachment #299131 - Flags: superreview?(tor) → superreview+
Flags: blocking1.9?
Keywords: checkin-needed
Comment on attachment 299131 [details] [diff] [review]
V2: Remove the cruft from the patch file

a=beltzner for 1.9
Attachment #299131 - Flags: approval1.9? → approval1.9+
Attached patch V3: correct cvs diff version (obsolete) — Splinter Review
Attachment #299130 - Attachment is obsolete: true
Attachment #299131 - Attachment is obsolete: true
Attached patch Correct version - Splinter Review
Attachment #299246 - Attachment is obsolete: true
Can we get this image in the testsuite as well?
Flags: in-testsuite?
Flags: blocking1.9?
Flags: blocking1.9+
Priority: -- → P2
Checking in modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp;
/cvsroot/mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp,v  <--  nsGIFDecoder2.cpp
new revision: 1.96; previous revision: 1.95
done
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Keywords: checkin-needed
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M11
Depends on: 414185
So who's going to add a crashtest for this (search the tree for examples)?  Alfred?
Who can put the file of https://bugzilla.mozilla.org/attachment.cgi?id=299702 into the testsuite?
I wrote a simple reftest/crashtest for the image, but ran into a problem. See bug 414185 for details (marked blocking this one).

Alfred: Is your last attachment the same image as the first attachment in this bug?
Yes, it is. There are no other images which display the same bug.
There is another image here, that was fixed by this patch:
http://martijn.martijn.googlepages.com/200px-Rotating_earth_large.gif
But it's a bit large.
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008012704 Minefield/3.0b3pre
Status: RESOLVED → VERIFIED
Crash Signature: [@nsGIFDecoder2::DoLzw]
Attachment #299702 - Attachment is patch: false
Attachment #299702 - Attachment mime type: text/plain → image/gif