Closed Bug 1231121 Opened 9 years ago Closed 9 years ago

Crash in skia::ConvolveHorizontally_SSE2 skia::ConvolveHorizontally mozilla::image::Downscaler::CommitRow mozilla::image::nsGIFDecoder2::OutputRow mozilla::image::nsGIFDecoder2::DoLzw

Categories

(Core :: Graphics: ImageLib, defect)

defect
Not set
normal

Tracking


VERIFIED FIXED
Tracking Status
firefox42 --- unaffected
firefox43 + wontfix
firefox44 + fixed
firefox45 + fixed
firefox46 + verified
firefox-esr38 --- unaffected
firefox-esr45 --- verified
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-v2.5 --- affected
b2g-v2.2r --- unaffected
b2g-master --- affected

People

(Reporter: cbook, Assigned: seth)

References


Details

(4 keywords, Whiteboard: [gfx-noted][adv-main44+])

Attachments

(3 files)

Attached file bughunter crash stack (deleted) —
Found another crash via bughunter, reported up from mozilla-central to beta. Was able to reproduce this on a trunk m-c debug build on Windows 7 based on trunk. No idea if this is one of the known bugs, so filing.

Steps to reproduce:
Load http://www.hamienet.com/catl6950.html

skia::ConvolveHorizontally_SSE2
skia::ConvolveHorizontally
mozilla::image::Downscaler::CommitRow
mozilla::image::nsGIFDecoder2::OutputRow
mozilla::image::nsGIFDecoder2::DoLzw

One report was marked as exploitable -> high.
From irc:

6:59 <seth> I hope it's not from those patches we uplifted to fix the previous bug =(((
07:01 <seth> yeah, sounds like it might be a regression from that uplift then, but worth verifying
07:01 <seth> that would really be the thing to check
07:02 <seth> if we can confirm that we can prolly fix it quickly

..building a beta build now to confirm
(In reply to Carsten Book [:Tomcat] from comment #1)
> ..building a beta build now to confirm

Confirmed, beta build crashed too (tested on a new Mac 10.11 debug build), so I guess it's a regression.

Process:               firefox-bin [45496]
Path:                  /sheriffs/*/NightlyDebug.app/Contents/MacOS/./firefox-bin
Identifier:            org.mozilla.nightlydebug
Version:               43.0 (4315.12.8)
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           Terminal [459]
User ID:               502

Date/Time:             2015-12-08 16:45:50.026 +0100
OS Version:            Mac OS X 10.11.1 (15B42)
Report Version:        11
Anonymous UUID:        69A95C98-72C9-37AF-067D-60C64901294F

Time Awake Since Boot: 33000 seconds

System Integrity Protection: enabled

Crashed Thread:        35  ImgDecoder #5

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000

Thread 35 Crashed:: ImgDecoder #5
0   XUL                    0x00000001023fba73 mozilla::image::Downscaler::CommitRow() + 627 (Downscaler.cpp:202)
1   XUL                    0x00000001023fb797 mozilla::image::Deinterlacer::PropagatePassToDownscaler(mozilla::image::Downscaler&) + 87 (Deinterlacer.cpp:38)
2   XUL                    0x0000000102421ff9 mozilla::image::nsGIFDecoder2::OutputRow() + 761 (nsGIFDecoder2.cpp:490)
3   XUL                    0x0000000102422563 mozilla::image::nsGIFDecoder2::DoLzw(unsigned char const*) + 915 (nsGIFDecoder2.cpp:575)
4   XUL                    0x0000000102422dcd mozilla::image::nsGIFDecoder2::WriteInternal(char const*, unsigned int) + 1693 (nsGIFDecoder2.cpp:759)
5   XUL                    0x00000001023f9b53 mozilla::image::Decoder::Write(char const*, unsigned int) + 147 (Decoder.cpp:183)
6   XUL                    0x00000001023f8f34 mozilla::image::Decoder::Decode(mozilla::image::IResumable*) + 212 (Decoder.h:203)
7   XUL                    0x00000001023f8c2c mozilla::image::DecodePool::Decode(mozilla::image::Decoder*) + 28 (DecodePool.cpp:458)
8   XUL                    0x0000000102406ead mozilla::image::DecodePoolWorker::Run() + 445 (nsRefPtr.h:56)
9   XUL                    0x00000001015fec07 nsThread::ProcessNextEvent(bool, bool*) + 1479 (nsCOMPtr.h:403)
10  XUL                    0x000000010163ccf3 NS_ProcessNextEvent(nsIThread*, bool) + 51 (nsThreadUtils.cpp:277)
11  XUL                    0x00000001019dd0ff mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) + 415 (MessagePump.cpp:355)
12  XUL                    0x00000001019a707c MessageLoop::Run() + 60 (message_loop.cc:520)
13  XUL                    0x00000001015fcad5 nsThread::ThreadFunc(void*) + 357 (nsThread.cpp:381)
14  libnss3.dylib          0x00000001013356e9 _pt_root + 281 (ptthread.c:215)
15  libsystem_pthread.dylib 0x00007fff8b4b69b1 _pthread_body + 131
16  libsystem_pthread.dylib 0x00007fff8b4b692e _pthread_start + 168
17  libsystem_pthread.dylib 0x00007fff8b4b4385 thread_start + 13
Flags: needinfo?(seth)
Keywords: regression
See Bug 1229825 - AddressSanitizer: heap-buffer-overflow in mozilla::image::Deinterlacer::PropagatePassToDownscaler
Putting the assertion into a comment for search goodness...

Assertion failure: mCurrentInLine < mOriginalSize.height (Past end of input), at /builds/slave/m-cen-m64-d-000000000000000000/build/src/image/Downscaler.cpp:201
Keywords: assertion
Component: GFX: Color Management → ImageLib
Whiteboard: [gfx-noted]
Keywords: sec-high
Group: core-security → gfx-core-security
Attached file asan_log.txt (deleted) —
This has been a pain to track down because the site doesn't reliably crash every time. However, force-reloading a few times was usually enough to make a build crash if it was going to.

https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=85b3e7100079de30cf23737c9ed2a1be6da13b12&tochange=6126225bbb9311e8279825af2457790d9f4d8e66

Looks like a straight-up regression from bug 1194058. I've also verified that the site doesn't crash on ESR38.5, which would seem to bolster that.
Assignee: nobody → seth
Recent regression, sec-high, tracking for 43+. Wontfix for 43 as this isn't bad enough to drive a dot release.
After debugging this appears to be the same problem as bug 1229825. The patch in that bug fixes it for me.
Flags: needinfo?(seth)
Resolved fixed based on comment 10. Please let me know if that is not the case.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
I'm not sure. http://www.bottari.pl appears to be a problem. But I'll comment in Bug 1224200.
Group: gfx-core-security → core-security-release
Whiteboard: [gfx-noted] → [gfx-noted][adv-main44+]
Reproduced with Nightly debug from 2015-12-15, under Mac OS X 10.11.1 ⇒ “Assertion failure: mCurrentInLine < mOriginalSize.height (Past end of input), at /builds/slave/m-cen-m64-d-000000000000000000/build/src/image/Downscaler.cpp:201” (as in comment 5) is displayed via Terminal, and with Nightly from 2015-12-15, under Windows 10 64-bit, I get a crash with [@ skia::ConvolveVertically_SSE2_impl<T> ] signature [1].

Verified fixed with 46.0b11 (Build ID: 20160414152344) and esr45 tinderbox build (Build ID: 20160420001509), across platforms [2].

[1] bp-9c89a36e-1998-4d2d-ad51-847272160420
[2] Windows 10 64-bit, Mac OS X 10.11.1 and Ubuntu 14.04 64-bit
Status: RESOLVED → VERIFIED
Group: core-security-release