Closed
Bug 331284
Opened 19 years ago
Closed 19 years ago
Crash with animated GIF, XUL, and float: right
Categories
(Core :: Layout, defect)
VERIFIED
FIXED
People
(Reporter: jruderman, Unassigned)
Details
(4 keywords, Whiteboard: [sg:critical] deleted object (fixed by 282173))
Attachments
(1 file: (deleted), application/xhtml+xml)
[sg:critical] because:
* |this| is 0xdadadaNN in one of the stacks I see with the reduced testcase.
* Before reducing the testcase, I saw a random hex address at the top of the stack once or twice.
* I heard that crashes with animated GIF stuff on the stack are likely to be security holes.
Reporter
Updated•19 years ago
Whiteboard: [sg:critical]
Reporter
Comment 1•19 years ago
Reporter
Comment 2•19 years ago
This testcase causes crashes with many signatures, including:
[@ nsIFrame::Invalidate]
[@ nsStyleContext::GetStyleData]
[@ nsCachedStyleData::GetStyleData]
[@ nsImageFrame::SourceRectToDest]
[@ nsImageFrame::OnStartContainer]
Will bug 282173 fix this, like it is expected to fix bug 268575 and bug 324936?
Comment 3•19 years ago
Well, all my float crasher bugs were made dependent on bug 282173, so I guess this one should too.
Depends on: 282173
Reporter
Updated•19 years ago
Blocks: randomclasses
Reporter
Comment 4•19 years ago
2006-04-08 mac trunk build: crashes
2006-04-10 mac trunk build: does not crash
-> FIXED by BuildFloatList removal.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 5•18 years ago
This testcase also crashes FF2/ff1.5.0.x, referencing deleted objects
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?
Whiteboard: [sg:critical] → [sg:critical] deleted object (fixed by 282173)
Updated•18 years ago
Flags: blocking1.8.1? → blocking1.8.1+
Updated•18 years ago
Flags: blocking1.8.0.6? → blocking1.8.0.6+
Comment 8•18 years ago
https://bugzilla.mozilla.org/attachment.cgi?id=215842
ff2b2 no crash winxp, linux, macppc
verified fixed 1.8
Keywords: fixed1.8.1 → verified1.8.1
Updated•18 years ago
Keywords: fixed1.8.0.7 → verified1.8.0.7
Comment 9•18 years ago
verified 1.8.0.7, no crash
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060821 Firefox/1.5.0.7pre
Status: RESOLVED → VERIFIED
Updated•17 years ago
Group: security
Flags: in-testsuite?