Bug 332386: .ico favicon crashes FF [@ nsBMPDecoder::ProcessData]
Status: RESOLVED FIXED (Closed)
Opened 19 years ago
Closed 18 years ago
Categories: (Core :: Graphics, defect)
People: (Reporter: Peter6, Assigned: pavlov)
Details: (Keywords: crash, helpwanted, regression, Whiteboard: [sg:critical] 1.9+ only)
Attachments (2 files):
(deleted), image/x-icon
(deleted), patch (vlad: superreview+)
and build after
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060324 Firefox/1.6a1 ID:2006032404 [cairo]
repro:
1. Open Firefox
2. Immediately select an item from the menubar (e.g. bookmarks)
result:
Immediate crash, so bad that I can't use any build after this.
Tried in -safe-mode, fewer crashes, but it still happens
used extensions:
Adblock Plus 0.6.1.2
Console² 0.3.4
Cookie Button 0.8.5
DOM Inspector 1.9a1
JavaScript Options 1.2.4
Nightly Tester Tools 0.8b3.rev590
Tab Sidebar 2.0a1.rev543
Talkback 1.6a1
talkback server is down, so I can't check what is causing this.
TB17097400E TB17097250Z TB17096036K TB17095741Z TB17095465Q TB17095440Y TB17095023H TB17094968Z
regressionwindow:
works in 20060324 0537pst nightly build
fails in 20060325 0643pst nightly build
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&filetype=match&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-03-24+04%3A30%3A00&maxdate=2006-03-25+06%3A43%3A00&cvsroot=%2Fcvsroot
Comment 1 • 19 years ago (Reporter)
This one happens with a cairo build and if I use my current bookmarks_history.sqlite
It all works fine with a pacifica build.
a regression from Bug 331298 maybe Stuart ?
This is probably yet another win2k-only thebes issue.
Summary: crash when selecting an item from the menubar → crash when selecting bookmarks menu.
Updated • 19 years ago (Reporter)
Component: Menus → GFX: Thebes
Product: Firefox → Core
Comment 2 • 19 years ago (Reporter)
(I picked one that seems useful)
incident ID: 17095440
Stack Signature nsBMPDecoder::ProcessData 96d91016
Product ID FirefoxTrunk
Build ID 2006033005
Trigger Time 2006-03-31 09:41:27.0
Platform Win32
Operating System Windows NT 5.0 build 2195
Module firefox.exe + (000e2708)
URL visited
User Comments crash
Since Last Crash 44 sec
Total Uptime 8282 sec
Trigger Reason Access violation
Source File, Line No. c:\builds\tinderbox\fx-trunk-cairo\winnt_5.2_depend\mozilla\modules\libpr0n\decoders\bmp\nsbmpdecoder.cpp, line 244
Stack Trace
nsBMPDecoder::ProcessData nsBMPDecoder::ProcessData nsPNGDecoder::WriteFrom warning_callback g_TOKEN_Directories
imgCacheValidator::OnStartRequest nsBaseChannel::AsyncOpen nsLoadGroup::Cancel nsLoadGroup::Suspend nsInputStreamReadyEvent::nsInputStreamReadyEvent 0x778b0c24
Keywords: talkbackid
Summary: crash when selecting bookmarks menu. → crash when selecting bookmarks menu.[@ nsBMPDecoder::ProcessData]
Comment 3 • 19 years ago
I see that you have Tab Sidebar installed.
Maybe this has got something to do with bug 332453?
Comment 4 • 19 years ago (Reporter)
(In reply to comment #3)
> I see that you have Tab Sidebar installed.
> Maybe this has got something to do with bug 332453?
>
Nah, I tried with a completely new default install.
My guess is that it is one(or more) of the favicons in my main bookmarks folder
Comment 5 • 19 years ago (Reporter)
Right, I found the cause.
It was one of the icons in the bookmarks_history.sqlite
I created a new folder and moved the first 5 bookmarks in there to see which one (of about 30) caused the trouble.
After a restart I went to bookmarks ... and no crash :-)
So I went to the folder I created and found out the bookmarks I moved were lost.
The backup sqlite didn't contain these 5 bookmarks...
resolving (but not with a smile)
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Comment 6 • 19 years ago (Reporter)
Open linked url
URL: http://www.dcmr.nl/
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Summary: crash when selecting bookmarks menu.[@ nsBMPDecoder::ProcessData] → evil favicon crashes FF [@ nsBMPDecoder::ProcessData]
Comment 7 • 19 years ago (Reporter)
the favicon causing the problem with cairo builds
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20060407 Firefox/3.0a1
Happens on Linux too.
OS: Windows 2000 → All
Comment 9 • 19 years ago (Reporter)
The problem seems to be the .ico, not the way it is made
crash on http://thumper.kicks-ass.org/wordpress/chatzilla-on-xulrunner/ as well
Summary: evil favicon crashes FF [@ nsBMPDecoder::ProcessData] → .ico favicon crashes FF [@ nsBMPDecoder::ProcessData]
Updated • 18 years ago
QA Contact: menus → thebes
Updated • 18 years ago (Assignee)
Keywords: helpwanted
Comment 10 • 18 years ago
This is a heap buffer overflow (write) on nsBMPDecoder::mDecoded here:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp&rev=1.30&root=/cvsroot&mark=162-168#148
|mDecoded| was allocated 64 bytes but |alpha| is 64 and we write to cnt*4+3.
Breakpoint 1, nsBMPDecoder::ProcessData(char const*, unsigned) (this=0x89a5170, aBuffer=0x8308952 "\020", aCount=218) at nsBMPDecoder.cpp:473
473 mDecoded = (PRUint8*)calloc(mBpr, 1);
(gdb) p mBpr
$1 = 64
(gdb) c
Continuing.
Breakpoint 2, nsBMPDecoder::WriteRLERows(unsigned) (this=0x89a5170, rows=1) at nsBMPDecoder.cpp:152
152 PRUint8* pos = mAlpha;
(gdb) n
155 nsresult rv = mFrame->GetAlphaBytesPerRow(&alpha);
(gdb)
156 NS_ENSURE_SUCCESS(rv, rv);
(gdb) list
151 PRUint8 bit;
152 PRUint8* pos = mAlpha;
153
154 // First pack the alpha data
155 nsresult rv = mFrame->GetAlphaBytesPerRow(&alpha);
156 NS_ENSURE_SUCCESS(rv, rv);
157 for (cnt = 0; cnt < alpha; cnt++) {
158 PRUint8 byte = 0;
159 for (bit = 128; bit; bit >>= 1)
160 byte |= *pos++ & bit;
(gdb)
161 mAlpha[cnt] = byte;
162 #ifdef MOZ_CAIRO_GFX
163 #ifdef IS_LITTLE_ENDIAN
164 mDecoded[(cnt * 4) + 3] = byte ? 255 : 0;
165 #else
166 mDecoded[(cnt * 4)] = byte ? 255 : 0;
167 #endif
168 #endif
169 }
170
(gdb) p alpha
$2 = 64
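The size mismatch analysed in comment 10, as an added example (not code from this bug, its attached patch or the Mozilla tree): the alpha loop needs a decoded row of alpha * 4 bytes, so a 64-byte row with alpha = 64 is rejected instead of written past. The function and parameter names are hypothetical, and the bounds check is an assumed hardening, since the actual fix is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes of the decoded row the alpha loop writes: the highest index is
 * (alpha - 1) * 4 + 3, so the row must hold alpha * 4 bytes. */
size_t required_decoded_len(size_t alpha) {
    return alpha * 4;
}

/* Hypothetical hardened form of the loop in the listing (little-endian
 * branch). The loop reads 8 source bytes per packed byte and packs
 * alpha_buf in place. Returns 0 on success, -1 if a buffer is too small. */
int pack_alpha_row_checked(uint8_t *decoded, size_t decoded_len,
                           uint8_t *alpha_buf, size_t alpha_buf_len,
                           size_t alpha) {
    if (alpha > SIZE_MAX / 8)
        return -1;                          /* size arithmetic would wrap */
    if (alpha * 8 > alpha_buf_len)
        return -1;                          /* source read extent */
    if (required_decoded_len(alpha) > decoded_len)
        return -1;                          /* the case in the gdb session */

    const uint8_t *pos = alpha_buf;
    for (size_t cnt = 0; cnt < alpha; cnt++) {
        uint8_t byte = 0;
        for (uint8_t bit = 128; bit; bit >>= 1)
            byte |= *pos++ & bit;
        alpha_buf[cnt] = byte;
        decoded[cnt * 4 + 3] = byte ? 255 : 0;
    }
    return 0;
}

int main(void) {
    uint8_t src[512];                       /* constructed sample input */
    uint8_t row64[64] = {0}, row256[256] = {0};
    memset(src, 0xFF, sizeof src);
    /* Values from the gdb session: mBpr = 64, alpha = 64. */
    printf("64-byte row:  %d\n",
           pack_alpha_row_checked(row64, sizeof row64, src, sizeof src, 64));
    printf("256-byte row: %d\n",
           pack_alpha_row_checked(row256, sizeof row256, src, sizeof src, 64));
    return 0;
}
```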
Updated • 18 years ago
Flags: blocking1.9?
Comment 11 • 18 years ago
Gah! How many times are we going to keep writing buffer overflows into libpr0n decoders? That's it, no more images on the web!
Assignee: nobody → pavlov
Status: REOPENED → NEW
Flags: blocking1.8.0.8-
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
Whiteboard: [sg:critical] 1.9+ only
Comment 12 • 18 years ago (Assignee)
Attachment #235494 - Flags: superreview?(vladimir)
Attachment #235494 - Flags: review?
Comment on attachment 235494
fix?
ok?
Attachment #235494 - Flags: superreview?(vladimir) → superreview+
Updated • 18 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 19 years ago → 18 years ago
Resolution: --- → FIXED
Updated • 18 years ago
Flags: blocking1.9?
Comment 14 • 18 years ago (Reporter)
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060908 Minefield/3.0a1 ID:2006090823 [cairo]
verified on trunk
Updated • 18 years ago (Assignee)
Attachment #235494 - Flags: review?
Updated • 18 years ago
Group: security
Updated • 17 years ago
Flags: wanted1.8.1.x-
Updated • 13 years ago
Crash Signature: [@ nsBMPDecoder::ProcessData]