Closed Bug 332386 Opened 19 years ago Closed 18 years ago

.ico favicon crashes FF [@ nsBMPDecoder::ProcessData]

Categories

(Core :: Graphics, defect)

x86
All
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: Peter6, Assigned: pavlov)

Details

(Keywords: crash, helpwanted, regression, Whiteboard: [sg:critical] 1.9+ only)

Attachments

(2 files)

and build after Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060324 Firefox/1.6a1 ID:2006032404 [cairo]

repro:
1. Open Firefox
2. Immediately select an item from the menubar (eg bookmarks)

result:
Immediate crash, so bad that I can't use any build after this.
Tried in -safe-mode, less crashes, but it still happens

used extensions:
Adblock Plus 0.6.1.2
Console² 0.3.4
Cookie Button 0.8.5
DOM Inspector 1.9a1
JavaScript Options 1.2.4
Nightly Tester Tools 0.8b3.rev590
Tab Sidebar 2.0a1.rev543
Talkback 1.6a1

talkback server is down, so I can't check what is causing this.
TB17097400E TB17097250Z TB17096036K TB17095741Z TB17095465Q TB17095440Y TB17095023H TB17094968Z

regressionwindow:
works in 20060324 0537pst nightly build
fails in 20060325 0643pst nightly build
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&filetype=match&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-03-24+04%3A30%3A00&maxdate=2006-03-25+06%3A43%3A00&cvsroot=%2Fcvsroot

This one happens with a cairo build and if I use my current bookmarks_history.sqlite.
It all works fine with a pacifica build.
A regression from Bug 331298 maybe, Stuart?
This is probably yet another win2k-only thebes issue.
Summary: crash when selecting an item from the menubar → crash when selecting bookmarks menu.
Component: Menus → GFX: Thebes
Product: Firefox → Core
(I picked one that seems useful)

incident ID: 17095440
Stack Signature nsBMPDecoder::ProcessData 96d91016
Product ID FirefoxTrunk
Build ID 2006033005
Trigger Time 2006-03-31 09:41:27.0
Platform Win32
Operating System Windows NT 5.0 build 2195
Module firefox.exe + (000e2708)
URL visited
User Comments crash
Since Last Crash 44 sec
Total Uptime 8282 sec
Trigger Reason Access violation
Source File, Line No. c:\builds\tinderbox\fx-trunk-cairo\winnt_5.2_depend\mozilla\modules\libpr0n\decoders\bmp\nsbmpdecoder.cpp, line 244

Stack Trace
nsBMPDecoder::ProcessData
nsBMPDecoder::ProcessData
nsPNGDecoder::WriteFrom
warning_callback
g_TOKEN_Directories
imgCacheValidator::OnStartRequest
nsBaseChannel::AsyncOpen
nsLoadGroup::Cancel
nsLoadGroup::Suspend
nsInputStreamReadyEvent::nsInputStreamReadyEvent
0x778b0c24
Keywords: talkbackid
Summary: crash when selecting bookmarks menu. → crash when selecting bookmarks menu.[@ nsBMPDecoder::ProcessData]
I see that you have Tab Sidebar installed. Maybe this has got something to do with bug 332453?
(In reply to comment #3)
> I see that you have Tab Sidebar installed.
> Maybe this has got something to do with bug 332453?
>
Nah, I tried with a completely new default install.
My guess is that it is one (or more) of the favicons in my main bookmarks folder

Right, I found the cause. It was one of the icons in the bookmarks_history.sqlite.
I created a new folder and moved the first 5 bookmarks in there to see which one (of about 30) caused the trouble.
After a restart I went to bookmarks ... and no crash :-)
So I went to the folder I created and found out the bookmarks I moved were lost.
The backup sqlite didn't contain these 5 bookmarks...
resolving (but not with a smile)
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Open linked url
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Summary: crash when selecting bookmarks menu.[@ nsBMPDecoder::ProcessData] → evil favicon crashes FF [@ nsBMPDecoder::ProcessData]
Attached image favicon.ico (deleted)
the favicon causing the problem with cairo builds
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20060407 Firefox/3.0a1
Happens on Linux too.
OS: Windows 2000 → All
The problem seems to be the .ico, not the way it is made.
Crash on http://thumper.kicks-ass.org/wordpress/chatzilla-on-xulrunner/ as well
Summary: evil favicon crashes FF [@ nsBMPDecoder::ProcessData] → .ico favicon crashes FF [@ nsBMPDecoder::ProcessData]
QA Contact: menus → thebes
Keywords: helpwanted
This is a heap buffer overflow (write) on nsBMPDecoder::mDecoded here:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp&rev=1.30&root=/cvsroot&mark=162-168#148

|mDecoded| was allocated 64 bytes but |alpha| is 64 and we write to cnt*4+3.

Breakpoint 1, nsBMPDecoder::ProcessData(char const*, unsigned) (this=0x89a5170, aBuffer=0x8308952 "\020", aCount=218) at nsBMPDecoder.cpp:473
473         mDecoded = (PRUint8*)calloc(mBpr, 1);
(gdb) p mBpr
$1 = 64
(gdb) c
Continuing.

Breakpoint 2, nsBMPDecoder::WriteRLERows(unsigned) (this=0x89a5170, rows=1) at nsBMPDecoder.cpp:152
152       PRUint8* pos = mAlpha;
(gdb) n
155       nsresult rv = mFrame->GetAlphaBytesPerRow(&alpha);
(gdb)
156       NS_ENSURE_SUCCESS(rv, rv);
(gdb) list
151       PRUint8 bit;
152       PRUint8* pos = mAlpha;
153
154       // First pack the alpha data
155       nsresult rv = mFrame->GetAlphaBytesPerRow(&alpha);
156       NS_ENSURE_SUCCESS(rv, rv);
157       for (cnt = 0; cnt < alpha; cnt++) {
158         PRUint8 byte = 0;
159         for (bit = 128; bit; bit >>= 1)
160           byte |= *pos++ & bit;
(gdb)
161         mAlpha[cnt] = byte;
162     #ifdef MOZ_CAIRO_GFX
163     #ifdef IS_LITTLE_ENDIAN
164         mDecoded[(cnt * 4) + 3] = byte ? 255 : 0;
165     #else
166         mDecoded[(cnt * 4)] = byte ? 255 : 0;
167     #endif
168     #endif
169       }
170
(gdb) p alpha
$2 = 64
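The arithmetic in the comment above, worked through as an added C example (not Mozilla's code and not the patch attached to this bug): with a 64-byte row buffer and alpha = 64 the loop's last write lands at index 255, and a length check placed before the loop rejects the row. The function names `max_decoded_index` and `write_alpha_row` are hypothetical, only the little-endian branch (cnt*4+3) is modelled, and the input buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Highest byte index the quoted loop writes in the decoded row
 * (little-endian branch: cnt*4+3 for cnt in [0, alpha_bytes)). */
size_t max_decoded_index(size_t alpha_bytes)
{
    return alpha_bytes ? (alpha_bytes - 1) * 4 + 3 : 0;
}

/* Checked variant of the loop (hypothetical helper). Assumption: alpha holds
 * alpha_bytes*8 mask bytes, which is what the loop reads, and is packed in
 * place as in the listing. Returns 0 on success, -1 if a write would land
 * outside decoded. */
int write_alpha_row(uint8_t *decoded, size_t decoded_len,
                    uint8_t *alpha, size_t alpha_bytes)
{
    /* Reject before touching memory; dividing avoids size_t wraparound. */
    if (alpha_bytes > decoded_len / 4)
        return -1;

    const uint8_t *pos = alpha;
    for (size_t cnt = 0; cnt < alpha_bytes; cnt++) {
        uint8_t byte = 0;
        for (unsigned bit = 128; bit; bit >>= 1)
            byte |= *pos++ & bit;
        alpha[cnt] = byte;
        decoded[cnt * 4 + 3] = byte ? 255 : 0;
    }
    return 0;
}

int main(void)
{
    size_t bpr = 64, alpha_bytes = 64;           /* values from the gdb session */
    uint8_t *decoded = calloc(bpr, 1);
    uint8_t *alpha = calloc(alpha_bytes * 8, 1); /* constructed input */
    if (!decoded || !alpha)
        return 1;
    printf("row buffer: %zu bytes, highest index written: %zu\n",
           bpr, max_decoded_index(alpha_bytes));
    printf("checked write returns %d\n",
           write_alpha_row(decoded, bpr, alpha, alpha_bytes));
    free(decoded);
    free(alpha);
    return 0;
}
```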
Group: security
Severity: major → critical
Keywords: crash
Flags: blocking1.9?
Gah! how many times are we going to keep writing buffer overflows into libpr0n decoders? That's it, no more images on the web!
Assignee: nobody → pavlov
Status: REOPENED → NEW
Flags: blocking1.8.0.8-
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
Whiteboard: [sg:critical] 1.9+ only
Attached patch fix? (deleted)
Attachment #235494 - Flags: superreview?(vladimir)
Attachment #235494 - Flags: review?
Attachment #235494 - Flags: superreview?(vladimir) → superreview+
Status: NEW → RESOLVED
Closed: 19 years ago → 18 years ago
Resolution: --- → FIXED
Flags: blocking1.9?
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060908 Minefield/3.0a1 ID:2006090823 [cairo]
verified on trunk
Attachment #235494 - Flags: review?
Group: security
Flags: wanted1.8.1.x-
Crash Signature: [@ nsBMPDecoder::ProcessData]