Ken Bass Reporter
	Description • 18 years ago

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

Click the about JPEG (which is a small file, but large pixels).

Reproducible: Always

Steps to Reproduce:
1. Simply visit the URL I specified
2.
3.
Actual Results:  
Crash

Expected Results:  
Display the image or provide an error.

	Ferdinand
	Comment 1 • 18 years ago

On trunk, I see a SIGABRT come from here:
http://lxr.mozilla.org/mozilla/source/gfx/thebes/src/gfxImageSurface.cpp#46

The image is 20,000 x 20,000 pixels, and it seems to me that we're trying to allocate an unsigned char[20000 * 20000 * 4] array.

	Hermann Schwab
	Comment 3 • 18 years ago

The duped bug was about Branch, and Seamonkey, not about Trunk

Bug 375732 – Huge graphic crashes SeaMonkey, but not Firefox

I don't see that crash on Seamonkey Branch on Win98, both 1.0.8 and 1.1.1
I get the error message as it should be:
The image “http://www.danamania.com/temp/dontloadthis.jpg” cannot be displayed, because it contains errors.

	:Mook
	Comment 4 • 18 years ago

Crashes on Windows too, slightly different point.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp&rev=1.70&mark=481#454
|this| looks totally bogus (a refcount of 0x01fafbd8...) this=0x01f0ec74

What's odd is that it's caller seems to have a valid |this|:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp&rev=1.70&mark=357#350
refcount=1 this=0x01e5d3c8

I am not sure if that should be a new bug or not.  bug 293986 might also be related.

	Ryan VanderMeulen [:RyanVM]
	Comment 5 • 17 years ago

Attaching the image in question for perpetuity's sake

	Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)
	Comment 6 • 17 years ago

I'm going to guess this is related to, or perhaps a dupe of, bug 371135