Closed Bug 77328 Opened 24 years ago Closed 24 years ago

Mozilla Trunk crashes on access of the image at http://www.animax.no/pictures/anirmouse/AnirMousePro2.jpg [@ MSVCRT.DLL - nsJPEGDecoder::WriteFrom]

Categories

(Core :: Graphics: ImageLib, defect)

x86
Windows 98
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla0.9.1

People

(Reporter: baldauf--2015--bugzilla.mozilla.org, Assigned: pavlov)

References

()

Details

(Keywords: crash, topcrash, Whiteboard: [imglib])

Crash Data

Attachments

(1 file)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.8.1+) Gecko/20010422
BuildID: 2001042208
Mozilla crashes reproducibly on access of the image at http://www.animax.no/pictures/anirmouse/AnirMousePro2.jpg
Reproducible: Always
Steps to Reproduce:
1. Enter http://www.animax.no/pictures/anirmouse/AnirMousePro2.jpg into the URL bar.
2. Press return
Actual Results: Mozilla crashes (segfault)
Expected Results: Mozilla should not crash
IE 5.5 refused to load the image, Netscape Navigator 4.77 seems to display the image using one pixel for each RGB component instead of one pixel for all three RGB components.
Works for me with 2001-04-23-21 on Linux. Pavlov checked in three patches yesterday that address imglib, and I think these are likely to have fixed this bug. Xuan Baldauf, could you try a newer build and try to see if you can verify it? Also, what error message do you see in the console when mozilla crashes?
I should have mentioned that even though my build was built before Pavlov's checkin, it did have these patches applied locally.
I have retried to reproduce this bug with the newest mozilla build 2001042304, it is still reproducible. The windows stack trace is (german):
    MOZILLA verursachte einen Fehler durch eine ungültige Seite in Modul MSVCRT.DLL bei 017f:780010d9.
    Register:
    EAX=00000000 CS=017f EIP=780010d9 EFLGS=00010202
    EBX=00000000 SS=0187 ESP=0068f7e0 EBP=0068f810
    ECX=000007f4 DS=0187 ESI=027686b0 FS=615f
    EDX=00000000 ES=0187 EDI=00000000 GS=d477
    Bytes bei CS:EIP:
    f3 ab 85 d2 75 06 8b 44 24 08 5f c3 88 07 47 4a
    Stapelwerte:
    00000000 60471609 00000000 00000000 00001fd0 0004f000 027686b0 0004f000
    027686b0 0068f858 60471202 02769cd0 0068f858 604714cb fffffffe 00000000
The talkback ID for this crash is TB29545081G. I do not see any error message on any console under windows, because there is no mozilla console. How can I enable console debug under windows?
I am seeing this on winMe cvs 2001042310. Neither mine nor Xuan's build have Pavlov's patches yet, so I'll check again after compile. I thought these patches fixed crashes in linux with Gdk though.
Confirming with win2k build 20010424 (CVS debug, 10min old). Stack Trace:
    memset() line 108
    nsJPEGDecoder::OutputScanlines(int -2) line 528 + 27 bytes
    nsJPEGDecoder::WriteFrom(nsJPEGDecoder * const 0x046331d0, nsIInputStream * 0x03e7d8b8, unsigned int 13140, unsigned int * 0x0012f78c) line 395 + 10 bytes
    imgRequest::OnDataAvailable(imgRequest * const 0x0414d618, nsIRequest * 0x04619060, nsISupports * 0x00000000, nsIInputStream * 0x03e7d8b8, unsigned int 0, unsigned int 13140) line 757 + 47 bytes
    ProxyListener::OnDataAvailable(ProxyListener * const 0x03f50690, nsIRequest * 0x04619060, nsISupports * 0x00000000, nsIInputStream * 0x03e7d8b8, unsigned int 0, unsigned int 13140) line 374
    ImageListener::OnDataAvailable(ImageListener * const 0x04728a68, nsIRequest * 0x04619060, nsISupports * 0x00000000, nsIInputStream * 0x03e7d8b8, unsigned int 0, unsigned int 13140) line 201
    nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x040fca68, nsIRequest * 0x04619060, nsISupports * 0x00000000, nsIInputStream * 0x03e7d8b8, unsigned int 0, unsigned int 13140) line 259 + 46 bytes
    nsHTTPFinalListener::OnDataAvailable(nsHTTPFinalListener * const 0x040fcad0, nsIRequest * 0x04619060, nsISupports * 0x00000000, nsIInputStream * 0x03e7d8b8, unsigned int 0, unsigned int 13140) line 1170 + 46 bytes
    nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x045dcf98, nsIRequest * 0x04619060, nsISupports * 0x00000000, nsIInputStream * 0x045a4058, unsigned int 0, unsigned int 13140) line 56 + 51 bytes
    nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x045b3618, nsIRequest * 0x04717b88, nsISupports * 0x04619060, nsIInputStream * 0x045a4058, unsigned int 1460, unsigned int 13140) line 539 + 64 bytes
    nsOnDataAvailableEvent::HandleEvent() line 173 + 70 bytes
    nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x0424b1c4) line 64
    PL_HandleEvent(PLEvent * 0x0424b1c4) line 588 + 10 bytes
    PL_ProcessPendingEvents(PLEventQueue * 0x00e6ea10) line 518 + 9 bytes
    _md_EventReceiverProc(HWND__ * 0x0004075a, unsigned int 49369, unsigned int 0, long 15133200) line 1069 + 9 bytes
    USER32! 77e048dc()
    USER32! 77e04aa7()
    USER32! 77e166fd()
    nsAppShellService::Run(nsAppShellService * const 0x00e92528) line 408
    main1(int 2, char * * 0x003576c8, nsISupports * 0x00000000) line 1005 + 32 bytes
    main(int 2, char * * 0x003576c8) line 1300 + 37 bytes
    mainCRTStartup() line 338 + 17 bytes
    KERNEL32! 77e892a6()
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
changing status to [imglib]
Whiteboard: [imglib]
Color separated JPEG, 4 channels:
    Image: AnirMousePro2.jpg
    Format: JPEG (Joint Photographic Experts Group JFIF format)
    Type: color separated
    Class: DirectClass
    Geometry: 2036x3060
    Depth: 8
    Matte: False
    Colors: 179560
    Profile-iptc: 472 bytes
    Filesize: 1778kb
    Interlace: None
    Background Color: gray100
    Border Color: #dfdfdf00
    Matte Color: gray74
    Compression: JPEG
    Comment: File written by Adobe Photoshop¨ 4.0
    Signature: 4335ad3c70e992cb88aeeaf52d215d27
    Tainted: False
    User Time: 2.5u
    Elapsed Time: 0:04
    Independent JPEG Group's DJPEG, version 6b 27-Mar-1998
    Copyright (C) 1998, Thomas G. Lane
    Start of Image
    Miscellaneous marker 0xed, length 486
    Comment, length 37:
    File written by Adobe Photoshop\250 4.0\000
    Adobe APP14 marker: version 100, flags 0x0000 0x0000, transform 2
    Define Quantization Table 0 precision 0
    Define Quantization Table 1 precision 0
    Start Of Frame 0xc0: width=2036, height=3060, components=4
        Component 1: 1hx1v q=0
        Component 2: 1hx1v q=1
        Component 3: 1hx1v q=1
        Component 4: 1hx1v q=0
    Define Restart Interval 255
    Define Huffman Table 0x00
    Define Huffman Table 0x01
    Define Huffman Table 0x10
    Define Huffman Table 0x11
    Start Of Scan: 4 components
        Component 1: dc=0 ac=0
        Component 2: dc=1 ac=1
        Component 3: dc=1 ac=1
        Component 4: dc=0 ac=0
      Ss=0, Se=63, Ah=0, Al=0
Move to ImageLib component.
Assignee: mjudge → pavlov
Component: Image Conversion Library → ImageLib
*** Bug 78349 has been marked as a duplicate of this bug. ***
Adding topcrash keyword and [@ MSVCRT.DLL - nsJPEGDecoder::WriteFrom] to summary for tracking, this is one of the topcrashers showing up under the MSVCRT.DLL (MSVCRT.DLL + 0x10d9) stack signature in Talkback data. Here's a stacktrace:
    Incident ID 29595923
    MSVCRT.DLL + 0x10d9 (0x780010d9)
    nsJPEGDecoder::WriteFrom [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\jpeg\nsJPEGDecoder.cpp, line 443]
    imgRequest::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp, line 759]
    ProxyListener::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp, line 374]
    nsFileChannel::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\file\src\nsFileChannel.cpp, line 503]
    nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp, line 183]
    PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 589]
    PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 522]
    _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 1070]
    KERNEL32.DLL + 0x248f7 (0xbff848f7)
    0x00688b5a
    0x00058f64
According to today's Talkback topcrash report, the last build I see crashing with this stack is 2001042509. Can QA see if this is still a problem with the latest builds?
Keywords: topcrash
Summary: Mozilla crashes on access of the image at http://www.animax.no/pictures/anirmouse/AnirMousePro2.jpg → Mozilla Trunk crashes on access of the image at http://www.animax.no/pictures/anirmouse/AnirMousePro2.jpg [@ MSVCRT.DLL - nsJPEGDecoder::WriteFrom]
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.1
Attached patch: Patch to fix the crash (deleted)
I've filed bug 78860 on the fact that we don't display jpegs unless they have 1 or 3 components.
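As an added illustration (not the deleted patch and not Mozilla code), a C check that a triage or fuzzing harness could run ahead of a decoder: it walks the JPEG marker segments to the SOFn header and flags files whose component count falls outside the 1 or 3 that the comment above says are displayed. The function names and the sample bytes are constructed for this example; the sample's frame values are taken from the djpeg dump earlier in this bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { int width, height, components; } jpeg_frame;
enum { JPEG_OK = 0, JPEG_UNSUPPORTED = 1, JPEG_MALFORMED = -1 };

/* Constructed sample: SOI, a COM segment, then an SOF0 carrying the frame
 * values from the djpeg dump in this bug (2036x3060, 4 components). */
static const uint8_t SAMPLE[] = {
    0xFF,0xD8, 0xFF,0xFE,0x00,0x04,'h','i',
    0xFF,0xC0,0x00,0x14,0x08, 0x0B,0xF4, 0x07,0xF4, 0x04,
    1,0x11,0, 2,0x11,1, 3,0x11,1, 4,0x11,0 };

/* Walk the marker segments up to the first SOFn; bounds-check every read. */
int jpeg_read_frame(const uint8_t *p, size_t n, jpeg_frame *out)
{
    size_t i = 2;
    if (n < 4 || p[0] != 0xFF || p[1] != 0xD8) return -1;    /* no SOI */
    while (i + 4 <= n) {
        if (p[i] != 0xFF) return -1;
        uint8_t m = p[i + 1];
        if (m == 0xFF) { i++; continue; }                    /* fill byte */
        if (m == 0xDA || m == 0xD9) return -1;     /* SOS/EOI before SOF */
        size_t len = ((size_t)p[i + 2] << 8) | p[i + 3];
        if (len < 2 || i + 2 + len > n) return -1;           /* truncated */
        /* SOFn is 0xC0..0xCF except DHT (C4), JPG (C8) and DAC (CC). */
        if (m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC) {
            if (len < 8) return -1;
            out->height     = (p[i + 5] << 8) | p[i + 6];
            out->width      = (p[i + 7] << 8) | p[i + 8];
            out->components = p[i + 9];
            return 0;
        }
        i += 2 + len;
    }
    return -1;
}

/* Policy taken from the comment above: only 1 or 3 components display. */
int jpeg_triage(const uint8_t *p, size_t n)
{
    jpeg_frame f;
    if (jpeg_read_frame(p, n, &f) != 0) return JPEG_MALFORMED;
    return (f.components == 1 || f.components == 3) ? JPEG_OK : JPEG_UNSUPPORTED;
}

int main(void)
{
    printf("triage=%d\n", jpeg_triage(SAMPLE, sizeof SAMPLE));
    return 0;
}
```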
sr=tor
r=hixie
fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
*** Bug 78744 has been marked as a duplicate of this bug. ***
Can't seem to get to test file so verifying fix checked into lxr.mozilla.org
Status: RESOLVED → VERIFIED
Crash Signature: [@ MSVCRT.DLL - nsJPEGDecoder::WriteFrom]