Closed Bug 967820 Opened 11 years ago Closed 11 years ago

Faulty: crash in ImageContainer::AddRef under LayerTransactionParent::RecvUpdate

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla30

People

(Reporter: bjacob, Assigned: bjacob)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Faulty session 11 years ago Benoit Jacob [:bjacob] (mostly away) (deleted), text/plain		Details

Benoit Jacob [:bjacob] (mostly away)

Assignee

Description

•

11 years ago

Attached file Faulty session (deleted) — Details

Found by Christoph Diehl's "Faulty" fuzzer, see bug 777067

Benoit Jacob [:bjacob] (mostly away)

Assignee

Comment 1

•

11 years ago

Note: found while running css-gradients reftests

Benoit Jacob [:bjacob] (mostly away)

Assignee

Comment 2

•

11 years ago

This ImageContainer contains garbage; don't know what kind of memory corruption that is. Could be use-after-free followed by that memory being reused by something else (the refcount is not 0xa5a5a5a5). Classification: PLayerTransaction, memory corruption, hard.

Benoit Jacob [:bjacob] (mostly away)

Assignee

Updated

•

11 years ago

Depends on: PReinterpretCast

Benoit Jacob [:bjacob] (mostly away)

Assignee

Comment 3

•

11 years ago

Fixed by the landing of PLayerTransaction type checks before casting layers, bug 968833.

Assignee: nobody → bjacob

Status: NEW → RESOLVED

Closed: 11 years ago

Resolution: --- → FIXED

Ekanan Ketunuti

Updated

•

11 years ago

Target Milestone: --- → mozilla30

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Faulty: crash in ImageContainer::AddRef under LayerTransactionParent::RecvUpdate

Categories

(Core :: Graphics, defect)

Tracking

()

People

(Reporter: bjacob, Assigned: bjacob)

References

(Blocks 1 open bug)

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Updated

Comment 3

Updated

Attachment

General

Description

File Name

Content Type