Bug 140416

Summary: firefox crashes on streaming jpeg image
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Marcus Meissner <meissner>
Component: FirefoxAssignee: E-mail List <bnc-team-mozilla>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: federico, gnome-bugs
Version: Final   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: debug.log
simple testcase

Description Marcus Meissner 2005-12-20 21:25:33 UTC 
Hi,

the following code snippet (in a html file) crashes firefox.

<img src="http://www.airport-nuernberg.de/_/tools/webcam.html?_FRAME=64&refresh=0&datei=webcam-0-0.jpg">


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1445741824 (LWP 11363)]
0x55a27800 in gdk_rgb_init () from /opt/gnome/lib/libgdk-x11-2.0.so.0
(gdb) bt
#0  0x55a27800 in gdk_rgb_init () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#1  0x55a29fd8 in gdk_rgb_find_color () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#2  0x081acf0f in operator!=<char> ()
#3  0x081ada8f in operator!=<char> ()
#4  0x086d9b58 in nsCOMTypeInfo<nsIBinaryInputStream>::GetIID ()
#5  0x0820eaf5 in nsCOMPtr<nsIBidirectionalEnumerator>::nsCOMPtr ()
#6  0x083e37bc in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#7  0x083d8ad3 in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#8  0x083da5f3 in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#9  0x083e6f3a in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#10 0x083d8d9d in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#11 0x083e37bc in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#12 0x083d8ad3 in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#13 0x083da5f3 in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#14 0x083e6f3a in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#15 0x083d8d9d in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#16 0x083e37bc in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#17 0x083e2e42 in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#18 0x083e67d9 in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#19 0x083e765c in nsCOMPtr<nsIObjectInputStream>::nsCOMPtr ()
#20 0x0821559b in nsCOMPtr<nsIBidirectionalEnumerator>::nsCOMPtr ()
#21 0x08368f61 in nsCOMTypeInfo<nsICollection>::GetIID ()
#22 0x0836b89e in nsCOMTypeInfo<nsICollection>::GetIID ()
#23 0x0836eedf in nsCOMTypeInfo<nsICollection>::GetIID ()
#24 0x0836f8b5 in nsCOMTypeInfo<nsICollection>::GetIID ()
#25 0x0836fc5f in nsCOMTypeInfo<nsICollection>::GetIID ()
#26 0x08369002 in nsCOMTypeInfo<nsICollection>::GetIID ()
#27 0x081fe29b in nsCOMPtr<nsISupports>::nsCOMPtr ()
#28 0x081fa4a8 in nsCOMPtr<nsISupports>::nsCOMPtr ()
#29 0x081fa4e3 in nsCOMPtr<nsISupports>::nsCOMPtr ()
#30 0x5583fe60 in gtk_marshal_VOID__UINT_STRING () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#31 0x55b49d19 in g_closure_invoke () from /opt/gnome/lib/libgobject-2.0.so.0
#32 0x55b59816 in g_signal_stop_emission () from /opt/gnome/lib/libgobject-2.0.so.0
#33 0x55b5abee in g_signal_emit_valist () from /opt/gnome/lib/libgobject-2.0.so.0
#34 0x55b5b1f5 in g_signal_emit () from /opt/gnome/lib/libgobject-2.0.so.0
#35 0x559323b4 in gtk_widget_activate () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#36 0x5583e845 in gtk_main_do_event () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#37 0x55a313fd in gdk_window_clear_area_e () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#38 0x55a314df in gdk_window_process_all_updates () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#39 0x55a31565 in gdk_window_process_all_updates () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#40 0x55ba7941 in g_child_watch_add () from /opt/gnome/lib/libglib-2.0.so.0
#41 0x55ba535c in g_main_context_dispatch () from /opt/gnome/lib/libglib-2.0.so.0
#42 0x55ba87cb in g_main_context_check () from /opt/gnome/lib/libglib-2.0.so.0
#43 0x55ba8ae7 in g_main_loop_run () from /opt/gnome/lib/libglib-2.0.so.0
#44 0x5583d861 in gtk_main () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#45 0x081fdb1a in nsCOMPtr<nsISupports>::nsCOMPtr ()
#46 0x086f0180 in nsCOMTypeInfo<nsIBinaryInputStream>::GetIID ()
#47 0x080810db in ?? ()
#48 0x00000002 in ?? ()
#49 0xffffb834 in ?? ()
#50 0x086f88d0 in _IO_stdin_used ()
#51 0xffffb808 in ?? ()
#52 0x5611fea0 in __libc_start_main () from /lib/tls/libc.so.6
#53 0x5611fea0 in __libc_start_main () from /lib/tls/libc.so.6
#54 0x08081031 in ?? ()
(gdb) x /i $eip
0x55a27800 <gdk_rgb_init+5120>: movzbl 0x2(%edx),%eax
(gdb) print $edx
$1 = 0
(gdb) 

(sorry, debuginfo on amd64 does not really work)

also happened with 10.1 Alpha3Plus snapshot.
Comment 1 Marcus Meissner 2005-12-21 13:05:08 UTC 
Created attachment 61545 [details]
debug.log

debugging session on current autobuild state
with debuginfo and line numbers.
Comment 2 Wolfgang Rosenauer 2005-12-22 09:30:40 UTC 
Do you have an public URL where this is done?
Comment 3 Wolfgang Rosenauer 2005-12-22 09:32:43 UTC 
So it happens for you with 1.0.7 on 10.0 and 1.5 on 10.1alpha?
Comment 4 Wolfgang Rosenauer 2005-12-22 10:20:14 UTC 
hmm, upstream Firefox 1.5 doesn't crash. I don't think that our patches are to blame but maybe some gtk issue.
Comment 5 Wolfgang Rosenauer 2005-12-22 10:22:57 UTC 
Created attachment 61686 [details]
simple testcase
Comment 6 Federico Mena Quintero 2005-12-22 16:11:45 UTC 
It's a Mozilla bug.  See the bottom of the log in comment #1; mImageBits is 0.  It ends up passing "buf = 0" to gdkrgb.
Comment 7 Wolfgang Rosenauer 2005-12-22 18:23:27 UTC 
OK, do you have an idea why the upstream binary doesn't show this behaviour? Could it be because it's linked against older versions of gtk etc.?
Comment 8 Federico Mena Quintero 2005-12-22 18:59:43 UTC 
No idea.  But GTK+ is not the problem here - it is getting passed a null pointer instead of a valid buffer.

If you are testing that particular image, you could set a conditional breakpoint in gdk_draw_rgb_image_core() when rowstride==1032.  Compare the stack traces for our version and the upstream version, and see what changed.
Comment 9 Marcus Meissner 2006-02-20 15:13:01 UTC 
looks like the nsImageGTK destructor was called, but the
UpdateCachedImage() was called after that
Comment 10 Robert O'Callahan 2006-02-27 02:18:59 UTC 
I've filed upstream bug 328684:
https://bugzilla.mozilla.org/show_bug.cgi?id=328684
with a possible patch. I need some upstream feedback to be sure it's the right patch.
Comment 11 Robert O'Callahan 2006-03-02 03:29:13 UTC 
My patch was accepted upstream. We can take it for our FF1.5 releases if we want to. Whether we do or not, this is fixed.
Comment 12 Wolfgang Rosenauer 2006-03-02 05:06:28 UTC 
I have it already in my local tree, thanks ;-)
It will be submitted with next checkin for beta7