
registry team mailing list archive

[Bug 231719] Re: [MASTER] FF crash with BadAlloc on png's/images with large dimensions


Launchpad has imported 29 comments from the remote bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=390768.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2007-08-03T10:07:21+00:00 Quintenbernaert wrote:

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; nl; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; nl; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

Firefox crashes when I open a large PNG on the url
(http://apollo.sese.asu.edu/METRIC_PREVIEW/AS15-M-0081/AS15-M-0081.html).


Reproducible: Always

Steps to Reproduce:
1) Go to http://apollo.sese.asu.edu/METRIC_PREVIEW/AS15-M-0081/AS15-M-0081.html
2) Click "Large PNG, 8.8 m/p (251 MB)"
Actual Results:  
I see the first line/lines of pixels and then Firefox crashes.

Expected Results:  
Load the image.

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/0

------------------------------------------------------------------------
On 2007-08-03T10:13:11+00:00 Quintenbernaert wrote:

Firefox 3 alpha 6 says the image contains errors and it doesn't crash.

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/1

------------------------------------------------------------------------
On 2007-08-03T17:16:13+00:00 Adam Guthrie wrote:

Can you get a stacktrace for the crash?
http://kb.mozillazine.org/Talkback

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/2

------------------------------------------------------------------------
On 2007-08-04T01:49:59+00:00 Matspal wrote:

Created attachment 275211
stack

XError calls exit in response to an XCreatePixmap error...

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/3

------------------------------------------------------------------------
On 2007-08-04T01:56:17+00:00 Matspal wrote:

We have bugs filed on this, eg bug 348463 and bug 210931.

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/4

------------------------------------------------------------------------
On 2007-11-26T14:12:43+00:00 Bsb-sanger wrote:

On a mac with Firefox 2.0.0.9, I get the same behaviour. The two bugs
referenced above were reported on Linux with GTK, so I am a bit puzzled.
I attach a test-case png which always kills firefox on my mac as well as
on Linux when trying to zoom in. A stack trace is also included. The
command line spits out this:

/Applications/Firefox.app/Contents/MacOS/run-mozilla.sh: line 424:  9222
Segmentation fault      "$prog" ${1+"$@"}

Is this a bug in Apple's rendering? Safari shows the picture nicely...

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/5

------------------------------------------------------------------------
On 2007-11-26T14:15:30+00:00 Bsb-sanger wrote:

Created attachment 290214
Stack trace of Firefox 2.0.0.9 crash on Mac

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/6

------------------------------------------------------------------------
On 2007-11-26T14:16:39+00:00 Bsb-sanger wrote:

Sorry, just realized the PNG is too large to show. Try this url:

http://www.sanger.ac.uk/cgi-bin/software/analysis/logomat-m.cgi?pfamid=PF04735

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/7

------------------------------------------------------------------------
On 2007-11-26T15:46:30+00:00 Timeless-bemail wrote:

benjamin: file a new bug. this bug is *only* for Gtk. Your crash in
apple's code could either be a bug in apple's code, or a bug in some of
our mac code, but it needs to be tracked differently.

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/8

------------------------------------------------------------------------
On 2008-03-27T18:24:09+00:00 Daniel Holbert wrote:

I see this bug using Ubuntu 8.04, using FF3 and FF2, at these places:
 a) the URL in comment 7
 b) http://www.howtoforge.com
 c) attachment 310818  (a wide PNG taken from howtoforge.com)
 d) http://tech.yahoo.com/blogs/

I initially posted about this in bug 369971 comment 24 through 37, but
I'm directing further info to this bug page, because what I'm seeing is
Linux-specific and PNG-specific.

If it matters, my libgtk2.0-0 package is version 2.0-0_2.12.9-2ubuntu1

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/9

------------------------------------------------------------------------
On 2008-03-27T18:39:05+00:00 Matspal wrote:

Daniel, bug 424333 now has a patch for trunk too... does that help?

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/10

------------------------------------------------------------------------
On 2008-03-27T19:59:06+00:00 Daniel Holbert wrote:

Nope.  I tested
   attachment 310818  (evil howtoforge PNG)
along with
   attachment 310964  (gif that crashes FF, from bug 424333)
and they both still crash (though the gif takes ~5 seconds)

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/11

------------------------------------------------------------------------
On 2008-03-27T21:47:20+00:00 Daniel Holbert wrote:

Oops -- I think I was running the wrong build when I posted comment 11.

I just tested it with the patch correctly applied, and while the patch
*does* fix attachment 310964 (gif from bug 424333) on my machine, it
doesn't fix attachment 310818 or howtoforge.com or tech.yahoo.com/blogs.

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/12

------------------------------------------------------------------------
On 2008-03-27T23:55:11+00:00 Daniel Holbert wrote:

Created attachment 312155
Stack trace of Trunk crash on Linux (Ubuntu 8.04)

Here's a stack trace I caught in GDB for the linux crash on attachment
310818.

If I continue from this point, I immediately hit the _Xerror call.

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/13

------------------------------------------------------------------------
On 2008-03-28T01:09:01+00:00 Daniel Holbert wrote:

I can actually scale the howtoforge image down to 8189px wide and still
produce the crash. (but at 8188px wide, we don't crash)

Then, keeping the 8189px width, I can also scale it vertically down to
2px tall and still produce the crash.  (but at 1px, or at 2px by 8188px,
we don't crash)

So what's the significance of 8189px?  It's *almost* 2^13:
    2^13 = 8192 = 8189 + 3

So I think we're hitting some byte-count boundary, or something...

e.g. if we're hypothetically using 4 bits per pixel of width, that puts us at
    8188 * 4 = 32752 = (2^15 - 16) => no crash
    8189 * 4 = 32756 = (2^15 - 12) => crash
so we could be dealing with a signed 16-bit number (i.e. 15 bits of value) which is offset by 16 for some reason, and which is overflowing & causing the crash.

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/14

------------------------------------------------------------------------
On 2008-03-28T01:15:27+00:00 Daniel Holbert wrote:

Created attachment 312172
reduced PNG testcase (crashes firefox on some systems)

Here's a black 2px-high 8189px-wide PNG which crashes both Firefox 2 and
trunk builds.  (per my last comment)

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/15

------------------------------------------------------------------------
On 2008-03-28T01:20:18+00:00 Daniel Holbert wrote:

For convenience, here's that last testcase as a data-url:
http://preview.tinyurl.com/398gxr


Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/16
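The reduced testcase above was found by shrinking a real-world PNG until the crash stopped at 8188px and came back at 8189px. The script below is an added example for reproducing that kind of dimension bisection; it is not code from the bug thread or from Mozilla. It writes a minimal 8-bit grayscale PNG of any requested size by hand (PNG signature, IHDR, one zlib-compressed IDAT, IEND, each chunk with its CRC-32), parses the IHDR back to confirm the file is well formed before it is fed to a browser, wraps it as a data: URL, and binary-searches the smallest crashing width given a caller-supplied crash oracle. The `crashes` callable and the output file name are assumptions for illustration; in practice the oracle would launch the browser on the generated file and report whether it exited abnormally.

```python
"""Generate minimal PNGs of arbitrary dimensions for bisecting renderer
limits, along the lines of the 8189px x 2px testcase in this bug.
Added example; not code from the bug thread or from Mozilla."""
import base64
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, gray: int = 0) -> bytes:
    """Return an 8-bit grayscale PNG of width x height filled with `gray`.

    Only the PNG spec's own dimension limit (2^31-1) is enforced, so the
    caller can deliberately produce images wider than a renderer's pixmap
    limit, which is the whole point of a bisection testcase.
    """
    if not (1 <= width <= 0x7FFFFFFF and 1 <= height <= 0x7FFFFFFF):
        raise ValueError("PNG dimensions must be in 1..2^31-1")
    if not 0 <= gray <= 255:
        raise ValueError("gray must be a byte value")
    # IHDR: width, height, bit depth 8, colour type 0 (grayscale),
    # compression method 0, filter method 0, no interlace.
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Every scanline is prefixed with filter-type byte 0 ("None").
    scanline = b"\x00" + bytes([gray]) * width
    idat = zlib.compress(scanline * height, 9)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b""))


def png_dimensions(data: bytes) -> tuple:
    """Return (width, height) from a PNG's IHDR, checking the signature,
    chunk layout and CRC so a corrupt testcase is rejected up front."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG: bad signature")
    length, = struct.unpack(">I", data[8:12])
    ctype = data[12:16]
    body = data[16:16 + length]
    crc, = struct.unpack(">I", data[16 + length:20 + length])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height = struct.unpack(">II", body[:8])
    return width, height


def png_data_url(data: bytes) -> str:
    """Wrap PNG bytes in a data: URL, as was done for the reduced testcase."""
    return "data:image/png;base64," + base64.b64encode(data).decode("ascii")


def bisect_width(height: int, good: int, bad: int, crashes) -> int:
    """Binary-search the smallest width in (good, bad] for which `crashes`
    (a hypothetical callable taking PNG bytes and returning True on a
    crash) fires. `good` must be a known non-crashing width and `bad` a
    known crashing one; the crash behaviour is assumed monotonic in width."""
    while bad - good > 1:
        mid = (good + bad) // 2
        if crashes(make_png(mid, height)):
            bad = mid
        else:
            good = mid
    return bad


if __name__ == "__main__":
    # Reproduce the shape of the reduced testcase: black, 8189 x 2.
    png = make_png(8189, 2)
    with open("wide-8189x2.png", "wb") as fh:  # assumed output name
        fh.write(png)
    print(png_dimensions(png), len(png), "bytes")
```

Because `png_dimensions` validates the IHDR CRC, a generator bug shows up as a parse error on your own machine rather than as a mysterious "image contains errors" in the browser, which keeps the bisection honest: every file handed to the oracle is a structurally valid PNG whose only unusual property is its dimensions.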

------------------------------------------------------------------------
On 2008-03-28T01:21:08+00:00 Daniel Holbert wrote:

Requesting blocking1.9, as this affects trunk (along with branch) and
seems fairly serious.

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/17

------------------------------------------------------------------------
On 2008-03-28T04:06:15+00:00 Daniel Holbert wrote:

Comment on attachment 312172
reduced PNG testcase (crashes firefox on some systems)

On my laptop, which is also running Ubuntu 8.04, I only get the crash
with the URL from comment 7 -- not with the reduced testcase, the
howtoforge.com site, or the tech.yahoo.com/blogs site.

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/18

------------------------------------------------------------------------
On 2008-04-01T21:17:08+00:00 Vladimir Vukicevic wrote:

Swapping this based on roc's comments -- it's not a regression, but we
should fix it at some point.

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/19

------------------------------------------------------------------------
On 2008-07-06T03:03:39+00:00 Tonglebeak wrote:

*** Bug 436833 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/53

------------------------------------------------------------------------
On 2008-07-06T03:09:21+00:00 Tonglebeak wrote:

*** Bug 436037 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/54

------------------------------------------------------------------------
On 2008-07-23T10:36:49+00:00 alain.tuor wrote:

same issue with www.directnet.com (quite critical, it's for Credit Suisse
online banking)


Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/55

------------------------------------------------------------------------
On 2008-07-28T18:27:34+00:00 Stransky wrote:

*** Bug 448276 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/56

------------------------------------------------------------------------
On 2008-07-28T19:01:43+00:00 Stransky wrote:

In 1.8, it's handled here:

nsresult nsImageGTK::Init(PRInt32 aWidth, PRInt32 aHeight,
                          PRInt32 aDepth, nsMaskRequirements aMaskRequirements)
{

  [snip]

  // X Protocol limits us to image dimensions less than 32767
  // unless we want to go through lots of pain and suffering.
  if (aWidth > SHRT_MAX || aHeight > SHRT_MAX)
    return NS_ERROR_FAILURE;

  [snip]

}

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/57

------------------------------------------------------------------------
On 2008-07-31T16:27:42+00:00 Matti-mversen wrote:

*** Bug 448653 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/58

------------------------------------------------------------------------
On 2009-06-05T18:49:24+00:00 Matspal wrote:

The patch in attachment 381814 in bug 424333 fixes this bug (and duplicates)
for me.

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/59

------------------------------------------------------------------------
On 2009-08-18T23:37:20+00:00 Jst wrote:

Should this bug be closed then, or is there something still remaining
here?

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/60

------------------------------------------------------------------------
On 2009-08-19T01:18:29+00:00 Matspal wrote:

Nothing remaining here besides the issues in bug 424333 as far as I
know.

*** This bug has been marked as a duplicate of bug 424333 ***

Reply at: https://bugs.launchpad.net/firefox/+bug/231719/comments/61


** Changed in: firefox
       Status: Invalid => Unknown

** Changed in: firefox
   Importance: Unknown => Critical

-- 
[MASTER] FF crash with BadAlloc on png's/images with large dimensions
https://bugs.launchpad.net/bugs/231719
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for Debian.