Bug#591512: Same bug upstream in seamonkey 2.0.6

BERTRAND Joel joel.bertrand at systella.fr
Wed Aug 4 15:39:03 UTC 2010


	Hello,

	I have reproduced the same bug with seamonkey 2.0.6. The backtrace is:

Core was generated by 
`/export/home/bertrand/seamonkey/install/lib/seamonkey-2.0.6/seamonkey-bin'.
Program terminated with signal 10, Bus error.
#0  read_tag_XYZType (src=0xff8687b8, index=..., tag_id=1918392666)
     at ../../../../comm-1.9.1/mozilla/gfx/qcms/iccread.c:322
322                     if (type != XYZ_TYPE)
(gdb) bt
#0  read_tag_XYZType (src=0xff8687b8, index=..., tag_id=1918392666)
     at ../../../../comm-1.9.1/mozilla/gfx/qcms/iccread.c:322
#1  0xf581455c in qcms_profile_from_memory (mem=<value optimized out>,
     size=7261) at ../../../../comm-1.9.1/mozilla/gfx/qcms/iccread.c:707
#2  0xf5803a28 in nsJPEGDecoder::ProcessData (this=0xeaa77800,
     data=0xeae68004 
"\2*5*h*\233*\317+\2+6+i+\235+\321,\5,9,n,\242,\327-\f-A-v-\253-\341.\26.L.\202.\267.\356/$/Z/\221/\307/\376\60\65\60l0\244\60\333\61\22\61J1\202\61\272\61\362\62*2c2\233\62\324\63\r3F3\177\63\270\63\361\64+4e4\236\64\330\65\23\65M5\207\65\302\65\375\66\67\66r6\256\66\351\67$7`7\234\67\327\70\24\70P8\214\70\310\71\5\71B9\177\71\274\71\371:6:t:\262:\357;-;k;\252;\350<'<e<\244<\343=\"=a=\241=\340> 
 >`>\240>\340?!?a?\242?\342@#@d@"...,
     count=<value optimized out>, writeCount=0xff8689b4)
     at 
../../../../../../comm-1.9.1/mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp:344

#3  0xf5803c64 in ReadDataOut (in=0xeab4b6a8, closure=0xeaa77800,
     fromRawSegment=0xeae68004 
"\2*5*h*\233*\317+\2+6+i+\235+\321,\5,9,n,\242,\327-\f-A-v-\253-\341.\26.L.\202.\267.\356/$/Z/\221/\307/\376\60\65\60l0\244\60\333\61\22\61J1\202\61\272\61\362\62*2c2\233\62\324\63\r3F3\177\63\270\63\361\64+4e4\236\64\330\65\23\65M5\207\65\302\65\375\66\67\66r6\256\66\351\67$7`7\234\67\327\70\24\70P8\214\70\310\71\5\71B9\177\71\274\71\371:6:t:\262:\357;-;k;\252;\350<'<e<\244<\343=\"=a=\241=\340> 
 >`>\240>\340?!?a?\242?\342@#@d@"...,
     toOffset=4096, count=4096, writeCount=0xff8689b4)
     at 
../../../../../../comm-1.9.1/mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp:253
#4  0xf7de17dc in nsInputStreamTee::WriteSegmentFun (in=0xeab4b6a8,
     closure=0xeab4ee80,
     fromSegment=0xeae68004 
"\2*5*h*\233*\317+\2+6+i+\235+\321,\5,9,n,\242,\327-\f-A-v-\253-\341.\26.L.\202.\267.\356/$/Z/\221/\307/\376\60\65\60l0\244\60\333\61\22\61J1\202\61\272\61\362\62*2c2\233\62\324\63\r3F3\177\63\270\63\361\64+4e4\236\64\330\65\23\65M5\207\65\302\65\375\66\67\66r6\256\66\351\67$7`7\234\67\327\70\24\70P8\214\70\310\71\5\71B9\177\71\274\71\371:6:t:\262:\357;-;k;\252;\350<'<e<\244<\343=\"=a=\241=\340> 
 >`>\240>\340?!?a?\242?\342@#@d@"..., offset=4096,
     count=4096, writeCount=0xff8689b4)
     at ../../../../comm-1.9.1/mozilla/xpcom/io/nsInputStreamTee.cpp:102
#5  0xf7de5354 in nsPipeInputStream::ReadSegments (this=0xeab4b6a8,
     writer=0xf7de17b4 
<nsInputStreamTee::WriteSegmentFun(nsIInputStream*, void*, char const*, 
unsigned int, unsigned int, unsigned int*)>, closure=0xeab4ee80,
     count=6562, readCount=0xff868c14)
     at ../../../../comm-1.9.1/mozilla/xpcom/io/nsPipe3.cpp:799
#6  0xf7de1620 in nsInputStreamTee::ReadSegments (this=0xeab4ee80,
     writer=0xf5803c4c <ReadDataOut>, closure=0xeaa77800, count=6562,
     bytesRead=0xff868c14)
     at ../../../../comm-1.9.1/mozilla/xpcom/io/nsInputStreamTee.cpp:156
#7  0xf5802d48 in nsJPEGDecoder::WriteFrom (this=0xeaa77800, 
inStr=0xeab4ee80,
     count=10658, writeCount=0xff868c14)
     at 
../../../../../../comm-1.9.1/mozilla/modules/libpr0n/decoders/jpeg/nsJPEGDecoder.cpp:271
#8  0xf57fbb94 in imgRequest::OnDataAvailable (this=0xeab4b600,
     aRequest=0xead8650c, ctxt=0x0, inStr=0xeab4ee80, sourceOffset=0,
     count=10658)
     at 
../../../../../comm-1.9.1/mozilla/modules/libpr0n/src/imgRequest.cpp:995
#9  0xf57f66ec in ProxyListener::OnDataAvailable (this=0xf5bf2ed0,
     aRequest=0xead8650c, ctxt=0x0, inStr=0xeab4ee80, sourceOffset=0,
     count=10658)
     at 
../../../../../comm-1.9.1/mozilla/modules/libpr0n/src/imgLoader.cpp:1603
#10 0xf5944f50 in nsStreamListenerTee::OnDataAvailable (this=0xeab4e7e0,
     request=0xead8650c, context=0x0, input=0xeab4b6a8, offset=0, 
count=10658)
     at 
../../../../../comm-1.9.1/mozilla/netwerk/base/src/nsStreamListenerTee.cpp:97
#11 0xf599b63c in nsHttpChannel::OnDataAvailable (this=0xead864e0,
     request=0xead7c750, ctxt=0x0, input=0xeab4b6a8, offset=0, count=10658)
     at 
../../../../../../comm-1.9.1/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp:5047
#12 0xf592b6a4 in nsInputStreamPump::OnStateTransfer (this=0xead7c750)
     at 
../../../../../comm-1.9.1/mozilla/netwerk/base/src/nsInputStreamPump.cpp:508
#13 0xf592b86c in nsInputStreamPump::OnInputStreamReady (this=0xead7c750,
     stream=0xeab4b6a8)
     at 
../../../../../comm-1.9.1/mozilla/netwerk/base/src/nsInputStreamPump.cpp:398
#14 0xf7de62a0 in nsInputStreamReadyEvent::Run (this=0xead9e600)
     at ../../../../comm-1.9.1/mozilla/xpcom/io/nsStreamUtils.cpp:111
#15 0xf7dfc6f4 in nsThread::ProcessNextEvent (this=0xf667ef20, mayWait=1,
     result=0xff868ffc)
     at ../../../../comm-1.9.1/mozilla/xpcom/threads/nsThread.cpp:521
#16 0xf7dc5da4 in NS_ProcessNextEvent_P (thread=0xf667ef20, mayWait=1)
     at nsThreadUtils.cpp:247
#17 0xf4ef41e0 in nsBaseAppShell::Run (this=0xf2288570)
     at 
../../../../../comm-1.9.1/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:170
#18 0xf419cc2c in nsAppStartup::Run (this=0xf21485f0)
     at 
../../../../../../comm-1.9.1/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:193
#19 0xf7e6ede8 in XRE_main (argc=<value optimized out>,
     argv=<value optimized out>, aAppData=<value optimized out>)
     at ../../../../comm-1.9.1/mozilla/toolkit/xre/nsAppRunner.cpp:3321
#20 0x000116cc in main (argc=1, argv=0xff8696a4)
     at ../../../comm-1.9.1/suite/app/nsSuiteApp.cpp:103
Current language:  auto; currently c
(gdb)

The faulty subroutine is:

/* ICC tag data-type signatures.  Each is a four-character code packed into a
 * 32-bit value, most-significant byte first: 0x58595a20 is 'X','Y','Z',' '.
 * read_tag_XYZType() compares XYZ_TYPE against the word read_u32() returns
 * for the first 4 bytes of a tag's data block. */
#define XYZ_TYPE   0x58595a20 // 'XYZ '
#define CURVE_TYPE 0x63757276 // 'curv'
#define LUT16_TYPE 0x6d667432 // 'mft2'
#define LUT8_TYPE  0x6d667431 // 'mft1'

static struct XYZNumber read_tag_XYZType(struct mem_source *src, struct tag_index index, uint32_t tag_id)
{
     /* Decode the XYZType tag `tag_id` of the profile held in `src`.
      *
      * The tag is looked up in `index`.  If it is absent, "missing xyztag" is
      * reported through invalid_source() and an all-zero XYZNumber is returned.
      * If it is present, the 4-byte type signature at the tag's offset is
      * compared with XYZ_TYPE and a mismatch is reported the same way; there is
      * no early return on mismatch, so X, Y and Z are still read as
      * s15Fixed16 values from offset+8, +12 and +16 (the ICC XYZType layout
      * puts 4 reserved bytes between the signature and the numbers).
      *
      * tag->offset is not range-checked here; presumably read_u32() and
      * read_s15Fixed16Number() validate it against src's size -- confirm in
      * their definitions.  Whether invalid_source() aborts or only flags src
      * as bad is decided there, not in this function.
      */
     struct XYZNumber num = {0};
     struct tag *tag = find_tag(index, tag_id);

     if (!tag) {
         invalid_source(src, "missing xyztag");
         return num;
     }

     const uint32_t base = tag->offset;

     if (read_u32(src, base) != XYZ_TYPE) {
         invalid_source(src, "unexpected type, expected XYZ");
     }

     num.X = read_s15Fixed16Number(src, base + 8);
     num.Y = read_s15Fixed16Number(src, base + 12);
     num.Z = read_s15Fixed16Number(src, base + 16);

     return num;
}

I don't understand why `type` or the `#define` value would be misaligned.

	Regards,

	JKB




