[Webkit-unassigned] [Bug 117832] New: [Win] Crash when scrolling page with images.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 20 06:27:58 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=117832

           Summary: [Win] Crash when scrolling page with images.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://http://www.apple.com/apple-events/june-2013/
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: peavo at outlook.com


I sometimes get a crash when scrolling pages with gif images.

The crash happens at line 226 in WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp (buffer.setRGBA(currentAddress, ...)), because currentAddress points to an invalid address (close to 0x0).
The address is invalid because the m_bytes member of the local variable buffer (type ImageFrame) is NULL, and currentAddress is an offset of the m_bytes value.

Here is the stack:

>	WebKit.dll!WebCore::GIFImageDecoder::haveDecodedRow(unsigned int frameIndex, const WTF::Vector<unsigned char,0,WTF::CrashOnOverflow> & rowBuffer, unsigned int width, unsigned int rowNumber, unsigned int repeatCount, bool writeTransparentPixels)  Line 226 + 0x27 bytes	C++
     WebKit.dll!GIFLZWContext::outputRow()  Line 152 + 0x2e bytes    C++
     WebKit.dll!GIFLZWContext::doLZW(const unsigned char * block, unsigned int bytesInBlock)  Line 306 + 0x7 bytes    C++
     WebKit.dll!GIFFrameContext::decode(const unsigned char * data, unsigned int length, WebCore::GIFImageDecoder * client, bool * frameDecoded)  Line 340 + 0x11 bytes    C++
     WebKit.dll!GIFImageReader::decode(WebCore::GIFImageDecoder::GIFQuery query, unsigned int haltAtFrame)  Line 371 + 0x27 bytes    C++
     WebKit.dll!WebCore::GIFImageDecoder::decode(unsigned int haltAtFrame, WebCore::GIFImageDecoder::GIFQuery query)  Line 333 + 0x11 bytes    C++
     WebKit.dll!WebCore::GIFImageDecoder::frameBufferAtIndex(unsigned int index)  Line 125    C++
     WebKit.dll!WebCore::ImageSource::createFrameAtIndex(unsigned int index)  Line 144 + 0xb bytes    C++
     WebKit.dll!WebCore::BitmapImage::cacheFrame(unsigned int index)  Line 137 + 0x21 bytes    C++
     WebKit.dll!WebCore::BitmapImage::frameIsCompleteAtIndex(unsigned int index)  Line 310    C++
     WebKit.dll!WebCore::BitmapImage::startAnimation(bool catchUpIfNecessary)  Line 452 + 0x17 bytes    C++
     WebKit.dll!WebCore::BitmapImage::draw(WebCore::GraphicsContext * context, const WebCore::FloatRect & dst, const WebCore::FloatRect & src, WebCore::ColorSpace styleColorSpace, WebCore::CompositeOperator op, WebCore::BlendMode blendMode, WebCore::RespectImageOrientationEnum shouldRespectImageOrientation)  Line 80    C++
     WebKit.dll!WebCore::BitmapImage::draw(WebCore::GraphicsContext * context, const WebCore::FloatRect & dst, const WebCore::FloatRect & src, WebCore::ColorSpace styleColorSpace, WebCore::CompositeOperator op, WebCore::BlendMode blendMode)  Line 70    C++
     WebKit.dll!WebCore::Image::drawTiled(WebCore::GraphicsContext * ctxt, const WebCore::FloatRect & destRect, const WebCore::FloatPoint & srcPoint, const WebCore::FloatSize & scaledTileSize, WebCore::ColorSpace styleColorSpace, WebCore::CompositeOperator op, WebCore::BlendMode blendMode)  Line 128 + 0x64 bytes    C++
     WebKit.dll!WebCore::GraphicsContext::drawTiledImage(WebCore::Image * image, WebCore::ColorSpace styleColorSpace, const WebCore::IntRect & destRect, const WebCore::IntPoint & srcPoint, const WebCore::IntSize & tileSize, WebCore::CompositeOperator op, bool useLowQualityScale, WebCore::BlendMode blendMode)  Line 532 + 0x44 bytes    C++
     WebKit.dll!WebCore::RenderBoxModelObject::paintFillLayerExtended(const WebCore::PaintInfo & paintInfo, const WebCore::Color & color, const WebCore::FillLayer * bgLayer, const WebCore::LayoutRect & rect, WebCore::BackgroundBleedAvoidance bleedAvoidance, WebCore::InlineFlowBox * box, const WebCore::LayoutSize & boxSize, WebCore::CompositeOperator op, WebCore::RenderObject * backgroundObject)  Line 988    C++
     WebKit.dll!WebCore::RenderBox::paintFillLayers(const WebCore::PaintInfo & paintInfo, const WebCore::Color & c, const WebCore::FillLayer * fillLayer, const WebCore::LayoutRect & rect, WebCore::BackgroundBleedAvoidance bleedAvoidance, WebCore::CompositeOperator op, WebCore::RenderObject * backgroundObject)  Line 1390 + 0x32 bytes    C++
     WebKit.dll!WebCore::RenderBox::paintBackground(const WebCore::PaintInfo & paintInfo, const WebCore::LayoutRect & paintRect, WebCore::BackgroundBleedAvoidance bleedAvoidance)  Line 1140 + 0x2d bytes    C++
     WebKit.dll!WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset)  Line 1117    C++
     WebKit.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset)  Line 3233    C++
     WebKit.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset)  Line 2973    C++
     WebKit.dll!WebCore::RenderLayer::paintBackgroundForFragments(const WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow> & layerFragments, WebCore::GraphicsContext * context, WebCore::GraphicsContext * transparencyLayerContext, const WebCore::LayoutRect & transparencyPaintDirtyRect, bool haveTransparency, const WebCore::RenderLayer::LayerPaintingInfo & localPaintingInfo, unsigned int paintBehavior, WebCore::RenderObject * subtreePaintRootForRenderer)  Line 4176    C++
     WebKit.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags)  Line 3931 + 0x33 bytes    C++
     WebKit.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags)  Line 3701 + 0x13 bytes    C++
     WebKit.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags)  Line 3684    C++
     WebKit.dll!WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer *,0,WTF::CrashOnOverflow> * list, WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags)  Line 4028    C++
     WebKit.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags)  Line 3955    C++
     WebKit.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags)  Line 3701 + 0x13 bytes    C++
     WebKit.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags)  Line 3684    C++
     WebKit.dll!WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer *,0,WTF::CrashOnOverflow> * list, WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags)  Line 4028    C++
     WebKit.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags)  Line 3955    C++
     WebKit.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags)  Line 3701 + 0x13 bytes    C++
     WebKit.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags)  Line 3684    C++
     WebKit.dll!WebCore::RenderLayer::paint(WebCore::GraphicsContext * context, const WebCore::LayoutRect & damageRect, unsigned int paintBehavior, WebCore::RenderObject * subtreePaintRoot, WebCore::RenderRegion * region, unsigned int paintFlags)  Line 3496    C++
     WebKit.dll!WebCore::FrameView::paintContents(WebCore::GraphicsContext * p, const WebCore::IntRect & rect)  Line 3552    C++
     WebKit.dll!WebCore::ScrollView::paint(WebCore::GraphicsContext * context, const WebCore::IntRect & rect)  Line 1095    C++
     WebKit.dll!WebView::paintIntoBackingStore(WebCore::FrameView * frameView, HDC__ * bitmapDC, const WebCore::IntRect & dirtyRect, WebView::WindowsToPaint windowsToPaint)  Line 1185    C++
     WebKit.dll!WebView::updateBackingStore(WebCore::FrameView * frameView, HDC__ * dc, bool backingStoreCompletelyDirty, WebView::WindowsToPaint windowsToPaint)  Line 1015 + 0x14 bytes    C++
     WebKit.dll!WebView::scrollBackingStore(WebCore::FrameView * frameView, int dx, int dy, const WebCore::IntRect & scrollViewRect, const WebCore::IntRect & clipRect)  Line 918    C++
     WebKit.dll!WebChromeClient::scroll(const WebCore::IntSize & delta, const WebCore::IntRect & scrollViewRect, const WebCore::IntRect & clipRect)  Line 485 + 0x35 bytes    C++
     WebKit.dll!WebCore::Chrome::scroll(const WebCore::IntSize & scrollDelta, const WebCore::IntRect & rectToScroll, const WebCore::IntRect & clipRect)  Line 100    C++
     WebKit.dll!WebCore::FrameView::scrollContentsFastPath(const WebCore::IntSize & scrollDelta, const WebCore::IntRect & rectToScroll, const WebCore::IntRect & clipRect)  Line 1722    C++
     WebKit.dll!WebCore::ScrollView::scrollContents(const WebCore::IntSize & scrollDelta)  Line 686 + 0x2a bytes    C++
     WebKit.dll!WebCore::ScrollView::scrollTo(const WebCore::IntSize & newOffset)  Line 394    C++
     WebKit.dll!WebCore::FrameView::scrollTo(const WebCore::IntSize & newOffset)  Line 3021    C++
     WebKit.dll!WebCore::ScrollView::setScrollOffset(const WebCore::IntPoint & offset)  Line 373 + 0x15 bytes    C++
     WebKit.dll!WebCore::ScrollableArea::scrollPositionChanged(const WebCore::IntPoint & position)  Line 147    C++
     WebKit.dll!WebCore::ScrollableArea::setScrollOffsetFromAnimation(const WebCore::IntPoint & offset)  Line 190 + 0x8 bytes    C++
     WebKit.dll!WebCore::ScrollAnimator::notifyPositionChanged(const WebCore::FloatSize & delta)  Line 142 + 0x22 bytes    C++
     WebKit.dll!WebCore::ScrollAnimator::scroll(WebCore::ScrollbarOrientation orientation, WebCore::ScrollGranularity __formal, float step, float multiplier)  Line 71 + 0x28 bytes    C++
     WebKit.dll!WebCore::ScrollAnimator::handleWheelEvent(const WebCore::PlatformWheelEvent & e)  Line 112 + 0x1f bytes    C++
     WebKit.dll!WebCore::ScrollableArea::handleWheelEvent(const WebCore::PlatformWheelEvent & wheelEvent)  Line 176 + 0x4a bytes    C++
     WebKit.dll!WebCore::FrameView::wheelEvent(const WebCore::PlatformWheelEvent & wheelEvent)  Line 4084 + 0xc bytes    C++
     WebKit.dll!WebCore::EventHandler::handleWheelEvent(const WebCore::PlatformWheelEvent & e)  Line 2472 + 0x10 bytes    C++
     WebKit.dll!WebView::mouseWheel(unsigned int wParam, long lParam, bool isMouseHWheel)  Line 1762    C++
     WebKit.dll!WebView::WebViewWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam)  Line 2233    C++

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list