UNCONFIRMED 115623
Crash in Image Decoder due to large gifs 
https://bugs.webkit.org/show_bug.cgi?id=115623
Summary Crash in Image Decoder due to large gifs
gordon
Reported 2013-05-05 23:11:02 PDT
It crashes while playing with the browser for a while, with the following back trace: #0 0x7a61730c in setRGBA (a=255, b=<optimized out>, g=<optimized out>, r=255, dest=<optimized out>, this=<optimized out>) at /home/cswei/project/playbook/webkit/Source/WebCore/platform/image-decoders/ImageDecoder.h:197 #1 WebCore::GIFImageDecoder::haveDecodedRow (this=0x7dd6d940, frameIndex=<optimized out>, rowBuffer=..., width=<optimized out>, rowNumber=0, repeatCount=1, writeTransparentPixels=false) at webkit/Source/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp:236 It is because the decoded GIF size > 5M.
Attachments
The decoded GIF size > 5M, reserve the initialized frame, when the current frame is the last frame (1.22 MB, patch)
2013-05-05 23:46 PDT, gordon 		kling: review-
kling: commit-queue-
DetailsFormatted DiffDiff
The decoded GIF size > 5M, reserve the initialized frame (1.22 MB, patch)
2013-05-06 20:40 PDT, gordon 		no flags
DetailsFormatted DiffDiff
The decoded GIF size > 5M, reserve the initialized frame (1.22 MB, patch)
2013-05-07 19:12 PDT, gordon 		benjamin: review-
benjamin: commit-queue-
DetailsFormatted DiffDiff
If the decoded GIF size > 5M, preserve the re-initialized frame (1.92 MB, patch)
2013-05-08 03:34 PDT, gordon 		no flags
DetailsFormatted DiffDiff
If the decoded GIF size > 5M, preserve the frame data. (2.90 KB, patch)
2013-05-09 20:53 PDT, gordon 		no flags
DetailsFormatted DiffDiff
If the decoded GIF size > 5M, preserve the frame data. (2.93 KB, patch)
2013-05-10 03:57 PDT, gordon 		no flags
DetailsFormatted DiffDiff
If the decoded GIF size > 5M, preserve the frame data. (2.93 KB, patch)
2013-05-10 03:58 PDT, gordon 		benjamin: review-
benjamin: commit-queue-
DetailsFormatted DiffDiff
If the decoded GIF size > 5M, preserve the re-initialized frame (1.92 MB, patch)
2013-05-12 19:14 PDT, gordon 		beidson: review-
DetailsFormatted DiffDiff
Show Obsolete (7) View All Add attachment proposed patch, testcase, etc.
gordon
Comment 1 2013-05-05 23:46:14 PDT
Created attachment 200606 [details] The decoded GIF size > 5M, reserve the initialized frame, when the current frame is the last frame
Andreas Kling
Comment 2 2013-05-06 06:41:55 PDT
Comment on attachment 200606 [details] The decoded GIF size > 5M, reserve the initialized frame, when the current frame is the last frame View in context: https://bugs.webkit.org/attachment.cgi?id=200606&action=review > Source/WebCore/ChangeLog:8 > + Crash in Image Decoder due to large gifs > + https://bugs.webkit.org/show_bug.cgi?id=115623 > + > + Reviewed by NOBODY (OOPS!). > + > + Test: fast/images/animated-large-image-crash.html You need to explain what the bug is, and why you are fixing it this way.
gordon
Comment 3 2013-05-06 20:40:47 PDT
Created attachment 200867 [details] The decoded GIF size > 5M, reserve the initialized frame
gordon
Comment 4 2013-05-07 19:12:05 PDT
Created attachment 201016 [details] The decoded GIF size > 5M, reserve the initialized frame
Benjamin Poulain
Comment 5 2013-05-07 20:33:21 PDT
Comment on attachment 201016 [details] The decoded GIF size > 5M, reserve the initialized frame View in context: https://bugs.webkit.org/attachment.cgi?id=201016&action=review > LayoutTests/ChangeLog:12 > + If the decoded GIF is larger than 5M, > + we clear the the frame buffer except the current and after frame. > + However, if the current frame is the last frame of the GIF, > + and the first frame has been re-initialized for next time, > + then should not clear first frame, it should be reserved. This does not explain the test. Especially since it will decode either only the first frame or no frame at all. > LayoutTests/ChangeLog:16 > + * fast/images/resources/gif-large.gif: Added. Do you own the rights on this? Better create a new test image yourself. > Source/WebCore/ChangeLog:13 > + If the decoded GIF is larger than 5M, > + we clear the the frame buffer except the current and after frame. > + However, if the current frame is the last frame of the GIF, > + and the first frame has been re-initialized for next time, > + then should not clear first frame, it should be reserved. > + Test: fast/images/animated-large-image-crash.html This does not explain the reason of the crash. > Source/WebCore/platform/image-decoders/gif/GIFImageReader.h:270 > + > + size_t currentFrame() const > + { > + return m_currentDecodingFrame; > + } > + Why do you suddenly expose this publicly?
gordon
Comment 6 2013-05-08 03:34:54 PDT
Created attachment 201051 [details] If the decoded GIF size > 5M, preserve the re-initialized frame Thank you for your comments。 > + Why do you suddenly expose this publicly? I use it to calculate how many frames have been re-initialized, so it should be public.
Rob Buis
Comment 7 2013-05-09 08:27:17 PDT
Comment on attachment 201051 [details] If the decoded GIF size > 5M, preserve the re-initialized frame View in context: https://bugs.webkit.org/attachment.cgi?id=201051&action=review > Source/WebCore/ChangeLog:4 > + https://bugs.webkit.org/show_bug.cgi?id=115623 Is there a PR? Can you try to get an internal review first?
Rob Buis
Comment 8 2013-05-09 08:29:01 PDT
(In reply to comment #7) > (From update of attachment 201051 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=201051&action=review > > > Source/WebCore/ChangeLog:4 > > + https://bugs.webkit.org/show_bug.cgi?id=115623 > > Is there a PR? Can you try to get an internal review first? Nm, I saw that Benjamin already reviewed it, so you still have to address his issues. I'd also still like to know if there is a PR since that is valuable information if we look at he landed commit a few months later.
gordon
Comment 9 2013-05-09 19:56:42 PDT
Thank you. PR:328689
gordon
Comment 10 2013-05-09 20:53:46 PDT
Created attachment 201317 [details] If the decoded GIF size > 5M, preserve the frame data. Crash in Image Decoder on Master_41 due to gifs.
gordon
Comment 11 2013-05-10 03:57:45 PDT
Created attachment 201331 [details] If the decoded GIF size > 5M, preserve the frame data. Crash in Image Decoder on Master_41 due to gifs.
gordon
Comment 12 2013-05-10 03:58:59 PDT
Created attachment 201332 [details] If the decoded GIF size > 5M, preserve the frame data. Crash in Image Decoder on Master_41 due to gifs.
Benjamin Poulain
Comment 13 2013-05-10 23:48:32 PDT
Comment on attachment 201332 [details] If the decoded GIF size > 5M, preserve the frame data. You should put back the test, this should be tested. My concern about your previous test was just about the rights. You can just create your own animated gif to solve that.
gordon
Comment 14 2013-05-11 21:41:36 PDT
Sorry, I can't upload this test. Because it will block other build, such as QT. This patch just fix the BlackBerry, because the previous patch has been "r-"
gordon
Comment 15 2013-05-12 19:14:46 PDT
Created attachment 201519 [details] If the decoded GIF size > 5M, preserve the re-initialized frame > + Why do you suddenly expose this publicly? I use it to calculate how many frames have been re-initialized, so it should be public.
Charles Wei
Comment 16 2013-05-13 17:42:17 PDT
+Benjamin, Brent to raise the awareness for review.
Alexey Proskuryakov
Comment 17 2013-10-30 09:31:51 PDT
(In reply to comment #14) > Sorry, I can't upload this test. Because it will block other build, such as QT. A test can be skipped on other ports by adding an entry to TestExpectations file.
cand
Comment 18 2014-06-13 09:36:32 PDT
I confirm this bug on r169702, on Google's homepage no less! I also confirm that gosun's last patch (I only applied the gif/* parts, as the assert change in ImageDecoder would conflict with a cairo patch) fixes it. This is just sad that a serious bug like this can stay open for over a year.
Brady Eidson
Comment 19 2016-05-16 22:43:00 PDT
Comment on attachment 201519 [details] If the decoded GIF size > 5M, preserve the re-initialized frame Patch no longer applies to trunk. If this is still an issue, needs a new patch.
Note You need to log in before you can comment on or make changes to this bug.