Bug 13529

Summary: swf-mozilla will crash firefox when access www.tudou.com
Product: swfdec
Reporter: Zhengpeng Hou <zhengpeng.hou>
Component: plugin
Assignee: swfdec ml <swfdec>
Status: RESOLVED FIXED
QA Contact: swfdec ml <swfdec>
Severity: normal
Priority: medium
Version: unspecified
Hardware: x86 (IA32)
OS: Linux (All)

Description Zhengpeng Hou 2007-12-04 22:26:44 UTC
swfdec-0.5.4 will crash Firefox when accessing www.tudou.com, a video-sharing
website from China.

The output from the terminal:
[freeflying@localhost files]$ firefox
OIL: ERROR liboiltest.c 403: oil_test_check_impl(): function
sad8x8_8xn_u8_psadbw in class sad8x8_8xn_u8 failed check (246609 > 0) ||
(outside=0)
Unsupported movie property style with value ""
Unsupported movie property id with value "playerObject"
Unsupported movie property name with value "playerObject"
Unsupported movie property quality with value "high"
Unsupported movie property allowfullscreen with value "true"
Unsupported movie property allowscriptaccess with value "always"
unhandled event 19
Loading stream: http://www.tudou.com/static/bin/player_071130.swf
Unsupported movie property wmode with value "opaque"
Unsupported movie property allowfullscreen with value "true"
unhandled event 19
Loading stream:
http://www.tudou.com/static/bin/frontpage_player.swf?iid=11994270
SWFDEC: ERROR: swfdec_image.c(125): tag_func_define_bits_jpeg: No global JPEG
tables available
SWFDEC: ERROR: swfdec_image.c(125): tag_func_define_bits_jpeg: No global JPEG
tables available
SWFDEC: ERROR: swfdec_sprite_movie.c(288): swfdec_sprite_movie_perform_place:
using non-implemented clip events 1024
Loading stream: http://www.tudou.com/player/v.php?id=12018990&1196833313
Loading stream:
http://adcontrol.tudou.com/adcontrol/adcontrol?itemId=12018990&juid=ajuqua00lb2&channelId=3&sourceId=11000&rand=65773286
Loading stream: http://img01.p2v.tudou.com/poster/2007/10/1195119657155.jpg
Loading stream: http://img01.p2v.tudou.com/poster/2007/8/1188800828662.jpg
Loading stream: http://adplay.tudou.com/adcontrol/adplay?75227976
Loading stream: http://img01.p2v.tudou.com/poster/2007/8/1188800828662.jpg

(gecko:7307): Swfdec-CRITICAL **: swfdec_buffer_queue_pull: assertion `length >
0' failed
0c5d68d7-78d3-e664-7bc7d99e-44dec256 is dumped

OS information:
Linux localhost 2.6.22.9-desktop586-2mdv #1 SMP Fri Nov 16 14:02:33 EST 2007 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz GNU/Linux
firefox:
mozilla-firefox-2.0.0.8-1mdv2008.0
swfdec:
libswfdec0.5-0.5.4-1mdv2008.0
swfdec-0.5.4-1mdv2008.0
swfdec-mozilla-0.5.4-1mdv2008.0

Comment 1 Riccardo Magliocchetti 2007-12-09 08:44:20 UTC
Managed to get the same trace with git ddc4d3c38d035cfa50fc37580e15fa34b5c1755b with this url: http://make.blip.tv/?utm_source=featured&utm_medium=featured


Loading stream: http://panther2.video.blip.tv/Make-MakeASecretCompartmentBook616.jpg

(gecko:3663): Swfdec-CRITICAL **: swfdec_buffer_queue_pull: assertion `length > 0' failed

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb70fe8d0 (LWP 3663)]
swfdec_resource_loader_target_parse (target=0x140d6c60, loader=0x1452cc80)
    at swfdec_resource.c:288
---Type <return> to continue, or q <return> to quit---
288	      parsed += buffer->length;
(gdb) 
(gdb) bt full
#0  swfdec_resource_loader_target_parse (target=0x140d6c60, loader=0x1452cc80)
    at swfdec_resource.c:288
	resource = (SwfdecResource *) 0x140d6c60
	buffer = (SwfdecBuffer *) 0x0
	dec = (SwfdecDecoder *) 0x11f594b8
	status = SWFDEC_STATUS_OK
	parsed = 65536
	__PRETTY_FUNCTION__ = "swfdec_resource_loader_target_parse"
#1  0xad40be61 in swfdec_loader_target_parse (target=0x140d6c60, 
    loader=0x1452cc80) at swfdec_loadertarget.c:105
	__PRETTY_FUNCTION__ = "swfdec_loader_target_parse"
#2  0xad40a64e in swfdec_loader_process (loaderp=0x1452cc80, unused=0x0)
    at swfdec_loader.c:234
	__PRETTY_FUNCTION__ = "swfdec_loader_process"
#3  0xad41d087 in swfdec_player_perform_external_actions (player=0xa7ba8c0)
    at swfdec_player.c:502
	i = 1
	__PRETTY_FUNCTION__ = "swfdec_player_perform_external_actions"
#4  0xad41f760 in swfdec_player_iterate (timeout=0xa7baa74)
    at swfdec_player.c:1264
	player = (SwfdecPlayer *) 0xa7ba8c0
	walk = <value optimized out>
	__PRETTY_FUNCTION__ = "swfdec_player_iterate"
---Type <return> to continue, or q <return> to quit---
#5  0xad41e091 in swfdec_player_do_advance (player=0xa7ba8c0, msecs=20, 
    audio_samples=0) at swfdec_player.c:1335
	timeout = (SwfdecTimeout *) 0xa7baa74
	target_time = 3863526912
	frames_now = 882
	__PRETTY_FUNCTION__ = "swfdec_player_do_advance"
#6  0xad44219d in swfdec_marshal_VOID__ULONG_UINT (closure=0xb074c20, 
    return_value=0x0, n_param_values=3, param_values=0xbfca4fd4, 
    invocation_hint=0xbfca4edc, marshal_data=0xad41de20)
    at swfdec_marshal.c:285
	data1 = (gpointer) 0xa7ba8c0
	data2 = <value optimized out>
	__PRETTY_FUNCTION__ = "swfdec_marshal_VOID__ULONG_UINT"
#7  0xb75d9f39 in ?? () from /usr/lib/libgobject-2.0.so.0

Comment 2 Benjamin Otte 2007-12-10 02:25:04 UTC
This bug was triggered by loading images greater than 65536 bytes.
It's fixed as of git 2834170dc1d8acbae5ae5a32653b34f88952167e.
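
Added illustration, not swfdec's code and not the fix from the commit named above: a simplified C model of the failure pattern in Comment 1's trace, where a pull guarded by a `length > 0` precondition returns NULL and the caller then reads `buffer->length`. The names `Queue`, `queue_pull` and `parse`, the loop shape and the 65536-byte per-call budget are assumptions chosen to reproduce the traced values (`buffer = 0x0`, `parsed = 65536`).

```c
#include <stddef.h>
#include <stdio.h>
#define BUDGET 65536u /* assumed per-call limit; matches parsed = 65536 in the trace */
typedef struct { size_t available; } Queue;   /* bytes waiting in the queue */
typedef struct { size_t length; } Buffer;
typedef enum { PARSE_OK, PARSE_NULL_BUFFER } ParseResult;

/* Precondition guard in the style of GLib's g_return_val_if_fail(): a failed
 * check logs a CRITICAL message and returns NULL; the process keeps running. */
static Buffer *queue_pull(Queue *q, size_t length, Buffer *out)
{
    if (length == 0) {
        fprintf(stderr, "CRITICAL: queue_pull: assertion 'length > 0' failed\n");
        return NULL;
    }
    if (length > q->available)
        return NULL;
    q->available -= length;
    out->length = length;
    return out;
}

/* Drain the queue, asking for at most the budget left in this call.
 * guard_budget = 0 models the crashing loop, 1 the hardened one. */
static ParseResult parse(Queue *q, size_t *parsed, int guard_budget)
{
    Buffer storage, *buffer;
    *parsed = 0;
    while (q->available > 0) {
        size_t want = BUDGET - *parsed;
        if (want > q->available)
            want = q->available;
        if (guard_budget && want == 0)
            break; /* budget spent: leave the rest for the next call */
        buffer = queue_pull(q, want, &storage);
        if (buffer == NULL)
            return PARSE_NULL_BUFFER; /* the traced code read buffer->length here */
        *parsed += buffer->length;
    }
    return PARSE_OK;
}

int main(void)
{
    Queue q = { 70000 }; /* constructed size, larger than 65536 */
    size_t parsed;
    ParseResult r = parse(&q, &parsed, 0);
    printf("unguarded: result=%d parsed=%zu\n", (int) r, parsed);
    return r == PARSE_NULL_BUFFER ? 0 : 1;
}
```

In this model exactly 65536 queued bytes pass the unguarded loop, while any larger input reaches the zero-length pull, which is consistent with the threshold given in Comment 2.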
