
Issue metadata

Status: Fixed
Owner:
Closed: Feb 2009
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Issue 6062: Chrome: Crash Report - Stack Signature: WebCore::GIFImageDecoder::haveDecodedRow

Reported by mberkowitz@chromium.org, Jan 7 2009 Project Member

Issue description

The full crash report details can be found at:

http://go/crash-staging/reportview?product=Chromium&version=2.0.156.0-7582&signature=WebCore%3A%3AGIFImageDecoder%3A%3AhaveDecodedRow(unsigned+int%2Cunsigned+char+*%2Cunsigned+char+*%2Cunsigned+int%2Cunsigned+int%2Cbool)-2AE3DD3

Meta information:

Files 	Download minidump
Client ID: 	lIjrmgkae1N+dnLrP8GmPPzUC4M=
(Show all crashes by this client for this version)
Report Time (UTC): 	2009/01/06 06:22:27, Tue
(Show all crashes by this date for this version)
Uptime: 	48 sec
User Comments: 	ChromeBot: build=buildbot_7582_ext,
url=http://www.buienradar.nl/, proxy=2,
full_dump=http://go/chromebot/dump?build=buildbot_7582_ext&id=626da8d1-0c33-43d3-b990-9123766a2ed6-full
Product Name: 	Chromium
Product Version: 	2.0.156.0-7582
OS Name: 	Windows NT
OS Version: 	5.1.2600 Service Pack 2
CPU Architecture: 	x86
CPU Info: 	GenuineIntel family 6 model 3 stepping 3
rept: 	crash svc
ptype: 	renderer
plat: 	Win32

Stack Trace:

0x02c93cee 	[chrome.dll 	- gifimagedecoder.cpp:380] 
WebCore::GIFImageDecoder::haveDecodedRow(unsigned int,unsigned char
*,unsigned char *,unsigned int,unsigned int,bool)
0x02c940fc 	[chrome.dll 	- gifimagereader.cpp:163] 
GIFImageReader::output_row()
0x02c943f6 	[chrome.dll 	- gifimagereader.cpp:351] 
GIFImageReader::do_lzw(unsigned char const *)
0x02c94575 	[chrome.dll 	- gifimagereader.cpp:441] 
GIFImageReader::read(unsigned char const *,unsigned
int,WebCore::GIFImageDecoder::GIFQuery,unsigned int)
0x02c9367e 	[chrome.dll 	- gifimagedecoder.cpp:227] 
WebCore::GIFImageDecoder::decode(WebCore::GIFImageDecoder::GIFQuery,unsigned int)
0x02c9377c 	[chrome.dll 	- gifimagedecoder.cpp:183] 
WebCore::GIFImageDecoder::frameBufferAtIndex(unsigned int)
0x02a44dca 	[chrome.dll 	- imagesourceskia.cpp:178] 
WebCore::ImageSource::createFrameAtIndex(unsigned int)
0x02a495dc 	[chrome.dll 	- bitmapimage.cpp:126] 
WebCore::BitmapImage::cacheFrame(unsigned int)
0x02a49777 	[chrome.dll 	- bitmapimage.cpp:222] 
WebCore::BitmapImage::frameIsCompleteAtIndex(unsigned int)
0x02a498dd 	[chrome.dll 	- bitmapimage.cpp:292] 
WebCore::BitmapImage::startAnimation(bool)
0x02b471f3 	[chrome.dll 	- imageskia.cpp:436] 
WebCore::BitmapImage::draw(WebCore::GraphicsContext *,WebCore::FloatRect
const &,WebCore::FloatRect const &,WebCore::CompositeOperator)
0x02a8e6da 	[chrome.dll 	- graphicscontext.cpp:429] 
WebCore::GraphicsContext::drawImage(WebCore::Image *,WebCore::FloatRect
const &,WebCore::FloatRect const &,WebCore::CompositeOperator,bool)
0x02a8e839 	[chrome.dll 	- graphicscontext.cpp:291] 
WebCore::GraphicsContext::drawImage(WebCore::Image *,WebCore::IntRect const
&,WebCore::CompositeOperator,bool)
0x02af97a3 	[chrome.dll 	- renderimage.cpp:409] 
WebCore::RenderImage::paintReplaced(WebCore::RenderObject::PaintInfo &,int,int)
0x02b8c187 	[chrome.dll 	- renderreplaced.cpp:140] 
WebCore::RenderReplaced::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b6be93 	[chrome.dll 	- inlinebox.cpp:154] 
WebCore::InlineBox::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02bd25a3 	[chrome.dll 	- inlineflowbox.cpp:663] 
WebCore::InlineFlowBox::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b92ae8 	[chrome.dll 	- rootinlinebox.cpp:179] 
WebCore::RootInlineBox::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b87590 	[chrome.dll 	- renderflow.cpp:434] 
WebCore::RenderFlow::paintLines(WebCore::RenderObject::PaintInfo &,int,int)
0x02b12387 	[chrome.dll 	- renderblock.cpp:1603] 
WebCore::RenderBlock::paintContents(WebCore::RenderObject::PaintInfo &,int,int)
0x02b172ac 	[chrome.dll 	- renderblock.cpp:1693] 
WebCore::RenderBlock::paintObject(WebCore::RenderObject::PaintInfo &,int,int)
0x02b0eeef 	[chrome.dll 	- renderblock.cpp:1517] 
WebCore::RenderBlock::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b0d7e8 	[chrome.dll 	- renderblock.cpp:1757] 
WebCore::RenderBlock::paintFloats(WebCore::RenderObject::PaintInfo
&,int,int,bool)
0x02b17328 	[chrome.dll 	- renderblock.cpp:1707] 
WebCore::RenderBlock::paintObject(WebCore::RenderObject::PaintInfo &,int,int)
0x02b7dc0a 	[chrome.dll 	- rendertablecell.cpp:649] 
WebCore::RenderTableCell::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b8000d 	[chrome.dll 	- rendertablesection.cpp:970] 
WebCore::RenderTableSection::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02ab038d 	[chrome.dll 	- rendertable.cpp:482] 
WebCore::RenderTable::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b105ad 	[chrome.dll 	- renderblock.cpp:1629] 
WebCore::RenderBlock::paintChildren(WebCore::RenderObject::PaintInfo &,int,int)
0x02b12391 	[chrome.dll 	- renderblock.cpp:1605] 
WebCore::RenderBlock::paintContents(WebCore::RenderObject::PaintInfo &,int,int)
0x02b172ac 	[chrome.dll 	- renderblock.cpp:1693] 
WebCore::RenderBlock::paintObject(WebCore::RenderObject::PaintInfo &,int,int)
0x02b0eeef 	[chrome.dll 	- renderblock.cpp:1517] 
WebCore::RenderBlock::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b105ad 	[chrome.dll 	- renderblock.cpp:1629] 
WebCore::RenderBlock::paintChildren(WebCore::RenderObject::PaintInfo &,int,int)
0x02b12391 	[chrome.dll 	- renderblock.cpp:1605] 
WebCore::RenderBlock::paintContents(WebCore::RenderObject::PaintInfo &,int,int)
0x02b172ac 	[chrome.dll 	- renderblock.cpp:1693] 
WebCore::RenderBlock::paintObject(WebCore::RenderObject::PaintInfo &,int,int)
0x02b0eeef 	[chrome.dll 	- renderblock.cpp:1517] 
WebCore::RenderBlock::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b105ad 	[chrome.dll 	- renderblock.cpp:1629] 
WebCore::RenderBlock::paintChildren(WebCore::RenderObject::PaintInfo &,int,int)
0x02b12391 	[chrome.dll 	- renderblock.cpp:1605] 
WebCore::RenderBlock::paintContents(WebCore::RenderObject::PaintInfo &,int,int)
0x02b172ac 	[chrome.dll 	- renderblock.cpp:1693] 
WebCore::RenderBlock::paintObject(WebCore::RenderObject::PaintInfo &,int,int)
0x02b7dc0a 	[chrome.dll 	- rendertablecell.cpp:649] 
WebCore::RenderTableCell::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b8000d 	[chrome.dll 	- rendertablesection.cpp:970] 
WebCore::RenderTableSection::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02ab038d 	[chrome.dll 	- rendertable.cpp:482] 
WebCore::RenderTable::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b105ad 	[chrome.dll 	- renderblock.cpp:1629] 
WebCore::RenderBlock::paintChildren(WebCore::RenderObject::PaintInfo &,int,int)
0x02b12391 	[chrome.dll 	- renderblock.cpp:1605] 
WebCore::RenderBlock::paintContents(WebCore::RenderObject::PaintInfo &,int,int)
0x02b172ac 	[chrome.dll 	- renderblock.cpp:1693] 
WebCore::RenderBlock::paintObject(WebCore::RenderObject::PaintInfo &,int,int)
0x02b7dc0a 	[chrome.dll 	- rendertablecell.cpp:649] 
WebCore::RenderTableCell::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b8000d 	[chrome.dll 	- rendertablesection.cpp:970] 
WebCore::RenderTableSection::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02ab038d 	[chrome.dll 	- rendertable.cpp:482] 
WebCore::RenderTable::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b105ad 	[chrome.dll 	- renderblock.cpp:1629] 
WebCore::RenderBlock::paintChildren(WebCore::RenderObject::PaintInfo &,int,int)
0x02b12391 	[chrome.dll 	- renderblock.cpp:1605] 
WebCore::RenderBlock::paintContents(WebCore::RenderObject::PaintInfo &,int,int)
0x02b172ac 	[chrome.dll 	- renderblock.cpp:1693] 
WebCore::RenderBlock::paintObject(WebCore::RenderObject::PaintInfo &,int,int)
0x02b7dc0a 	[chrome.dll 	- rendertablecell.cpp:649] 
WebCore::RenderTableCell::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b8000d 	[chrome.dll 	- rendertablesection.cpp:970] 
WebCore::RenderTableSection::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02ab038d 	[chrome.dll 	- rendertable.cpp:482] 
WebCore::RenderTable::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b105ad 	[chrome.dll 	- renderblock.cpp:1629] 
WebCore::RenderBlock::paintChildren(WebCore::RenderObject::PaintInfo &,int,int)
0x02b12391 	[chrome.dll 	- renderblock.cpp:1605] 
WebCore::RenderBlock::paintContents(WebCore::RenderObject::PaintInfo &,int,int)
0x02b172ac 	[chrome.dll 	- renderblock.cpp:1693] 
WebCore::RenderBlock::paintObject(WebCore::RenderObject::PaintInfo &,int,int)
0x02b7dc0a 	[chrome.dll 	- rendertablecell.cpp:649] 
WebCore::RenderTableCell::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b8000d 	[chrome.dll 	- rendertablesection.cpp:970] 
WebCore::RenderTableSection::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02ab038d 	[chrome.dll 	- rendertable.cpp:482] 
WebCore::RenderTable::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b105ad 	[chrome.dll 	- renderblock.cpp:1629] 
WebCore::RenderBlock::paintChildren(WebCore::RenderObject::PaintInfo &,int,int)
0x02b12391 	[chrome.dll 	- renderblock.cpp:1605] 
WebCore::RenderBlock::paintContents(WebCore::RenderObject::PaintInfo &,int,int)
0x02b172ac 	[chrome.dll 	- renderblock.cpp:1693] 
WebCore::RenderBlock::paintObject(WebCore::RenderObject::PaintInfo &,int,int)
0x02b0eeef 	[chrome.dll 	- renderblock.cpp:1517] 
WebCore::RenderBlock::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b105ad 	[chrome.dll 	- renderblock.cpp:1629] 
WebCore::RenderBlock::paintChildren(WebCore::RenderObject::PaintInfo &,int,int)
0x02b12391 	[chrome.dll 	- renderblock.cpp:1605] 
WebCore::RenderBlock::paintContents(WebCore::RenderObject::PaintInfo &,int,int)
0x02b172ac 	[chrome.dll 	- renderblock.cpp:1693] 
WebCore::RenderBlock::paintObject(WebCore::RenderObject::PaintInfo &,int,int)
0x02b0eeef 	[chrome.dll 	- renderblock.cpp:1517] 
WebCore::RenderBlock::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02b105ad 	[chrome.dll 	- renderblock.cpp:1629] 
WebCore::RenderBlock::paintChildren(WebCore::RenderObject::PaintInfo &,int,int)
0x02b12391 	[chrome.dll 	- renderblock.cpp:1605] 
WebCore::RenderBlock::paintContents(WebCore::RenderObject::PaintInfo &,int,int)
0x02b172ac 	[chrome.dll 	- renderblock.cpp:1693] 
WebCore::RenderBlock::paintObject(WebCore::RenderObject::PaintInfo &,int,int)
0x02b0eeef 	[chrome.dll 	- renderblock.cpp:1517] 
WebCore::RenderBlock::paint(WebCore::RenderObject::PaintInfo &,int,int)
0x02a968d2 	[chrome.dll 	- renderlayer.cpp:1785] 
WebCore::RenderLayer::paintLayer(WebCore::RenderLayer
*,WebCore::GraphicsContext *,WebCore::IntRect const
&,bool,WebCore::PaintRestriction,WebCore::RenderObject *,bool,bool)
0x02a96a51 	[chrome.dll 	- renderlayer.cpp:1812] 
WebCore::RenderLayer::paintLayer(WebCore::RenderLayer
*,WebCore::GraphicsContext *,WebCore::IntRect const
&,bool,WebCore::PaintRestriction,WebCore::RenderObject *,bool,bool)
0x02a971ce 	[chrome.dll 	- renderlayer.cpp:1623] 
WebCore::RenderLayer::paint(WebCore::GraphicsContext *,WebCore::IntRect
const &,WebCore::PaintRestriction,WebCore::RenderObject *)
0x02a70b15 	[chrome.dll 	- frameview.cpp:1232] 
WebCore::FrameView::paintContents(WebCore::GraphicsContext
*,WebCore::IntRect const &)
0x02a42bf8 	[chrome.dll 	- scrollview.cpp:684] 
WebCore::ScrollView::paint(WebCore::GraphicsContext *,WebCore::IntRect const &)
0x027f891b 	[chrome.dll 	- webframe_impl.cc:1440] 
WebFrameImpl::Paint(skia::PlatformCanvasWin *,gfx::Rect const &)
0x02733a37 	[chrome.dll 	- render_widget.cc:366] 
RenderWidget::PaintRect(gfx::Rect const &,base::SharedMemory *)
0x02735ab7 	[chrome.dll 	- render_widget.cc:408] 
RenderWidget::DoDeferredPaint()
0x02736353 	[chrome.dll 	- render_widget.cc:297] 
RenderWidget::OnPaintRectAck()
0x02733788 	[chrome.dll 	- ipc_message.h:125] 
IPC::Message::Dispatch<RenderWidget>(IPC::Message const *,RenderWidget
*,void ( RenderWidget::*)(void))
0x0273643e 	[chrome.dll 	- render_widget.cc:157] 
RenderWidget::OnMessageReceived(IPC::Message const &)
0x027312e3 	[chrome.dll 	- render_view.cc:400] 
RenderView::OnMessageReceived(IPC::Message const &)
0x02702ec3 	[chrome.dll 	- message_router.cc:39] 
MessageRouter::RouteMessage(IPC::Message const &)
0x02702e7f 	[chrome.dll 	- message_router.cc:30] 
MessageRouter::OnMessageReceived(IPC::Message const &)
0x02723a34 	[chrome.dll 	- render_thread.cc:174] 
RenderThread::OnMessageReceived(IPC::Message const &)
0x0261a316 	[chrome.dll 	- task.h:312] 
RunnableMethod<CancelableRequest<CallbackRunner<Tuple2<int,SkBitmap *> >
>,void ( CancelableRequest<CallbackRunner<Tuple2<int,SkBitmap *> >
>::*)(Tuple2<int,SkBitmap *> const &),Tuple1<Tuple2<int,SkBitmap *> > >::Run()
0x024127cf 	[chrome.dll 	- message_loop.cc:308] 	MessageLoop::RunTask(Task *)
0x02413329 	[chrome.dll 	- message_loop.cc:408] 	MessageLoop::DoWork()
0x02427f90 	[chrome.dll 	- message_pump_default.cc:50] 
base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x02412ea6 	[chrome.dll 	- message_loop.cc:197] 	MessageLoop::RunInternal()
0x0241303f 	[chrome.dll 	- message_loop.cc:180] 	MessageLoop::RunHandler()
0x024138dc 	[chrome.dll 	- message_loop.cc:154] 	MessageLoop::Run()
0x02997d39 	[chrome.dll 	- thread.cc:153] 	base::Thread::ThreadMain()
0x0241b81c 	[chrome.dll 	- platform_thread_win.cc:26] 	`anonymous
namespace'::ThreadFunc(void *)
0x7c80b682 	[kernel32.dll 	+ 0x0000b682] 	BaseThreadStart
 

Comment 1 by cpu@chromium.org, Jan 7 2009

Comment 2 by cpu@chromium.org, Jan 7 2009

Labels: Security

Comment 3 by abarth@chromium.org, Jan 8 2009

Labels: private
I presume cpu meant to set the "private" flag too.

Comment 4 by venkataramana@chromium.org, Jan 12 2009

Issue 6270 has been merged into this issue.

Comment 5 by venkataramana@chromium.org, Jan 12 2009

Stack Analysis for this crash
#############################

00c7d7f8 0155cf50 000000ea 000000ea 000000ff
chrome_1000000!WebCore::RGBA32Buffer::setRGBA+0x86
[c:\b\slave\chrome-official\build\src\webkit\port\platform\image-decoders\imagedecoder.h
@ 202]
00c7d838 0155ea82 0242bbf8 00b35178 00b3539e
chrome_1000000!WebCore::GIFImageDecoder::haveDecodedRow+0x130
[c:\b\slave\chrome-official\build\src\webkit\port\platform\image-decoders\gif\gifimagedecoder.cpp
@ 380]
00c7d86c 0155ed03 00b3a3e0 00000001 024b5468
chrome_1000000!GIFImageReader::output_row+0xc8
[c:\b\slave\chrome-official\build\src\webkit\port\platform\image-decoders\gif\gifimagereader.cpp
@ 167]
00c7d8c0 0155ee64 00b3a3e0 024b54a0 021688e8
chrome_1000000!GIFImageReader::do_lzw+0x217
[c:\b\slave\chrome-official\build\src\webkit\port\platform\image-decoders\gif\gifimagereader.cpp
@ 351]
00c7d8f4 0155c970 00b3a3e0 024b5566 0003ced8 chrome_1000000!GIFImageReader::read+0xd0
[c:\b\slave\chrome-official\build\src\webkit\port\platform\image-decoders\gif\gifimagereader.cpp
@ 441]
00c7d90c 0155cb8c 00000000 00000003 02265de0
chrome_1000000!WebCore::GIFImageDecoderPrivate::decode+0x26
[c:\b\slave\chrome-official\build\src\webkit\port\platform\image-decoders\gif\gifimagedecoder.cpp
@ 53]
00c7d920 0155cb15 021688e8 00000000 00000003
chrome_1000000!WebCore::GIFImageDecoder::decode+0x1f
[c:\b\slave\chrome-official\build\src\webkit\port\platform\image-decoders\gif\gifimagedecoder.cpp
@ 227]
00c7d938 013c6193 00000002 00b381a8 013e4803
chrome_1000000!WebCore::GIFImageDecoder::frameBufferAtIndex+0x33
[c:\b\slave\chrome-official\build\src\webkit\port\platform\image-decoders\gif\gifimagedecoder.cpp
@ 184]
00c7d944 013e4803 00000002 00b38198 00000002
chrome_1000000!WebCore::ImageSource::createFrameAtIndex+0x14
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\skia\imagesourceskia.cpp
@ 178]
00c7d960 013e4a1c 00000002 00000000 00b38198
chrome_1000000!WebCore::BitmapImage::cacheFrame+0x60
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\bitmapimage.cpp
@ 126]
00c7d974 013e4b8a 00000002 00c7da98 00b38198
chrome_1000000!WebCore::BitmapImage::frameIsCompleteAtIndex+0x32
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\bitmapimage.cpp
@ 222]
00c7d9ac 01480000 00000001 00c7da98 00c7daa8
chrome_1000000!WebCore::BitmapImage::startAnimation+0x96
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\bitmapimage.cpp
@ 292]
00c7da28 013fbd2a 00c7fc10 00c7da44 00c7da54
chrome_1000000!WebCore::BitmapImage::draw+0x1f
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\skia\imageskia.cpp
@ 438]
00c7da78 013fb8da 00c7fc10 44098000 00000002
chrome_1000000!WebCore::GraphicsContext::drawImage+0x125
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\graphicscontext.cpp
@ 430]
00c7dabc 013fb8a5 00c7fc10 00b38198 00c7db34
chrome_1000000!WebCore::GraphicsContext::drawImage+0x31
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\graphicscontext.cpp
@ 302]
00c7daec 014453d2 00c7fc10 00b38198 00c7db34
chrome_1000000!WebCore::GraphicsContext::drawImage+0x2d
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\platform\graphics\graphicscontext.cpp
@ 292]
00c7db6c 014bebf9 00c7dbdc 00000113 0000007f
chrome_1000000!WebCore::RenderImage::paintReplaced+0x18e
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderimage.cpp
@ 409]
00c7dbbc 0149844a 00c7dbdc 00000113 0000007f
chrome_1000000!WebCore::RenderReplaced::paint+0x123
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderreplaced.cpp
@ 142]
00c7dc00 014e290e 00c7dc20 00000113 0000007f
chrome_1000000!WebCore::InlineBox::paint+0xbc
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\inlinebox.cpp
@ 156]
00c7dc64 014b99f6 00c7dcec 00000113 0000007f
chrome_1000000!WebCore::InlineFlowBox::paint+0x24e
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\inlineflowbox.cpp
@ 661]
00c7dc7c 014afe6b 00c7dcec 00000113 0000007f
chrome_1000000!WebCore::RootInlineBox::paint+0x14
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rootinlinebox.cpp
@ 180]
00c7dd10 01456eaa 02223d9c 00000113 0000007f
chrome_1000000!WebCore::RenderFlow::paintLines+0x288
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderflow.cpp
@ 434]
00c7dd24 01457240 00c7ddd8 00000113 0000007f
chrome_1000000!WebCore::RenderBlock::paintContents+0x3d
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1604]
00c7dd64 01456b84 00c7ddd8 00000113 0000007f
chrome_1000000!WebCore::RenderBlock::paintObject+0xcc
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1699]
00c7ddb4 0145753e 00c7ddd8 00000113 0000007f
chrome_1000000!WebCore::RenderBlock::paint+0x13d
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1520]
00c7de10 014572b6 00c7defc 00000113 0000007f
chrome_1000000!WebCore::RenderBlock::paintFloats+0x10d
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1759]
00c7de54 0149fee5 00c7defc 00000113 0000007f
chrome_1000000!WebCore::RenderBlock::paintObject+0x142
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1711]
00c7de7c 014a79be 00000000 00000113 0000007f
chrome_1000000!WebCore::RenderTableCell::paint+0x15a
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rendertablecell.cpp
@ 649]
00c7decc 0143c6c5 00c7defc 00000113 0000007f
chrome_1000000!WebCore::RenderTableSection::paint+0x382
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rendertablesection.cpp
@ 970]
00c7e250 01456fa6 00c7e270 00000113 0000007f
chrome_1000000!WebCore::RenderTable::paint+0x1c4
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rendertable.cpp
@ 480]
00c7e29c 01456eb5 021c8b00 00c7e360 00000113
chrome_1000000!WebCore::RenderBlock::paintChildren+0xed
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1634]
00c7e2b4 01457240 00c7e360 00000113 0000006e
chrome_1000000!WebCore::RenderBlock::paintContents+0x48
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1606]
00c7e2f4 01456b84 00c7e360 00000113 0000006e
chrome_1000000!WebCore::RenderBlock::paintObject+0xcc
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1699]
00c7e340 01456fa6 00c7e360 00000113 0000006e
chrome_1000000!WebCore::RenderBlock::paint+0x13d
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1520]
00c7e38c 01456eb5 021c8928 00c7e450 00000113
chrome_1000000!WebCore::RenderBlock::paintChildren+0xed
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1634]
00c7e3a4 01457240 00c7e450 00000113 0000006e
chrome_1000000!WebCore::RenderBlock::paintContents+0x48
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1606]
00c7e3e4 01456b84 00c7e450 00000113 0000006e
chrome_1000000!WebCore::RenderBlock::paintObject+0xcc
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1699]
00c7e430 01456fa6 00c7e450 00000113 0000006e
chrome_1000000!WebCore::RenderBlock::paint+0x13d
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1520]
00c7e47c 01456eb5 021c8878 00c7e57c 00000113
chrome_1000000!WebCore::RenderBlock::paintChildren+0xed
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1634]
00c7e494 01457240 00c7e57c 00000113 0000006e
chrome_1000000!WebCore::RenderBlock::paintContents+0x48
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1606]
00c7e4d4 0149fee5 00c7e57c 00000113 0000006e
chrome_1000000!WebCore::RenderBlock::paintObject+0xcc
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1699]
00c7e4fc 014a79be 00000000 00000113 0000006e
chrome_1000000!WebCore::RenderTableCell::paint+0x15a
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rendertablecell.cpp
@ 649]
00c7e54c 0143c6c5 00c7e57c 00000113 0000006e
chrome_1000000!WebCore::RenderTableSection::paint+0x382
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rendertablesection.cpp
@ 970]
00c7e8d0 01456fa6 00c7e8f0 00000113 0000006e
chrome_1000000!WebCore::RenderTable::paint+0x1c4
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rendertable.cpp
@ 480]
00c7e91c 01456eb5 021c85f8 00c7ea1c 00000113
chrome_1000000!WebCore::RenderBlock::paintChildren+0xed
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1634]
00c7e934 01457240 00c7ea1c 00000113 0000006e
chrome_1000000!WebCore::RenderBlock::paintContents+0x48
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1606]
00c7e974 0149fee5 00c7ea1c 00000113 0000006e
chrome_1000000!WebCore::RenderBlock::paintObject+0xcc
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1699]
00c7e99c 014a79be 00000000 00000113 0000006e
chrome_1000000!WebCore::RenderTableCell::paint+0x15a
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rendertablecell.cpp
@ 649]
00c7e9ec 0143c6c5 00c7ea1c 0000008c 0000006e
chrome_1000000!WebCore::RenderTableSection::paint+0x382
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rendertablesection.cpp
@ 970]
00c7ed70 01456fa6 00c7ed90 0000008c 0000006e
chrome_1000000!WebCore::RenderTable::paint+0x1c4
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rendertable.cpp
@ 480]
00c7edbc 01456eb5 021c7e74 00c7eebc 0000008c
chrome_1000000!WebCore::RenderBlock::paintChildren+0xed
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1634]
00c7edd4 01457240 00c7eebc 0000008c 00000061
chrome_1000000!WebCore::RenderBlock::paintContents+0x48
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1606]
00c7ee14 0149fee5 00c7eebc 0000008c 00000061
chrome_1000000!WebCore::RenderBlock::paintObject+0xcc
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1699]
00c7ee3c 014a79be 00000000 0000008c 00000061
chrome_1000000!WebCore::RenderTableCell::paint+0x15a
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rendertablecell.cpp
@ 649]
00c7ee8c 0143c6c5 00c7eebc 00000014 00000013
chrome_1000000!WebCore::RenderTableSection::paint+0x382
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rendertablesection.cpp
@ 970]
00c7f210 01456fa6 00c7f230 00000014 00000013
chrome_1000000!WebCore::RenderTable::paint+0x1c4
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rendertable.cpp
@ 480]
00c7f25c 01456eb5 02188b00 00c7f35c 00000014
chrome_1000000!WebCore::RenderBlock::paintChildren+0xed
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1634]
00c7f274 01457240 00c7f35c 00000014 00000013
chrome_1000000!WebCore::RenderBlock::paintContents+0x48
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1606]
00c7f2b4 0149fee5 00c7f35c 00000014 00000013
chrome_1000000!WebCore::RenderBlock::paintObject+0xcc
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\renderblock.cpp
@ 1699]
00c7f2dc 014a79be 00000000 00000014 00000013
chrome_1000000!WebCore::RenderTableCell::paint+0x15a
[c:\b\slave\chrome-official\build\src\third_party\webkit\webcore\rendering\rende

STACK_COMMAND:  ~1s; .ecxr ; kb

FOLLOWUP_IP: 
chrome_1000000!WebCore::RGBA32Buffer::setRGBA+86
[c:\b\slave\chrome-official\build\src\webkit\port\platform\image-decoders\imagedecoder.h
@ 202]
0155b901 8906            mov     dword ptr [esi],eax

FAULTING_SOURCE_CODE:  
   198:                 r = static_cast<unsigned>(r * alphaPercent);
   199:                 g = static_cast<unsigned>(g * alphaPercent);
   200:                 b = static_cast<unsigned>(b * alphaPercent);
   201:             }
>  202:             *dest = (a << 24 | r << 16 | g << 8 | b);
   203:         }
   204:     }
   205: 
   206:     void setRGBA(int x, int y,
   207:                  uint8_t r, uint8_t g, uint8_t b, uint8_t a)


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  chrome_1000000!WebCore::RGBA32Buffer::setRGBA+86

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: chrome_1000000

IMAGE_NAME:  chrome.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  49644cec

FAILURE_BUCKET_ID: 
INVALID_POINTER_READ_c0000005_chrome.dll!WebCore::RGBA32Buffer::setRGBA

BUCKET_ID: 
APPLICATION_FAULT_INVALID_POINTER_READ_chrome_1000000!WebCore::RGBA32Buffer::setRGBA+86

Comment 6 by lafo...@chromium.org, Jan 13 2009

Labels: -Area-Misc Area-WebKit stable Mstone-2.0 Crash-2.0.156.1 Crash-2.0.157.1
3 of these occurring on Chromebot for 2.0.157.0.

The full crash report details can be found at: http://go/crash-staging/reportdetail?reportid=75a2c01259b7a5a7&product=Chrome&version=2.0.157.0-qemu&signature=WebCore%3A%3AGIFImageDecoder%3A%3AhaveDecodedRow(unsigned+int%2Cunsigned+char+*%2Cunsigned+char+*%2Cunsigned+int%2Cunsigned+int%2Cbool)-1AF8AF0

The full crash report details can be found at: http://go/crash-staging/reportdetail?reportid=ea88918c4aa5db9b&product=Chrome&version=2.0.157.0-qemu&signature=WebCore%3A%3AGIFImageDecoder%3A%3AhaveDecodedRow(unsigned+int%2Cunsigned+char+*%2Cunsigned+char+*%2Cunsigned+int%2Cunsigned+int%2Cbool)-1AF8AD4

The full crash report details can be found at: http://go/crash-staging/reportdetail?reportid=a846cdead4f04e8a&product=Chrome&version=2.0.157.0-qemu&signature=WebCore%3A%3AGIFImageDecoder%3A%3AhaveDecodedRow(unsigned+int%2Cunsigned+char+*%2Cunsigned+char+*%2Cunsigned+int%2Cunsigned+int%2Cbool)-1AF8A99

Comment 7 by lafo...@chromium.org, Jan 14 2009

Status: Assigned
Hey Peter, I'm flipping the bit from Untriaged to Assigned; I just wanted to confirm that you were the right owner for this issue.

Comment 8 by lafo...@chromium.org, Jan 21 2009

Issue 6307 has been merged into this issue.

Comment 9 by venkataramana@chromium.org, Jan 21 2009

Issue 6650 has been merged into this issue.

Comment 10 by mberkowitz@chromium.org, Jan 21 2009

Labels: p

Comment 11 by mberkowitz@chromium.org, Jan 21 2009

Labels: -p

Comment 12 by deanm@chromium.org, Jan 23 2009

This is a Peter bug. I peeked at it and didn't get very far. Valgrind catches the crash earlier. I copied the image and can reproduce it here:

http://www.corp.google.com/~deanm/tmp/chrome/gif-crash2.gif

==29911==
==29911== Invalid write of size 4
==29911==    at 0x84868BA: WebCore::RGBA32Buffer::setRGBA(unsigned int*, unsigned
char, unsigned char, unsigned char, unsigned char) (ImageDecoder.h:211)
==29911==    by 0x8766B0C: WebCore::GIFImageDecoder::haveDecodedRow(unsigned int,
unsigned char*, unsigned char*, unsigned int, unsigned int, bool)
(GIFImageDecoder.cpp:383)
==29911==    by 0x8785A23: GIFImageReader::output_row() (GIFImageReader.cpp:164)
==29911==    by 0x8785ED4: GIFImageReader::do_lzw(unsigned char const*)
(GIFImageReader.cpp:352)
==29911==    by 0x8786139: GIFImageReader::read(unsigned char const*, unsigned int,
WebCore::GIFImageDecoder::GIFQuery, unsigned int) (GIFImageReader.cpp:442)
==29911==    by 0x876771D:
WebCore::GIFImageDecoderPrivate::decode(WebCore::SharedBuffer*,
WebCore::GIFImageDecoder::GIFQuery, unsigned int) (GIFImageDecoder.cpp:52)
==29911==    by 0x8766DB0:
WebCore::GIFImageDecoder::decode(WebCore::GIFImageDecoder::GIFQuery, unsigned int)
const (GIFImageDecoder.cpp:230)
==29911==    by 0x8766E83: WebCore::GIFImageDecoder::frameBufferAtIndex(unsigned int)
(GIFImageDecoder.cpp:186)
==29911==    by 0x83CB2F0: WebCore::ImageSource::createFrameAtIndex(unsigned int)
(ImageSourceSkia.cpp:183)
==29911==    by 0x874964D: WebCore::BitmapImage::cacheFrame(unsigned int)
(BitmapImage.cpp:120)
==29911==    by 0x87499DA: WebCore::BitmapImage::frameIsCompleteAtIndex(unsigned int)
(BitmapImage.cpp:218)
==29911==    by 0x8749CFF: WebCore::BitmapImage::startAnimation(bool)
(BitmapImage.cpp:320)
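
Both the faulting source in Comment 5 and the Valgrind report in Comment 12 place the bad write in RGBA32Buffer::setRGBA, reached from GIFImageDecoder::haveDecodedRow. As an added illustration that is not WebKit's or Chromium's code (and makes no claim about what WebKit r40641 changed), the C++ below models a frame buffer whose row write validates the row number, the row length and each palette index against the allocated frame and colour map before any pixel is stored; `RGBA32Buffer`, `writeDecodedRow` and the sample palette are hypothetical names and constructed data.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical frame buffer of packed 0xAARRGGBB pixels (constructed for this
// illustration, not the WebKit class of the same name).
class RGBA32Buffer {
public:
    RGBA32Buffer(unsigned width, unsigned height)
        : m_width(width), m_height(height),
          m_pixels(static_cast<size_t>(width) * height, 0u) {}

    unsigned width() const { return m_width; }
    unsigned height() const { return m_height; }

    // Same pixel packing as the line flagged in the crash report, with each
    // component widened first so shifting the alpha byte by 24 cannot overflow
    // a signed int.
    static uint32_t packRGBA(uint8_t r, uint8_t g, uint8_t b, uint8_t a) {
        return (static_cast<uint32_t>(a) << 24) | (static_cast<uint32_t>(r) << 16)
             | (static_cast<uint32_t>(g) << 8)  |  static_cast<uint32_t>(b);
    }

    // Bounds-checked write: refuses an (x, y) outside the frame instead of
    // storing through a computed pointer, which is the shape of the
    // "Invalid write of size 4" that Valgrind reported in setRGBA.
    bool setRGBA(unsigned x, unsigned y, uint8_t r, uint8_t g, uint8_t b, uint8_t a) {
        if (x >= m_width || y >= m_height)
            return false;
        m_pixels[static_cast<size_t>(y) * m_width + x] = packRGBA(r, g, b, a);
        return true;
    }

    // Read-back for tests; caller guarantees (x, y) is inside the frame.
    uint32_t pixelAt(unsigned x, unsigned y) const {
        return m_pixels[static_cast<size_t>(y) * m_width + x];
    }

private:
    unsigned m_width;
    unsigned m_height;
    std::vector<uint32_t> m_pixels;
};

// Hypothetical stand-in for a haveDecodedRow-style callback: the LZW stage
// hands over one row of palette indices, each index is resolved through the
// colour map and written to the frame. Every quantity derived from file data
// (row number, row length, palette index) is checked before use. Returns the
// number of pixels written; 0 means the row was rejected outright.
size_t writeDecodedRow(RGBA32Buffer& frame, unsigned rowNumber,
                       const uint8_t* rowIndices, size_t rowLength,
                       const std::vector<uint32_t>& palette, int transparentIndex) {
    if (rowNumber >= frame.height())
        return 0;                                   // row lies below the frame
    size_t n = rowLength < frame.width() ? rowLength : frame.width(); // clip width
    size_t written = 0;
    for (size_t x = 0; x < n; ++x) {
        unsigned idx = rowIndices[x];
        if (static_cast<int>(idx) == transparentIndex)
            continue;                               // transparent: leave pixel as-is
        if (idx >= palette.size())
            continue;                               // index outside the colour map
        uint32_t rgb = palette[idx];
        if (frame.setRGBA(static_cast<unsigned>(x), rowNumber,
                          static_cast<uint8_t>((rgb >> 16) & 0xff),
                          static_cast<uint8_t>((rgb >> 8) & 0xff),
                          static_cast<uint8_t>(rgb & 0xff), 0xff))
            ++written;
    }
    return written;
}
```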

Comment 13 by jon@chromium.org, Jan 23 2009

Crashes trunk build but not 1.0.154.43 (Official Build 7746).

Comment 14 by jon@chromium.org, Jan 27 2009

We have crashes from 2.0.158.0, see http://crash/search?query=Chrome+WebCore::GIFImageDecoder

Comment 15 by pkasting@chromium.org, Feb 4 2009

Status: Started
I have a local fix for this.

Comment 16 by pkasting@chromium.org, Feb 4 2009

Issue 6134 has been merged into this issue.

Comment 18 by pkasting@chromium.org, Feb 5 2009

Status: Fixed
Fixed in WebKit r40641, we'll get the fix in the next merge.

Comment 19 by brettw@chromium.org, Feb 6 2009

Issue 6374 has been merged into this issue.

Comment 20 by jsc...@chromium.org, Jan 4 2011

Labels: SecSeverity-High

Comment 21 by lafo...@chromium.org, Mar 19 2011

Labels: -Crash bulkmove Stability-Crash

Comment 22 by jsc...@chromium.org, Mar 21 2011

Labels: Type-Security

Comment 23 by jsc...@chromium.org, Oct 5 2011

Labels: SecImpacts-Stable
Batch update: Guessing based on search criteria that this security bug impacted a stable release.

Comment 24 by jsc...@chromium.org, Apr 18 2012

Labels: -private
Lifting view restrictions.

Comment 25 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 26 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Area-WebKit -SecSeverity-High -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable Security-Severity-High Type-Bug-Security

Comment 27 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 28 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 29 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 30 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic