Closed Bug 1274579 Opened 8 years ago Closed 8 years ago

"ASSERTION: aPos out of range" and heap-buffer-overflow with writing-mode, adjacent whitespace text nodes

Categories: Core :: Graphics: Text, defect
Priority: Not set
Severity: critical

Status: RESOLVED DUPLICATE of bug 1275059
Tracking Status: firefox49 --- affected

Reporter: jruderman
Assignee: Unassigned

Details: 5 keywords

Attachments: 3 files
Attached file: testcase (deleted)
Debug:
> ###!!! ASSERTION: aPos out of range: 'aPos < GetLength()', file gfxTextRun.h, line 117

ASan:
> AddressSanitizer: heap-buffer-overflow [@ nsTextFrame::AddInlineMinISizeForFlow] with READ of size 4
Attached file: stack (debug assertion) (deleted)
Attached file: stack (ASan heap-buffer-overflow) (deleted)
Could you look into this, Jonathan? Thanks.
Flags: needinfo?(jfkthame)
I think this is a dupe of a bug that Xidorn fixed recently; will try to confirm shortly. Leaving ni? for now, till I track that down...
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jfkthame)
Resolution: --- → DUPLICATE
Group: gfx-core-security