Closed Bug 158796 Opened 22 years ago Closed 22 years ago

Trunk crashes viewing BiDi text (perhaps) [@ ArabicShaping]

Categories

(Core :: Layout: Text and Fonts, defect)

x86
Windows 98
defect
Not set
critical

Tracking

VERIFIED FIXED

People

(Reporter: greer, Assigned: smontagu)

Details

(Keywords: crash, topcrash)

Attachments

(1 file, 1 obsolete file)

There are a handful of crashes in the Trunk topcrash data (2002071204 to 2002072008) at the ArabicShaping signature. The stack is brief:
ArabicShaping [c:/builds/seamonkey/mozilla/content/shared/src/nsBidiUtils.cpp line 292]
And the comments don't refer to any specific BiDi issue. But nine unique users have been able to reproduce a crash with this stack.
(8529331) URL: http://optimoz.mozdev.org/gestures/installation.html
(8529331) Comments: I can't remember the exact URL but I was just clicking a plain link to a download for a .rar file on a site. This somehow caused a crash.
(8522150) URL: http://www.url.ru/~copah/Gatekeeper.htm
(8522150) Comments: I clicked the link to download the installer for Windows
(8400132) URL: http://listings.ebay.com/aw/listings/going/all/category15057/index.html
(8288376) URL: http://www.agspri.com/video.html
(8288376) Comments: Attempted to download movie in windows media format. http://www.agspri.com/assets/cfm320x240.wmv
Note: the links at http://www.url.ru/~copah/Gatekeeper.htm are now broken.
Keywords: crash, topcrash
I can't reproduce the crash, but I noticed that all the talkback reports that specify a full URL point to binary files that are being served as text/plain.
I now suspect that the crash is a buffer overrun in ArabicShaping, which is being triggered when people (unintentionally?) set their default encoding to Arabic (IBM-864), the first in the list.
Taking
Assignee: mkaply → smontagu
Attached patch: Suggested patch (obsolete) (deleted)
Attached patch: Patch v.2 (deleted)
diff -u10 and removing the length check, which jst told me was unnecessary
Attachment #92645 - Attachment is obsolete: true
Comment on attachment 92668 (Patch v.2)
r=jkeiser
But please file a bug on network, which ought to be checking that it creates a proper Unicode string :)
Attachment #92668 - Flags: review+
Comment on attachment 92668 (Patch v.2)
sr=jst
Attachment #92668 - Flags: superreview+
*** Bug 159168 has been marked as a duplicate of this bug. ***
Comment on attachment 92668 (Patch v.2)
a=asa (on behalf of drivers) for checkin to 1.1
Attachment #92668 - Flags: approval+
Fix checked in to trunk. No branch checkin will be required since the patched code isn't in the branch.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
v.fixed. No recent incidents found in Talkback data.
Status: RESOLVED → VERIFIED
*** Bug 161336 has been marked as a duplicate of this bug. ***
Component: Layout: BiDi Hebrew & Arabic → Layout: Text
QA Contact: zach → layout.fonts-and-text
Crash Signature: [@ ArabicShaping]