Closed Bug 368860 Opened 18 years ago Closed 18 years ago

"ASSERTION: bad index" in nsTextFragment.h with &rlm; and tables

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: roc)

References

Details

(Keywords: assertion, testcase, Whiteboard: [sg:moderate?] post 1.8-branch)

Attachments

(2 files)

testcase 18 years ago Jesse Ruderman (deleted), text/html		Details
fix 18 years ago Robert O'Callahan (:roc) (email my personal email if necessary) (deleted), patch	dbaron : review+ dbaron : superreview+	Details \| Diff \| Splinter Review

Jesse Ruderman

Reporter

Description

•

18 years ago

Loading the testcase triggers: ###!!! ASSERTION: bad index: 'PRUint32(aIndex) < mState.mLength', file /Users/admin/trunk/mozilla/layout/base/../../content/base/src/nsTextFragment.h, line 183 This looks like a "read past end of buffer" bug, so filing as security-sensitive.

Jesse Ruderman

Reporter

Comment 1

•

18 years ago

Attached file testcase (deleted) — Details

Jesse Ruderman

Reporter

Updated

•

18 years ago

Flags: blocking1.9?

Uri Bernstein (Google)

Comment 2

•

18 years ago

This code was introduced in bug 343445.

Blocks: 343445

Jesse Ruderman

Reporter

Updated

•

18 years ago

Whiteboard: [sg:moderate?]

Robert O'Callahan (:roc) (email my personal email if necessary)

Assignee

Comment 3

•

18 years ago

Attached patch fix (deleted) — Details — Splinter Review

Avoid the out-of-bounds access. This code is going away with the new textframe, anyway.

Assignee: nobody → roc

Status: NEW → ASSIGNED

Attachment #254258 - Flags: superreview?(dbaron)

Attachment #254258 - Flags: review?(dbaron)

David Baron :dbaron:

Comment 4

•

18 years ago

I don't see this assertion on the trunk. Was it fixed elsewhere?

Jesse Ruderman

Reporter

Comment 5

•

18 years ago

Same here. roc said "This code is going away with the new textframe, anyway", so the bug 370588 landing probably took care of it.

Robert O'Callahan (:roc) (email my personal email if necessary)

Assignee

Comment 6

•

18 years ago

No, this code hasn't gone away yet, and won't until we turn on the new textframe. I don't know why the assertion has gone away.

David Baron :dbaron:

Updated

•

18 years ago

Attachment #254258 - Flags: superreview?(dbaron)

Attachment #254258 - Flags: superreview+

Attachment #254258 - Flags: review?(dbaron)

Attachment #254258 - Flags: review+

Robert O'Callahan (:roc) (email my personal email if necessary)

Assignee

Comment 7

•

18 years ago

Fixed.

Status: ASSIGNED → RESOLVED

Closed: 18 years ago

Resolution: --- → FIXED

Robert O'Callahan (:roc) (email my personal email if necessary)

Assignee

Updated

•

18 years ago

Flags: blocking1.9? → blocking1.9+

Daniel Veditz [:dveditz]

Updated

•

18 years ago

Flags: wanted1.8.1.x-

Whiteboard: [sg:moderate?] → [sg:moderate?] post 1.8-branch

Daniel Veditz [:dveditz]

Updated

•

18 years ago

Group: security

Jesse Ruderman

Reporter

Comment 8

•

17 years ago

Crashtest checked in.

Flags: in-testsuite+

timeless

Updated

•

16 years ago

Component: Layout: BiDi Hebrew & Arabic → Layout: Text

QA Contact: layout.bidi → layout.fonts-and-text

You need to log in before you can comment on or make changes to this bug.

Bugzilla

"ASSERTION: bad index" in nsTextFragment.h with &rlm; and tables

Categories

(Core :: Layout: Text and Fonts, defect)

Tracking

()

People

(Reporter: jruderman, Assigned: roc)

References

Details

(Keywords: assertion, testcase, Whiteboard: [sg:moderate?] post 1.8-branch)

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Updated

Comment 2

Updated

Comment 3

Comment 4

Comment 5

Comment 6

Updated

Comment 7

Updated

Updated

Updated

Comment 8

Updated

Attachment

General

Description

File Name

Content Type