Closed
Bug 374251
Opened 18 years ago
Closed 17 years ago
style.fontFamily overflow on osx
Categories
(Core :: Graphics, defect)
Tracking
RESOLVED
FIXED
People
(Reporter: msg, Assigned: masayuki)
References
Details
(Keywords: crash, platform-parity, regression, Whiteboard: [sg:critical] post-1.8-branch)
Attachments
(4 files)
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a3pre) Gecko/20070316 Minefield/3.0a3pre

An overflow in the this.document.firstChild.style.fontFamily value causes a crash, with some register control, on OSX. Does not appear to affect win32. Found via JavaScript introspection fuzzing. See attached crash dump + sample script.

Reproducible: Always

Steps to Reproduce:
1. run attached script

Actual Results:
crash with some register control; see attached items
Comment 3•18 years ago
Comment 4•18 years ago
Does not appear to affect Linux either - it seems this is MacOSX only so far. A regression range would be nice to have...
Comment 6•17 years ago
gdb's backtrace for the testcase in comment 3 is kinda useless:

(gdb) bt
#0 0x00420044 in dyld_stub_fflush ()
#1 0x00420042 in dyld_stub_fflush ()

In an attempt to get a better backtrace, I modified the testcase to try adding one character to the string at a time until it crashed. I got this:

(gdb) bt
#0 0x9025ca97 in IteratorFindFontIDFromName ()
#1 0x6547736e in ?? ()
#2 0x4e5a5f3a in ?? ()
#3 0x00000000 in ?? ()
(gdb) info symbol IteratorFindFontIDFromName
IteratorFindFontIDFromName in section LC_SEGMENT.__TEXT.__text of /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS

There are no hits on Google for "IteratorFindFontIDFromName". Is this a bug in Apple code?
Whiteboard: [sg:critical]
Comment 7•17 years ago
Regressed between 2007-01-05-06 and 2007-01-05-14 (there happened to be a nightly respin that day). There were several checkins to Mac font-choosing code during that period: bug 364785, bug 364832, and bug 365613.
Comment 8•17 years ago
The patch on bug 364785 is especially suspect because it plays with a buffer of size 1024.
Comment 9•17 years ago
The crash occurs during the first call to ATSUFindFontFromName in gfxQuartzFontCache::ResolveFontName: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/gfx/thebes/src/gfxQuartzFontCache.mm&rev=1.12&mark=705-711#705
Blocks: 364785
Whiteboard: [sg:critical] → [sg:critical] post-1.8-branch
Updated•17 years ago
Flags: blocking1.9?
Updated•17 years ago
Assignee: general → nobody
Component: DOM: Level 0 → GFX: Thebes
QA Contact: ian → thebes
Version: unspecified → Trunk
Comment 10•17 years ago
Thank you for the testing. We should skip resolving the long font name, but this patch cannot suppress the same issues in the future.
Attachment #267592 - Flags: review?(vladimir) → review+
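The fix in comment 10 skips resolving an overlong family name before it reaches the platform font lookup. As an added illustration of that kind of check, not Mozilla's patch, here is a hypothetical C resolver that rejects any name that would not fit the 1024-byte buffer mentioned in comment 8 (FONT_NAME_BUF_SIZE, platform_find_font, resolve_font_name and make_long_name are assumed names):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cap taken from comment 8's mention of a 1024-byte buffer; the macro name is hypothetical. */
#define FONT_NAME_BUF_SIZE 1024

/* Hypothetical stand-in for the platform font lookup (ATSUFindFontFromName
 * on OS X); it only reports whether a known name reached it intact. */
static bool platform_find_font(const char *name)
{
    return strcmp(name, "Helvetica") == 0;
}

/* Hardened resolver: measure the caller-supplied family name first, refuse
 * anything that would not fit in the fixed buffer together with its
 * terminating NUL, and only then copy it in and hand it to the platform.
 * An overlong name is reported as "not found" rather than forwarded. */
bool resolve_font_name(const char *family, size_t family_len)
{
    char buf[FONT_NAME_BUF_SIZE];

    if (family == NULL || family_len == 0 || family_len >= sizeof buf)
        return false;
    memcpy(buf, family, family_len);
    buf[family_len] = '\0';
    return platform_find_font(buf);
}

/* Constructed input: a fontFamily value several times larger than the buffer,
 * standing in for what a fuzzer could assign through the DOM. */
static char long_name[8192];

const char *make_long_name(void)
{
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    return long_name;
}

int main(void)
{
    const char *n = make_long_name();
    printf("Helvetica resolved: %d\n", resolve_font_name("Helvetica", strlen("Helvetica")));
    printf("%zu-byte name resolved: %d\n", strlen(n), resolve_font_name(n, strlen(n)));
    return 0;
}
```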
Comment 11•17 years ago
checked-in.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Updated•17 years ago
Group: security
Flags: in-testsuite?