Closed Bug 429458 Opened 17 years ago Closed 16 years ago

"ASSERTION: Bad offset" in nsTextFrameThebes.cpp with XBL

Categories

(Core :: Layout: Text and Fonts, defect)

x86
macOS
defect
Not set
normal

Tracking


RESOLVED WORKSFORME

People

(Reporter: jruderman, Assigned: roc)

References

Details

(Keywords: assertion, testcase, Whiteboard: [sg:critical?])

Attachments

(1 file)

Attached file testcase (deleted) —
Gary Kwong found this bug and I helped make a reduced testcase. Firefox displays the text in the testcase incorrectly (e.g. the first two letters of "apples" are missing) and asserts:

###!!! ASSERTION: Range out of bounds: 'IsInBounds(mStart, mLength, aStart, aLength)', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 2189
###!!! ASSERTION: No text for IsSpace!: 'aPos < aFrag->GetLength()', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 476
###!!! ASSERTION: bad index: 'PRUint32(aIndex) < mState.mLength', file /Users/jruderman/trunk/mozilla/layout/base/../../content/base/src/nsTextFragment.h, line 184
###!!! ASSERTION: Bad offset: 'aPos <= aFrag->GetLength()', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 466

Bug 426272 triggers many of the same assertions, but not the last one, and has a very different testcase. Filing as security-sensitive because I get scared when nsTextFrameThebes.cpp complains about bad indices and offsets.
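The four assertions above are all bounds checks on a text fragment: a sub-range check (`IsInBounds(mStart, mLength, aStart, aLength)`), two character-index checks that require `< length`, and one offset check that allows `<= length`. Why a failed check is a memory-safety concern, and why the `<` vs `<=` distinction matters, is easier to see in code. The following is an added illustration written for this page; it is not Gecko's code, and the function and parameter names are assumptions chosen to mirror the assertion text. It also shows, as a general point the report does not spell out, why a range check written as `aStart + aLength <= mStart + mLength` is unsafe on unsigned arithmetic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative bounds checks (not Gecko's implementation; names are assumptions).
 * A "fragment" is a run of text of fragLength code units starting at index 0.
 * A "frame" covers the sub-range [mStart, mStart + mLength) of that fragment. */

/* Sub-range [aStart, aStart + aLength) must lie inside [mStart, mStart + mLength).
 * Written without computing aStart + aLength, so it cannot wrap around. */
bool range_in_bounds(uint32_t mStart, uint32_t mLength,
                     uint32_t aStart, uint32_t aLength)
{
    if (aStart < mStart)
        return false;
    uint32_t offset = aStart - mStart;   /* safe: aStart >= mStart */
    if (offset > mLength)
        return false;
    return aLength <= mLength - offset;  /* compares against remaining room */
}

/* Naive form for comparison: aStart + aLength can wrap to a small value and pass. */
bool naive_range_in_bounds(uint32_t mStart, uint32_t mLength,
                           uint32_t aStart, uint32_t aLength)
{
    return aStart >= mStart && aStart + aLength <= mStart + mLength;
}

/* A position names a character that will be read, so it must be < length
 * (the "No text for IsSpace!" and "bad index" style of check). */
bool position_in_bounds(uint32_t aPos, uint32_t fragLength)
{
    return aPos < fragLength;
}

/* An offset names a boundary between characters and may equal the length
 * (the "Bad offset" style of check); it must never be used to read a char. */
bool offset_in_bounds(uint32_t aPos, uint32_t fragLength)
{
    return aPos <= fragLength;
}

/* Guarded read: returns the code unit, or -1 instead of reading past the end. */
int char_at(const char *frag, uint32_t fragLength, uint32_t aPos)
{
    if (!position_in_bounds(aPos, fragLength))
        return -1;
    return (unsigned char)frag[aPos];
}

int main(void)
{
    /* Constructed sample input, chosen to echo the report's "apples". */
    const char *frag = "apples";
    uint32_t len = (uint32_t)strlen(frag);

    printf("range [2,6) in [0,6): %d\n", range_in_bounds(0, len, 2, 4));
    printf("range [2,7) in [0,6): %d\n", range_in_bounds(0, len, 2, 5));
    printf("offset 6 ok: %d, position 6 ok: %d\n",
           offset_in_bounds(6, len), position_in_bounds(6, len));
    printf("char_at(6): %d (guarded, no over-read)\n", char_at(frag, len, 6));
    /* The naive check accepts a wrapped range that the safe one rejects. */
    printf("naive accepts wrapped range: %d, safe accepts: %d\n",
           naive_range_in_bounds(0, 0x100, 0xFFFFFFF0u, 0x20u),
           range_in_bounds(0, 0x100, 0xFFFFFFF0u, 0x20u));
    return 0;
}
```

The practical takeaway for triage is that a "Bad offset" or "bad index" assertion in a text frame marks a place where, in a release build with assertions compiled out, the code would proceed to index the fragment with an out-of-range value; whether that is a read or write, and how far out of bounds, is what decides between "[sg:critical?]" and a rendering glitch.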
I think these assertions are scary enough to warrant "[sg:critical?]". If this bug isn't exploitable, it can be downgraded to [sg:want P2] (on the grounds that it interferes with fuzz-testing to look for other testcases that trigger similar problems).
Whiteboard: [sg:critical?]
This bug has been placed on the "Top Security Bugs" list. Vlad, can you find someone to assign this to and please treat it as a top priority.
Assignee: nobody → roc
Bug 471594 might be related.
(-> Layout)
Component: GFX: Thebes → Layout: Text
QA Contact: thebes → layout.fonts-and-text
Whiteboard: [sg:critical?] → [sg:critical?] common fuzz blocker
In a Linux mozilla-central build (with my patch queue) I don't see any assertions on this testcase. Is this somehow platform-specific, or is it fixed?
Keywords: qawanted
I'm not seeing the assertions or mis-rendering any more. WFM.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Keywords: qawanted
Whiteboard: [sg:critical?] common fuzz blocker → [sg:critical?]
Group: core-security
Flags: in-testsuite? → in-testsuite+
