Bug 499862 (Closed: RESOLVED FIXED)
Opened 15 years ago; closed 15 years ago
"ASSERTION: invalid array index" with overflow:scroll, float:left, text-transform, changing <style>
Categories: Core :: Layout, defect, P2
People: Reporter: jruderman; Assigned: roc
4 keywords; Whiteboard: [sg:critical?]
Attachments (3 files):
- text/html (deleted)
- patch "fix", attachment 428646 (deleted): smontagu: review+; beltzner: approval1.9.2.2+, approval1.9.1.9+, approval1.9.0.19-
- text/html (deleted)
Description (Reporter: jruderman):
###!!! ASSERTION: Should have been cleared: 'mBreakSinks.IsEmpty()', file layout/generic/nsTextFrameThebes.cpp, line 648
###!!! ASSERTION: Should have Reset() before destruction!: 'mCurrentWord.Length() == 0', file content/base/src/nsLineBreaker.cpp, line 51
###!!! ASSERTION: invalid array index: 'i < Length()', file nsTArray.h, line 317
###!!! ASSERTION: Hmm, something went wrong, aOffset should have been found: 'mGlyphRuns[start].mCharacterOffset <= aOffset', file gfx/thebes/src/gfxFont.cpp, line 2189
Security-sensitive because the "invalid array index" assertion is in an unchecked array access function.
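The report above rates the "invalid array index" assertion as security-sensitive because it sits in an accessor whose only bounds guard is the assertion itself, which release builds compile away. The following is an added example, not Mozilla's nsTArray or gfxFont code: a toy container with an assert-only `operator[]` beside a checked `SafeElementAt`, and a glyph-run lookup that returns a sentinel for the "aOffset precedes the first run" state the fourth assertion reports instead of indexing past the table. All names here (`ToyArray`, `GlyphRun`, `SafeElementAt`, `FindRunChecked`, `kNotFound`) are hypothetical stand-ins, and the three-run table is constructed sample data.

```cpp
// Added example, not Mozilla code. Contrasts an assert-only-guarded accessor
// with one whose bounds check is ordinary control flow. Names are hypothetical.
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <vector>

static const size_t kNotFound = static_cast<size_t>(-1);

template <typename T>
class ToyArray {
 public:
  void AppendElement(const T& aValue) { mData.push_back(aValue); }
  size_t Length() const { return mData.size(); }

  // Unchecked accessor: the only guard is an assertion. With NDEBUG defined
  // (a release build) the assert is compiled away and an out-of-range index
  // reads whatever lies past the buffer. This models what the report calls
  // "an unchecked array access function"; it is not nsTArray's code.
  const T& operator[](size_t aIndex) const {
    assert(aIndex < Length() && "invalid array index");
    return mData.data()[aIndex];
  }

  // Checked accessor: the bounds test runs in every build, so an
  // out-of-range index is reported to the caller instead of being read.
  bool SafeElementAt(size_t aIndex, T* aOut) const {
    if (aIndex >= Length()) return false;
    *aOut = mData[aIndex];
    return true;
  }

 private:
  std::vector<T> mData;
};

// Hypothetical stand-in for a glyph-run table: runs are sorted by the
// character offset at which each run starts.
struct GlyphRun {
  size_t mCharacterOffset;
};

// Constructed sample table: runs starting at characters 2, 4 and 9, so that
// offsets 0 and 1 precede the first run (the inconsistent state the fourth
// assertion in the report complains about).
ToyArray<GlyphRun> SampleRuns() {
  ToyArray<GlyphRun> runs;
  GlyphRun r0 = {2}, r1 = {4}, r2 = {9};
  runs.AppendElement(r0);
  runs.AppendElement(r1);
  runs.AppendElement(r2);
  return runs;
}

// Character offset of run aIndex via the checked accessor, or kNotFound.
size_t SafeOffsetAt(const ToyArray<GlyphRun>& aRuns, size_t aIndex) {
  GlyphRun run = {0};
  return aRuns.SafeElementAt(aIndex, &run) ? run.mCharacterOffset : kNotFound;
}

// Index of the run containing aOffset (last run whose start <= aOffset), or
// kNotFound when the table is empty or aOffset precedes the first run.
// Every element read goes through the checked accessor, so a bad table or a
// bad offset yields a sentinel the caller must handle, never an OOB read.
size_t FindRunChecked(const ToyArray<GlyphRun>& aRuns, size_t aOffset) {
  size_t best = kNotFound;
  for (size_t i = 0; i < aRuns.Length(); ++i) {
    GlyphRun run = {0};
    if (!aRuns.SafeElementAt(i, &run)) break;   // cannot happen here; costs nothing
    if (run.mCharacterOffset > aOffset) break;  // sorted: first run past aOffset ends the scan
    best = i;
  }
  return best;
}

// True when assert() is live in this build. A release build (NDEBUG) returns
// false, which is exactly why an assert-only guard is not a bounds check.
bool AssertionsCompiledIn() {
#ifdef NDEBUG
  return false;
#else
  return true;
#endif
}

int main() {
  ToyArray<GlyphRun> runs = SampleRuns();
  std::printf("assert() live in this build: %s\n", AssertionsCompiledIn() ? "yes" : "no");
  std::printf("run for offset 5: %zu\n", FindRunChecked(runs, 5));
  std::printf("run for offset 0: %s\n", FindRunChecked(runs, 0) == kNotFound ? "not found" : "found");
  // runs[runs.Length()] would trip the assertion in a debug build and read
  // past the buffer in a release build; the checked form just reports failure.
  std::printf("SafeElementAt(Length()): %s\n", SafeOffsetAt(runs, runs.Length()) == kNotFound ? "rejected" : "read");
  return 0;
}
```

Build it once normally and once with `-DNDEBUG` to watch `AssertionsCompiledIn()` flip; the `operator[]` misuse is left as a comment rather than executed, since in the release configuration it is an out-of-bounds read.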
Updated (reporter), 15 years ago:
Whiteboard: [sg:critical?]

Updated (assignee), 15 years ago:
Assignee: nobody → roc
blocking2.0: --- → ?

Comment 1 (roc, assignee), 15 years ago:
We need to flush out break sinks etc even if there are no mapped flows. In this testcase, the textrun finishes after the T (since it's in a float by itself) so we exit too early from FlushFrames. Flushing out the break sinks is needed so that we tell the text-transform textrun where the capitalized characters are.
Attachment #428646 flags: review?(smontagu)

Updated (assignee), 15 years ago:
Whiteboard: [sg:critical?] → [sg:critical?][needs review]

Comment 2 (roc, assignee), 15 years ago:
This testcase is simpler but still fires the first assertion.
Updated 15 years ago:
Attachment #428646 flags: review?(smontagu) → review+

Updated (assignee), 15 years ago:
Whiteboard: [sg:critical?][needs review] → [sg:critical?][needs landing]

Comment 3 (roc, assignee), 15 years ago:
http://hg.mozilla.org/mozilla-central/rev/9c24556c14c3
I checked in my simple testcase, which doesn't lead directly to a security issue.
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [sg:critical?][needs landing] → [sg:critical?]
Comment 4 (roc, assignee), 15 years ago:
Comment on attachment 428646 (fix):
Patch should apply to all 1.9.x branches.
Attachment #428646 flags: approval1.9.2.2?, approval1.9.1.9?, approval1.9.0.19?
Comment 5, 15 years ago:
Comment on attachment 428646 (fix):
a=beltzner for all branches
Attachment #428646 flags: approval1.9.2.2? → approval1.9.2.2+; approval1.9.1.9? → approval1.9.1.9+; approval1.9.0.19? → approval1.9.0.19+
Updated (assignee), 15 years ago:
Whiteboard: [sg:critical?] → [sg:critical?][needs 190 landing][needs 191 landing][needs 192 landing]
Comment 6, 15 years ago:
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/60dce6cf3aaa
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/5d3418e69ab0
status1.9.1: --- → .9-fixed
status1.9.2: --- → .2-fixed
Comment 7 (roc, assignee), 15 years ago:
Checked into 1.9.0.
Keywords: fixed1.9.0.19
Whiteboard: [sg:critical?][needs 190 landing][needs 191 landing][needs 192 landing] → [sg:critical?]
Comment 8 (roc, assignee), 15 years ago:
I backed this out of 1.9.0 because it caused crashes there. Is it worth figuring those out, or should we just leave this unfixed on 1.9.0?
Keywords: fixed1.9.0.19
Comment 9, 15 years ago:
Comment on attachment 428646 (fix):
I'm fine to leave these unfixed, yeah. It does mean we can't open up this bug for a while longer, though.
Attachment #428646 flags: approval1.9.0.19+ → approval1.9.0.19-
Comment 10, 15 years ago:
Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9pre) Gecko/20100311 Shiretoko/3.5.9pre (.NET CLR 3.5.30729) using testcase.
Verified for 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3pre) Gecko/20100315 Namoroka/3.6.3pre (.NET CLR 3.5.30729). (This was built just after the release branch was cut but before any checkins were made so it is the same as 1.9.2.2.)
Keywords: verified1.9.1, verified1.9.2
Updated 15 years ago:
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.19-
Updated (assignee), 15 years ago:
blocking2.0: ? → final+
Priority: -- → P2
Updated 14 years ago:
Group: core-security