Bug 564705: String buffer underflow and crash [@ nsTextBoxFrame::UpdateAccessTitle]
Status: RESOLVED FIXED (Opened 15 years ago, Closed 15 years ago)
Categories: Core :: XUL, defect
People: Reporter: jruderman, Assigned: tnikkel
Details: 4 keywords, Whiteboard: [sg:low UMR]
Attachments (2 files):
(deleted), application/vnd.mozilla.xul+xml
(deleted), patch (neil: review+, dveditz: approval1.9.2.7+, dveditz: approval1.9.1.11+)
nsTextBoxFrame::UpdateAccessTitle tried to subtract 1 from 0 and got 2^32-1.
###!!! ASSERTION: index exceeds allowable range: 'i <= mLength', file nsTString.h, line 129
At least on a 64-bit system, a crash immediately follows the assertion.
#5 0x00007f9f2e7b9422 in nsString::CharAt (this=0x7f9f13b78ac8, i=4294967295) at ../../../dist/include/nsTString.h:130
#6 0x00007f9f2e7b9448 in nsString::operator[] (this=0x7f9f13b78ac8, i=4294967295) at ../../../dist/include/nsTString.h:135
#7 0x00007f9f2ec81bcd in nsTextBoxFrame::UpdateAccessTitle (this=0x7f9f13b78a78) at layout/xul/base/src/nsTextBoxFrame.cpp:878
#8 0x00007f9f2ec7fc9e in nsTextBoxFrame::UpdateAccesskey (this=0x7f9f13b78a78, aWeakThis=...)
at layout/xul/base/src/nsTextBoxFrame.cpp:264
#9 0x00007f9f2ec82b13 in nsAsyncAccesskeyUpdate::ReflowFinished (this=0x7f9f13b91060) at layout/xul/base/src/nsTextBoxFrame.cpp:224
Comment 1 • 15 years ago (Reporter)
Reported on 64-bit Linux. I can't reproduce even the assertion on 32-bit Mac.
Comment 2 • 15 years ago (Assignee)
The title consists of only the ellipsis, so the offset is zero, and we check the character before to see if it is a space. If we are at the start then we don't want to insert a separating space.
Assignee: nobody → tnikkel
Attachment #444469 -
Flags: review?(neil)
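The underflow from the description and the guard described in comment 2, as an added example (not Gecko source and not the attached patch). The function names, the "(K)" label format and the ASCII "..." standing in for the localized ellipsis are assumptions.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Added illustration, not Gecko source. Function names and the "(K)" label
// format are assumptions; "..." stands in for the localized ellipsis.
static const std::string kEllipsis = "...";

// Index the unguarded check reads: the character before `offset`.
// An unsigned 32-bit offset of 0 wraps to 4294967295 (2^32-1).
uint32_t UncheckedPrevIndex(uint32_t offset) {
  return offset - 1;
}

// Where the access key text goes: before a trailing ellipsis, otherwise
// at the end of the title. A title that is only the ellipsis yields 0.
uint32_t InsertionOffset(const std::string& title) {
  uint32_t offset = static_cast<uint32_t>(title.size());
  if (title.size() >= kEllipsis.size() &&
      title.compare(title.size() - kEllipsis.size(), kEllipsis.size(),
                    kEllipsis) == 0) {
    offset -= static_cast<uint32_t>(kEllipsis.size());
  }
  return offset;
}

// Guarded check: read title[offset - 1] only when offset > 0. At the start
// of the string there is nothing to separate from, so no space is needed.
bool NeedsSeparatingSpace(const std::string& title, uint32_t offset) {
  return offset > 0 && offset <= title.size() && title[offset - 1] != ' ';
}

// Builds the displayed title, e.g. "Open..." with key 'O' -> "Open (O)...".
std::string WithAccessKey(const std::string& title, char key) {
  const uint32_t offset = InsertionOffset(title);
  std::string label = std::string("(") + key + ")";
  if (NeedsSeparatingSpace(title, offset)) {
    label = " " + label;
  }
  std::string out = title;
  out.insert(offset, label);
  return out;
}

int main() {
  std::cout << UncheckedPrevIndex(InsertionOffset("...")) << "\n";
  std::cout << WithAccessKey("...", 'O') << "\n";
}
```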
Updated • 15 years ago
Attachment #444469 -
Flags: review?(neil) → review+
Comment 3 • 15 years ago (Assignee)
Landed
http://hg.mozilla.org/mozilla-central/rev/e40cbab6a972
but backed out because something in the push was causing orange
http://hg.mozilla.org/mozilla-central/rev/01befa5163ee
Comment 4 • 15 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Updated • 15 years ago (Assignee)
Attachment #444469 -
Flags: approval1.9.2.5?
Attachment #444469 -
Flags: approval1.9.1.11?
Updated • 14 years ago
Attachment #444469 -
Flags: approval1.9.2.5?
Attachment #444469 -
Flags: approval1.9.2.5+
Attachment #444469 -
Flags: approval1.9.1.11?
Attachment #444469 -
Flags: approval1.9.1.11+
Comment 5 • 14 years ago
Comment on attachment 444469
patch
Approved for 1.9.2.6 and 1.9.1.11, a=dveditz for release-drivers
Comment 6 • 14 years ago (Assignee)
status1.9.1:
--- → .11-fixed
Comment 7 • 14 years ago (Assignee)
status1.9.2:
--- → .6-fixed
Updated • 14 years ago
Attachment #444469 -
Flags: approval1.9.2.5+ → approval1.9.2.6+
Comment 8 • 14 years ago
Verified for 1.9.2 on 64-bit Ubuntu 10.4 with Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.6pre) Gecko/20100622 Namoroka/3.6.6pre. Crashes the 1.9.2.4 release with attached testcase.
Keywords: verified1.9.2
Updated • 14 years ago
Group: core-security
Comment 9 • 14 years ago (Assignee)
Added crashtest
http://hg.mozilla.org/mozilla-central/rev/ec7b4a08a04e
Flags: in-testsuite? → in-testsuite+
Updated • 13 years ago
Crash Signature: [@ nsTextBoxFrame::UpdateAccessTitle]