Closed Bug 633477 Opened 14 years ago Closed 14 years ago

Invalid read of size 4 of freed memory [@ gfxUserFontSet::FindFontEntry]

Categories

(Core :: CSS Parsing and Computation, defect)

x86_64
Linux
defect
Not set
normal


RESOLVED DUPLICATE of bug 633500

People

(Reporter: bc, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: regression, valgrind)

Attachments

(2 files)

1. crashtest layout/style/crashtests/472237-1.html

Valgrind Stack

Invalid read of size 4
   at 0x6D3A896: gfxUserFontSet::FindFontEntry(nsAString_internal const&, gfxFontStyle const&, int&, int&) (gfxUserFontSet.cpp:206)
   by 0x6D4E04D: FindFontPatterns(gfxUserFontSet*, nsACString_internal const&, unsigned char, unsigned short, int&) (gfxPangoFonts.cpp:1203)
   by 0x6D4E6C9: gfxFcFontSet::SortPreferredFonts(int&) (gfxPangoFonts.cpp:1371)
   by 0x6D53EAD: gfxFcFontSet::gfxFcFontSet(_FcPattern*, gfxUserFontSet*) (gfxPangoFonts.cpp:1102)
   by 0x6D4FD44: gfxPangoFontGroup::MakeFontSet(_PangoLanguage*, double, nsAutoRef<_FcPattern>*) (gfxPangoFonts.cpp:1911)
   by 0x6D513CF: gfxPangoFontGroup::GetBaseFontSet() (gfxPangoFonts.cpp:2398)
   by 0x6D4F9D9: gfxPangoFontGroup::GetBaseFont() (gfxPangoFonts.cpp:1848)
   by 0x6D4FACF: gfxPangoFontGroup::GetFontAt(int) (gfxPangoFonts.cpp:1866)
   by 0x6870D97: nsThebesFontMetrics::GetMetrics() const (nsThebesFontMetrics.cpp:112)
   by 0x68711DD: nsThebesFontMetrics::GetExternalLeading(int&) (nsThebesFontMetrics.cpp:190)
   by 0x57A9BBB: GetNormalLineHeight(nsIFontMetrics*) (nsHTMLReflowState.cpp:2099)
   by 0x57A9E15: ComputeLineHeight(nsStyleContext*, int) (nsHTMLReflowState.cpp:2149)
 Address 0x15f54d08 is 152 bytes inside a block of size 176 free'd
   at 0x4A05E04: free (vg_replace_malloc.c:366)
   by 0x8752E53: moz_free (mozalloc.cpp:92)
   by 0x6D3A310: gfxProxyFontEntry::~gfxProxyFontEntry() (mozalloc.h:253)
   by 0x58AAAD7: gfxFontEntry::Release() (gfxFont.h:209)
   by 0x58AABF4: nsRefPtr<gfxFontEntry>::~nsRefPtr() (nsAutoPtr.h:969)
   by 0x6D25D13: nsTArrayElementTraits<nsRefPtr<gfxFontEntry> >::Destruct(nsRefPtr<gfxFontEntry>*) (nsTArray.h:279)
   by 0x6D25086: nsTArray<nsRefPtr<gfxFontEntry>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) (nsTArray.h:1106)
   by 0x6D230C5: nsTArray<nsRefPtr<gfxFontEntry>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) (nsTArray.h:834)
   by 0x6D3CA8C: nsTArray<nsRefPtr<gfxFontEntry>, nsTArrayDefaultAllocator>::RemoveElementAt(unsigned int) (nsTArray.h:840)
   by 0x6D3C2EF: gfxMixedFontFamily::RemoveFontEntry(gfxFontEntry*) (gfxUserFontSet.h:117)
   by 0x6D3BC25: gfxUserFontSet::LoadNext(gfxProxyFontEntry*) (gfxUserFontSet.cpp:686)
   by 0x6D3A86F: gfxUserFontSet::FindFontEntry(nsAString_internal const&, gfxFontStyle const&, int&, int&) (gfxUserFontSet.cpp:196)
Attached patch stack (deleted) — Splinter Review
gfxUserFontSet::FindFontEntry calls LoadNext, which removes the font entry; it's the last reference, so it's deleted. FindFontEntry then tries to read "proxyEntry->mLoadingState" of the deleted object.
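The lifetime pattern behind this report, as an added C++ example that is not Mozilla code and not the attached patch (which is deleted on this page): a method holds a raw pointer to a refcounted object, calls a routine that drops the container's (and last) reference, and then reads a field of the now-freed object. ProxyEntry, FontFamily, UserFontSet, LoadNext and FindFontEntry are stand-ins for gfxProxyFontEntry, gfxMixedFontFamily, gfxUserFontSet::LoadNext and gfxUserFontSet::FindFontEntry; RefPtr stands in for nsRefPtr. Release() parks the object in a quarantine instead of deleting it, so the dangling read is observable in a test rather than undefined behaviour. The "fixed" path holds a strong reference across the call; it is one way to close the window, not a claim about what fix v1 does.

```cpp
#include <algorithm>
#include <cstdio>
#include <utility>
#include <vector>

struct ProxyEntry;

// Quarantine instead of `delete this`, so a read of a released entry is
// detectable here instead of being undefined behaviour (constructed for the demo).
static std::vector<ProxyEntry*> gQuarantine;

struct ProxyEntry {
    int  mRefCnt       = 0;
    bool mFreed        = false;   // set when the last reference is dropped
    int  mLoadingState = 1;       // the field FindFontEntry reads after LoadNext

    void AddRef() { ++mRefCnt; }
    void Release() {
        if (--mRefCnt == 0) {
            mFreed = true;
            mLoadingState = -1;   // poison: freed memory may hold anything
            gQuarantine.push_back(this);
        }
    }
};

static void DrainQuarantine() {
    for (ProxyEntry* e : gQuarantine) delete e;
    gQuarantine.clear();
}

// Minimal intrusive strong pointer with the same shape as nsRefPtr.
template <class T>
class RefPtr {
    T* mPtr;
public:
    RefPtr() : mPtr(nullptr) {}
    RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
    RefPtr(const RefPtr& o) : RefPtr(o.mPtr) {}
    RefPtr& operator=(RefPtr o) { std::swap(mPtr, o.mPtr); return *this; }
    ~RefPtr() { if (mPtr) mPtr->Release(); }
    T* get() const { return mPtr; }
    T* operator->() const { return mPtr; }
};

struct FontFamily {
    std::vector<RefPtr<ProxyEntry>> mEntries;   // the family's references
    // Like gfxMixedFontFamily::RemoveFontEntry -> nsTArray::RemoveElementAt:
    // destroying the stored RefPtr drops what may be the last reference.
    void RemoveFontEntry(ProxyEntry* e) {
        mEntries.erase(std::remove_if(mEntries.begin(), mEntries.end(),
                           [e](const RefPtr<ProxyEntry>& p) { return p.get() == e; }),
                       mEntries.end());
    }
};

struct ReadResult {
    int  loadingState;
    bool touchedFreedObject;   // true if the dereference hit a released entry
};

struct UserFontSet {
    FontFamily mFamily;

    // Models the branch of LoadNext in the stack above: the proxy is removed
    // from its family, which destroys the family's RefPtr to it.
    void LoadNext(ProxyEntry* proxy) { mFamily.RemoveFontEntry(proxy); }

    // The shape in the Valgrind report: a raw pointer is dereferenced after
    // LoadNext has dropped the only reference to it.
    ReadResult FindFontEntryBuggy(ProxyEntry* proxy) {
        LoadNext(proxy);
        return { proxy->mLoadingState, proxy->mFreed };
    }

    // One fix: take a strong reference for the duration of the call (the
    // Mozilla idiom is a "kungFuDeathGrip" local). The entry now outlives
    // the read and is released when the local goes out of scope.
    ReadResult FindFontEntryFixed(ProxyEntry* proxy) {
        RefPtr<ProxyEntry> kungFuDeathGrip(proxy);
        LoadNext(proxy);
        return { proxy->mLoadingState, proxy->mFreed };
    }
};

// Builds a set whose family holds the only reference to one proxy entry,
// runs the chosen path, and reports what the dereference saw.
static ReadResult RunScenario(bool fixed) {
    DrainQuarantine();
    UserFontSet set;
    ProxyEntry* proxy = new ProxyEntry;
    set.mFamily.mEntries.push_back(RefPtr<ProxyEntry>(proxy));   // refcount is now 1
    ReadResult r = fixed ? set.FindFontEntryFixed(proxy)
                         : set.FindFontEntryBuggy(proxy);
    DrainQuarantine();
    return r;
}

int main() {
    ReadResult bad = RunScenario(false);
    ReadResult ok  = RunScenario(true);
    std::printf("buggy: state=%d freed=%d\n", bad.loadingState, bad.touchedFreedObject);
    std::printf("fixed: state=%d freed=%d\n", ok.loadingState, ok.touchedFreedObject);
    return 0;
}
```

The other fix shape, equally valid for this bug, is to not dereference the proxy at all once LoadNext may have removed it: have LoadNext report whether the entry was dropped and return early on that path. Either way, the invariant to check in review is that no raw pointer into a refcounted container is read across a call that can mutate the container.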
Attached patch fix v1 (deleted) — Splinter Review
Assignee: nobody → matspal
Attachment #511717 - Flags: review?(jdaggett)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Attachment #511717 - Flags: review?(jdaggett)
blocking2.0: ? → ---
Group: core-security
