Closed Bug 732696 Opened 13 years ago Closed 13 years ago

Invalid write in gfxShapedWord::SetupClusterBoundaries with U+1112C

Categories

(Core :: Layout: Text and Fonts, defect)

Product:
Core
Component:
Layout: Text and Fonts
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 732330

People

(Reporter: jruderman, Unassigned)

References

Details

(4 keywords, Whiteboard: [sg:critical])

Attachments

(1 file)

testcase (crashes Firefox)
(deleted), text/html
Details
Attached file testcase (crashes Firefox) (deleted) —
The testcase crashes Firefox trunk at random within a few seconds. It's more deterministic (and less crashy) under Valgrind: > Invalid write of size 4 > at 0xA696696: gfxShapedWord::SetupClusterBoundaries(gfxShapedWord::CompressedGlyph*, unsigned short const*, unsigned int) (gfxFont.cpp:3806) > by 0xA6A2286: void gfxFontGroup::InitScriptRun<unsigned short>(gfxContext*, gfxTextRun*, unsigned short const*, unsigned int, unsigned int, int) (gfxFont.cpp:3240) > by 0xA69E7B6: void gfxFontGroup::InitTextRun<unsigned short>(gfxContext*, gfxTextRun*, unsigned short const*, unsigned int) (gfxFont.cpp:3171) > by 0xA694E47: gfxFontGroup::MakeTextRun(unsigned short const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) (gfxFont.cpp:3076) > by 0x89ACC44: gfxTextRun* MakeTextRun<unsigned short>(unsigned short const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int) (nsTextFrameThebes.cpp:559) > by 0x8993764: BuildTextRunsScanner::BuildTextRunForFrames(void*) (nsTextFrameThebes.cpp:1972) > by 0x8991B40: BuildTextRunsScanner::FlushFrames(bool, bool) (nsTextFrameThebes.cpp:1397) > by 0x89964C9: BuildTextRuns(gfxContext*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType, float) (nsTextFrameThebes.cpp:1325) > by 0x89955C3: nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, float, gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) (nsTextFrameThebes.cpp:2390) > by 0x89A7C6B: nsTextFrame::ReflowText(nsLineLayout&, int, nsRenderingContext*, bool, nsHTMLReflowMetrics&, unsigned int&) (nsTextFrameThebes.cpp:7375) > by 0x895B26D: nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) (nsLineLayout.cpp:870) > by 0x88CA500: nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) (nsBlockFrame.cpp:3837) > Address 0x1032926f0 is 0 bytes after a block of size 128 alloc'd > at 0xC743: malloc (vg_replace_malloc.c:266) > by 0x7E1C784: moz_malloc (mozalloc.cpp:113) > by 0xA696E64: gfxTextRun::AllocateStorageForTextRun(unsigned long, unsigned int) (gfxFont.cpp:3977) > by 0xA69423F: gfxTextRun::Create(gfxTextRunFactory::Parameters const*, void const*, unsigned int, gfxFontGroup*, unsigned int) (gfxFont.cpp:3994) > by 0xA694E0C: gfxFontGroup::MakeTextRun(unsigned short const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) (gfxFont.cpp:3070) > by 0x89ACC44: gfxTextRun* MakeTextRun<unsigned short>(unsigned short const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int) (nsTextFrameThebes.cpp:559) > by 0x8993764: BuildTextRunsScanner::BuildTextRunForFrames(void*) (nsTextFrameThebes.cpp:1972) > by 0x8991B40: BuildTextRunsScanner::FlushFrames(bool, bool) (nsTextFrameThebes.cpp:1397) > by 0x89964C9: BuildTextRuns(gfxContext*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType, float) (nsTextFrameThebes.cpp:1325) > by 0x89955C3: nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, float, gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) (nsTextFrameThebes.cpp:2390) > by 0x89A7C6B: nsTextFrame::ReflowText(nsLineLayout&, int, nsRenderingContext*, bool, nsHTMLReflowMetrics&, unsigned int&) (nsTextFrameThebes.cpp:7375) > by 0x895B26D: nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) (nsLineLayout.cpp:870) Seems to be a regression from the last few days.
Whiteboard: [sg:critical]
This is the same issue as jdaggett encountered in bug 732330, and is already fixed on mozilla-inbound by bug 732443.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: