Closed
Bug 1135426
Opened 9 years ago
Closed 9 years ago
Bug 966166 reverted the fix for bug 964078
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
()
RESOLVED
FIXED
mozilla38
| Tracking | Status | |
|---|---|---|
| firefox35 | --- | wontfix |
| firefox36 | --- | wontfix |
| firefox37 | --- | wontfix |
| firefox38 | --- | fixed |
| firefox-esr31 | --- | unaffected |
| b2g-v1.4 | --- | unaffected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | wontfix |
| b2g-v2.1S | --- | wontfix |
| b2g-v2.2 | --- | wontfix |
| b2g-master | --- | fixed |
People
(Reporter: MatsPalmgren_bugz, Assigned: xidorn)
References
Details
(5 keywords, Whiteboard: [adv-main38-])
Attachments
(1 file)
|
1.00 KB,
patch
|
MatsPalmgren_bugz
:
review+
lmandel
:
approval-mozilla-beta-
Sylvestre
:
approval-mozilla-release-
|
Details | Diff | Splinter Review |
"part 5" in bug 966166 removed the fixed version of CJKIdeographicToText which lived in layout/generic/nsBulletFrame.cpp and instead landed the old version of CJKIdeographicToText without the fix for bug 964078 in layout/style/CounterStyleManager.cpp https://bugzilla.mozilla.org/attachment.cgi?id=8438903&action=diff Instead there is now a NS_ASSERTION(aOrdinal >= 0, "Only accept non-negative ordinal"); which fails for the testcase in bug 964078.
|
Reporter | |
Comment 1•9 years ago
|
||
Xidorn, did you revert the fix from bug 964078 intentionally? If so, what is it that is supposed to guarantee that aOrdinal is non-negative exactly?
Severity: normal → critical
Flags: needinfo?(quanxunzhen)
OS: Windows 7 → All
Hardware: x86 → All
|
Assignee | |
Comment 2•9 years ago
|
||
I cannot see content of bug 964078, could you cc that to me?
|
|
Assignee | |
Updated•9 years ago
|
Flags: needinfo?(mats)
|
|
Reporter | |
Comment 4•9 years ago
|
||
FYI, it's only "Android 4.0 API11+ debug" that failed, so maybe something is odd with that platform? https://treeherder.mozilla.org/#/jobs?repo=try&revision=59e3140297b2
|
|
Assignee | |
Comment 5•9 years ago
|
||
OK, yes, it is supposed to guarantee that aOrdinal is non-negative, because after bug 966166, the negative sign is handled in another path. And that assert could happen on Android platform because bug 989718 that the ARM compiler invalidates the CheckedInt used in CounterStyle::GetCounterText. [1] This problem also causes some known reftest failures in layout/reftests/counters. [2] [1] https://dxr.mozilla.org/mozilla-central/source/layout/style/CounterStyleManager.cpp#1866 [2] https://dxr.mozilla.org/mozilla-central/source/layout/reftests/counters/reftest.list#63
Flags: needinfo?(quanxunzhen)
|
|
Reporter | |
Comment 6•9 years ago
|
||
OK, so I guess that means bug 964078 still occurs on that platform. So we should probably try to fix bug 989718 with higher priority, or add a wallpaper in CJKIdeographicToText using a uint32_t like I did in bug 964078, would that work?
Depends on: 989718
|
|
Assignee | |
Comment 7•9 years ago
|
||
The best way would be fixing bug 989718. Instead of wrapping aOrdinal, I'd prefer changing int32_t cur = aOrdinal % 10; to something like: auto cur = static_cast<MakeUnsigned<CounterValue>::Type>(aOrdinal) % 10;
|
|
Assignee | |
Comment 8•9 years ago
|
||
This won't fix the reftest failures and assertions. But I guess it's probably better to leave them as they are now, because we don't actually fix the problem before we fix bug 989718.
Attachment #8567592 -
Flags: review?(mats)
|
|
Reporter | |
Updated•9 years ago
|
Attachment #8567592 -
Flags: review?(mats) → review+
|
|
Assignee | |
Comment 9•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9e46e93f81dd
|
|
Assignee | |
Comment 10•9 years ago
|
||
Comment on attachment 8567592 [details] [diff] [review] patch Approval Request Comment [Feature/regressing bug #]: bug 966166 [User impact if declined]: may be exposed to buffer overflow issue on ARM platforms where we use the buggy compiler [Describe test coverage new/current, TreeHerder]: no test [Risks and why]: no risk [String/UUID change made/needed]: n/a
Attachment #8567592 -
Flags: approval-mozilla-release?
Attachment #8567592 -
Flags: approval-mozilla-beta?
Attachment #8567592 -
Flags: approval-mozilla-aurora?
|
|
Reporter | |
Comment 11•9 years ago
|
||
In bug 964078 we concluded that it isn't a very serious issue though. See analysis in bug 964078 comment 12.
|
|
Assignee | |
Comment 12•9 years ago
|
||
I'm not sure, because the worst case is using gDataJapaneseInformal. What is gDataJapaneseInformal.digits[-9] is unknown, because it is the first table in that file. But it might still be fine, because it is highly possible that it is still some static data.
|
||
Comment 13•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9e46e93f81dd
Assignee: nobody → quanxunzhen
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox38:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
|
||
Comment 14•9 years ago
|
||
Comment on attachment 8567592 [details] [diff] [review] patch Too late for release, we build rc and for now at least, we don't have a reason to rebuild a second rc.
Attachment #8567592 -
Flags: approval-mozilla-release? → approval-mozilla-release-
|
|
Assignee | |
Updated•9 years ago
|
status-firefox35:
--- → affected
status-firefox36:
--- → affected
status-firefox37:
--- → affected
status-firefox-esr31:
--- → unaffected
|
||
Comment 15•9 years ago
|
||
I'm marking both 35 (EOL tomorrow) and 36, which is scheduled to release tomorrow, as wontfix. We can look at taking this fix in 37.
|
|
||
Comment 16•9 years ago
|
||
Comment on attachment 8567592 [details] [diff] [review] patch Clearing Aurora approval as Aurora is now 38, which is already fixed.
Attachment #8567592 -
Flags: approval-mozilla-aurora?
|
||
Updated•9 years ago
|
Group: layout-core-security → core-security
|
|
||
Comment 17•9 years ago
|
||
mats, xidorn - From comment 11 and comment 12 I'm not sure you two are on the same page wrt this fix. Is there a good reason not to uplift this fix to 37?
Flags: needinfo?(quanxunzhen)
Flags: needinfo?(mats)
|
|
Reporter | |
Comment 18•9 years ago
|
||
The out-of-bounds read is limited to 9 bytes. Even if gDataJapaneseInformal is first in that section, so you might be able to read a few bytes off the end of the previous memory page, it still sec-low IMO. It might cause crashes if that address isn't mapped. It only affects platforms where we use a buggy compiler (bug 989718). It doesn't seem worth uploading to Beta to me.
Flags: needinfo?(mats)
OS: All → Android
Hardware: All → ARM
|
|
Assignee | |
Comment 19•9 years ago
|
||
I have no idea. If mats says it's not important then it's not important, although I think it's trivial to uplift.
Flags: needinfo?(quanxunzhen)
|
|
||
Comment 20•9 years ago
|
||
Comment on attachment 8567592 [details] [diff] [review] patch OK. If this isn't required, let's let it ride the 38 train. Thank you both for you input on this and Xidorn for the fix! Beta-
Attachment #8567592 -
Flags: approval-mozilla-beta? → approval-mozilla-beta-
|
|
||
Updated•9 years ago
|
|
||
Updated•9 years ago
|
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → wontfix
status-b2g-v2.1S:
--- → wontfix
status-b2g-v2.2:
--- → wontfix
status-b2g-master:
--- → fixed
|
||
Updated•9 years ago
|
Whiteboard: [adv-main38-]
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•