
crash in FontFace.load when loading a second face for a font using unicode-range

RESOLVED FIXED in Firefox 40

Status


Core
DOM: CSS Object Model
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: heycam, Assigned: heycam)

Tracking

Trunk
mozilla40

Firefox Tracking Flags

(firefox40 fixed)

Details

Attachments

(2 attachments)

(Assignee)

Description

2 years ago
Created attachment 8601238 [details]
test (crashes Firefox)

The attachment will crash Firefox with a null pointer dereference if the Font Loading API is enabled (as it is currently on Nightly/Aurora).
(Assignee)

Comment 1

2 years ago
This is because we're parsing the font descriptor values passing null for the sheet URI.  The sheet URI gets stored in the URLValue, and then copied into the gfxFontFaceSrc object, where its operator== assumes that it is non-null.
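The failure mode described in comment 1, modelled as an added example that is not part of the bug report or of Gecko's source. `Uri`, `FaceSrc`, `ParseSrc` and `FindExisting` are hypothetical stand-ins, and the document-URI fallback and the cache lookup are assumptions rather than a description of the landed patch.

```cpp
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins for the objects named in comment 1; not Gecko's classes.
struct Uri {
    std::string spec;
    bool Equals(const Uri& o) const { return spec == o.spec; }
};

struct FaceSrc {
    std::string url;
    std::shared_ptr<Uri> referrer;  // copied from the parsed URL value's sheet URI
};

// Pattern from comment 1: equality assumes the stored URI is never null.
// Calling this with a null referrer on either side dereferences a null pointer.
bool EqualsAssumingNonNull(const FaceSrc& a, const FaceSrc& b) {
    return a.url == b.url && a.referrer->Equals(*b.referrer);
}

// Defensive comparison: two null referrers match, null versus non-null do not.
bool EqualsNullSafe(const FaceSrc& a, const FaceSrc& b) {
    if (a.url != b.url) return false;
    if (!a.referrer || !b.referrer) return a.referrer == b.referrer;
    return a.referrer->Equals(*b.referrer);
}

// Enforce the invariant where the value is created: when no sheet URI exists
// (a face built from script rather than a stylesheet), fall back to a
// caller-supplied document URI (assumed mitigation).
FaceSrc ParseSrc(const std::string& url, std::shared_ptr<Uri> sheetUri,
                 std::shared_ptr<Uri> docUri) {
    return FaceSrc{url, sheetUri ? sheetUri : docUri};
}

// Assumed lookup performed when another face is loaded: compare the new
// source against the ones already known. Returns the index, or -1 if absent.
int FindExisting(const std::vector<FaceSrc>& cache, const FaceSrc& wanted) {
    for (size_t i = 0; i < cache.size(); ++i)
        if (EqualsNullSafe(cache[i], wanted)) return static_cast<int>(i);
    return -1;
}
```

Fixing the invariant at parse time keeps every later consumer of the stored URI safe, while the null-safe comparison only protects this one call site.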
(Assignee)

Comment 2

2 years ago
Created attachment 8601252 [details] [diff] [review]
patch
Assignee: nobody → cam
Status: NEW → ASSIGNED
Attachment #8601252 - Flags: review?(dbaron)
(Assignee)

Updated

2 years ago
Blocks: 1149381
Comment on attachment 8601252 [details] [diff] [review]
patch

Maybe call the variable docURI instead of just uri?

r=dbaron
Attachment #8601252 - Flags: review?(dbaron) → review+

Comment 4

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/0faf5cdec061
https://hg.mozilla.org/mozilla-central/rev/0faf5cdec061
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox40: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40