Closed Bug 1161366 Opened 9 years ago Closed 9 years ago

crash in FontFace.load when loading a second face for a font using unicode-range

Categories

(Core :: DOM: CSS Object Model, defect)

Product:
Core
Component:
DOM: CSS Object Model
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla40
Tracking Flags:
Tracking Status
firefox40 --- fixed

People

(Reporter: heycam, Assigned: heycam)

References

Details

Attachments

(2 files)

test (crashes Firefox)
196 bytes, text/html
Details
patch
2.16 KB, patch
dbaron
: review+
Details | Diff | Splinter Review
Attached file test (crashes Firefox) 
The attachment will crash Firefox with a null pointer dereference if the Font Loading API is enabled (as it is currently on Nightly/Aurora).
This is because we're parsing the font descriptor values passing null for the sheet URI.  The sheet URI gets stored in the URLValue, and then copied into the gfxFontFaceSrc object, where its operator== assumes that it is non-null.
Attached patch patchSplinter Review 
Assignee: nobody → cam
Status: NEW → ASSIGNED

        Attachment #8601252 -
        Flags: review?(dbaron)

    
  
Blocks: 1149381

    
    

    
  
Comment on attachment 8601252 [details] [diff] [review]
patch

Maybe call the variable docURI instead of just uri?

r=dbaron

        Attachment #8601252 -
        Flags: review?(dbaron) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/0faf5cdec061
Status: ASSIGNED → RESOLVED
Closed: 9 years ago

          status-firefox40:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: