Closed Bug 1161366 Opened 5 years ago Closed 5 years ago

crash in FontFace.load when loading a second face for a font using unicode-range

Categories

(Core :: DOM: CSS Object Model, defect)


Tracking

RESOLVED FIXED
mozilla40
Tracking Status
firefox40 --- fixed

People

(Reporter: heycam, Assigned: heycam)

Attachments

(2 files)

Attached file test (crashes Firefox)
The attachment will crash Firefox with a null pointer dereference if the Font Loading API is enabled (as it is currently on Nightly/Aurora).
This is because we're parsing the font descriptor values passing null for the sheet URI.  The sheet URI gets stored in the URLValue, and then copied into the gfxFontFaceSrc object, where its operator== assumes that it is non-null.
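
A simplified model of the failure described in the report above, added here as an illustration and not taken from the bug, its patch, or Gecko. `Uri`, `FontSrc` and every function below are hypothetical stand-ins, and the sample sources are constructed; the block puts an equality check that assumes a non-null sheet URI beside a null-tolerant one.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Simplified model, not Gecko code. Uri and FontSrc are hypothetical
// stand-ins for the URI object and the font source record in the report.
struct Uri {
    std::string spec;
    bool Equals(const Uri& other) const { return spec == other.spec; }
};
using UriPtr = std::shared_ptr<const Uri>;

struct FontSrc {
    UriPtr url;       // location of the font resource
    UriPtr sheetUri;  // URI the descriptor was parsed against; null when
                      // the parser was handed no sheet URI
};

// Fragile form: dereferences sheetUri unconditionally, so comparing two
// sources that were parsed with a null sheet URI is a null dereference.
bool EqualsUnchecked(const FontSrc& a, const FontSrc& b) {
    return a.url->Equals(*b.url) && a.sheetUri->Equals(*b.sheetUri);
}

// Null-tolerant comparison: two absent URIs match, absent vs present do not.
bool SameUri(const UriPtr& a, const UriPtr& b) {
    if (!a || !b) return !a && !b;
    return a->Equals(*b);
}

bool EqualsChecked(const FontSrc& a, const FontSrc& b) {
    return SameUri(a.url, b.url) && SameUri(a.sheetUri, b.sheetUri);
}

// In this model the comparison only runs once an earlier source exists,
// so a lone source never reaches the dereference but a second one does.
int FindMatching(const std::vector<FontSrc>& known, const FontSrc& candidate) {
    for (std::size_t i = 0; i < known.size(); ++i)
        if (EqualsChecked(known[i], candidate)) return static_cast<int>(i);
    return -1;
}

// Builds a constructed sample source; pass nullptr for "no sheet URI".
FontSrc MakeSrc(const char* url, const char* sheet) {
    return { std::make_shared<const Uri>(Uri{url}),
             sheet ? std::make_shared<const Uri>(Uri{sheet}) : UriPtr() };
}
```

The null-tolerant comparison only contains the crash at the point of use; supplying a real URI where the descriptors are parsed keeps the null from entering the record in the first place.
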
Attached patch patch
Assignee: nobody → cam
Status: NEW → ASSIGNED
Attachment #8601252 - Flags: review?(dbaron)
Blocks: 1149381
Comment on attachment 8601252
patch

Maybe call the variable docURI instead of just uri?

r=dbaron
Attachment #8601252 - Flags: review?(dbaron) → review+
https://hg.mozilla.org/mozilla-central/rev/0faf5cdec061
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40