a large font-size will crash firefox

RESOLVED FIXED in mozilla1.9alpha5





(Reporter: g.ficara, Assigned: vlad)


({crash, testcase})

Bug Flags:
blocking1.9 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:nse])


(3 attachments, 1 obsolete attachment)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; it; rv: Gecko/20060719 Firefox/
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; it; rv: Gecko/20060719 Firefox/

I obtained this crash when viewing a page which contained a css directive with large value for font-size attribute.

Reproducible: Always

Steps to Reproduce:
1. open the example file

Actual Results:  
Firefox crashes

Expected Results:  
Correct rendering or maybe wrap the font-size to a fixed value...?

I'm using Gentoo mozilla-firefox-bin package.
Save your work before opening... :)
Looks like it doesn't crash on Ubuntu's Firefox (checked with a friend of mine).
Assignee: dbaron → nobody
Component: Style System (CSS) → GFX: Gtk
QA Contact: ian → gtk
Works for me, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060814 BonEcho/2.0b1
Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.7) Gecko/20060525

(dbx) attach 2951
Attached to process 2951 with 3 LWPs
t@1 (l@1) stopped in __pollsys at 0xfef59695
0xfef59695: __pollsys+0x0015:   jb       __cerror       [ 0xfeeef710, .-0x69f85 ]
(dbx) c
c: not found
(dbx) cont
t@1 (l@1) signal PIPE (Broken Pipe) in _writev at 0xfef5a095
0xfef5a095: _writev+0x0015:     jae      _writev+0x21   [ 0xfef5a0a1, .+0xc ]
(dbx) where
current thread: t@1
=>[1] _writev(0x4, 0x803e298, 0x2), at 0xfef5a095
  [2] writev(0x4, 0x803e298, 0x2), at 0xfef4d96f
  [3] _X11TransSocketWritev(0x80bd1a0, 0x803e298, 0x2, 0x803e2d0, 0xfe75c577, 0x80bd1a0), at 0xfe75a26c
  [4] _X11TransWritev(0x80bd1a0, 0x803e298, 0x2), at 0xfe75a243
  [5] _XSend(0x80bda38, 0x8e543b0, 0x43d1f4), at 0xfe75c577
  [6] XRenderAddGlyphs(0x80bda38, 0x4c02961, 0x8040464, 0x8a6a230, 0x1, 0x8e543b0, 0x43d1f4), at 0xfa913087
  [7] XftFontLoadGlyphs(0x80bda38, 0x8dc5f28, 0x1, 0x8040494, 0x1), at 0xfa3be9ea
  [8] XftGlyphFontSpecRender(0x80bda38, 0x3, 0x4c00074, 0x4c02968, 0x0, 0x0, 0x80424a0, 0x6), at 0xfa3c08bc
  [9] XftDrawGlyphFontSpec(0x8a12b18, 0x8042480, 0x80424a0, 0x6), at 0xfa3ba5b4
  [10] nsAutoDrawSpecBuffer::Flush(0x8042494), at 0xfaa2c58f
  [11] nsFontMetricsXft::DrawString(0x8a89800, 0x8a41f10, 0x6, 0x0, 0x7215, 0x0), at 0xfaa2894a
  [12] nsRenderingContextGTK::DrawString(0x8b56b60, 0x8a41f10, 0x6, 0x0, 0x7215, 0x0), at 0xfaa12ee7
  [13] nsTextFrame::PaintAsciiText(0x8456840, 0x8dd7e20, 0x8b56b60, 0x8456814, 0x8045a20, 0x0, 0x0), at 0xfb8e0a56
  [14] nsTextFrame::Paint(0x8456840, 0x8dd7e20, 0x8b56b60, 0x8045ad0, 0x2, 0x0), at 0xfb8dcdef
  [15] nsContainerFrame::PaintChild(0x84567c4, 0x8dd7e20, 0x8b56b60, 0x8045cc0, 0x8456840, 0x2, 0x0), at 0xfb88c5f6
  [16] nsBlockFrame::PaintChild(0x84567c4, 0x8dd7e20, 0x8b56b60, 0x8045cc0, 0x8456840, 0x2, 0x0), at 0xfb88632a
  [17] PaintLine(0x8045ba0, 0x8045cc0, 0x8045be4, 0x0, 0x8045be0, 0x8dd7e20, 0x8b56b60, 0x2, 0x84567c4), at 0xfb886172
  [18] nsBlockFrame::PaintChildren(0x84567c4, 0x8dd7e20, 0x8b56b60, 0x8045cc0, 0x2, 0x0), at 0xfb88414b
  [19] nsHTMLContainerFrame::PaintDecorationsAndChildren(0x84567c4, 0x8dd7e20, 0x8b56b60, 0x8045cc0, 0x2, 0x1, 0x0), at 0xfb89ec76
  [20] nsBlockFrame::Paint(0x84567c4, 0x8dd7e20, 0x8b56b60, 0x8045cc0, 0x2, 0x0), at 0xfb883ed9
  [21] nsContainerFrame::PaintChild(0x8456338, 0x8dd7e20, 0x8b56b60, 0x8045eb0, 0x84567c4, 0x2, 0x0), at 0xfb88c5f6
  [22] nsBlockFrame::PaintChild(0x8456338, 0x8dd7e20, 0x8b56b60, 0x8045eb0, 0x84567c4, 0x2, 0x0), at 0xfb88632a
  [23] PaintLine(0x8045d90, 0x8045eb0, 0x8045dd4, 0x0, 0x8045dd0, 0x8dd7e20, 0x8b56b60, 0x2, 0x8456338), at 0xfb886172
  [24] nsBlockFrame::PaintChildren(0x8456338, 0x8dd7e20, 0x8b56b60, 0x8045eb0, 0x2, 0x0), at 0xfb88414b
  [25] nsHTMLContainerFrame::PaintDecorationsAndChildren(0x8456338, 0x8dd7e20, 0x8b56b60, 0x8045eb0, 0x2, 0x1, 0x0), at 0xfb89ec76
  [26] nsBlockFrame::Paint(0x8456338, 0x8dd7e20, 0x8b56b60, 0x8045eb0, 0x2, 0x0), at 0xfb883ed9
  [27] nsContainerFrame::PaintChild(0x8456110, 0x8dd7e20, 0x8b56b60, 0x80460a0, 0x8456338, 0x2, 0x0), at 0xfb88c5f6
  [28] nsBlockFrame::PaintChild(0x8456110, 0x8dd7e20, 0x8b56b60, 0x80460a0, 0x8456338, 0x2, 0x0), at 0xfb87d60a
  [29] PaintLine(0x8045f80, 0x80460a0, 0x8045fc4, 0x0, 0x8045fc0, 0x8dd7e20, 0x8b56b60, 0x2, 0x8456110), at 0xfb886172
  [30] nsBlockFrame::PaintChildren(0x8456110, 0x8dd7e20, 0x8b56b60, 0x80460a0, 0x2, 0x0), at 0xfb88414b
  [31] nsHTMLContainerFrame::PaintDecorationsAndChildren(0x8456110, 0x8dd7e20, 0x8b56b60, 0x80460a0, 0x2, 0x1, 0x0), at 0xfb89ec76
  [32] nsBlockFrame::Paint(0x8456110, 0x8dd7e20, 0x8b56b60, 0x80460a0, 0x2, 0x0), at 0xfb883ed9
  [33] nsContainerFrame::PaintChild(0x8c6b990, 0x8dd7e20, 0x8b56b60, 0x80462b0, 0x8456110, 0x2, 0x0), at 0xfb88c5f6
  [34] nsContainerFrame::PaintChildren(0x8c6b990, 0x8dd7e20, 0x8b56b60, 0x80462b0, 0x2, 0x0), at 0xfb88c4ed
  [35] nsHTMLContainerFrame::Paint(0x8c6b990, 0x8dd7e20, 0x8b56b60, 0x80462b0, 0x2, 0x0), at 0xfb89eadd
  [36] CanvasFrame::Paint(0x8c6b990, 0x8dd7e20, 0x8b56b60, 0x80462b0, 0x2, 0x0), at 0xfb89fb3e
  [37] PresShell::Paint(0x8b64478, 0x89b52d0, 0x8b56b60, 0x80462b0), at 0xfb8d2e24
  [38] nsView::Paint(0x89b52d0, 0x8b56b60, 0x80462b0, 0x0, 0x80462cc), at 0xfbc2c72d
  [39] nsViewManager::RenderDisplayListElement(0x8cd9d08, 0x8d86508, 0x8b56b60), at 0xfbc329a5
  [40] nsViewManager::RenderViews(0x8cd9d08, 0x8a23ad8, 0x8b56b60, 0x8046410, 0x8800c40, 0x8046460), at 0xfbc32285
  [41] nsViewManager::Refresh(0x8cd9d08, 0x8a23ad8, 0x8b56b60, 0x88dda88, 0x1), at 0xfbc31029
  [42] nsViewManager::DispatchEvent(0x8cd9d08, 0x8046604, 0x80465c4), at 0xfbc339c6
  [43] HandleEvent(0x8046604), at 0xfbc2c1ad
  [44] nsCommonWidget::DispatchEvent(0x8925978, 0x8046604, 0x8046660), at 0xfab04e1b
  [45] nsWindow::OnExposeEvent(0x8925978, 0x84935b8, 0x8046b4c), at 0xfaafbf31
  [46] expose_event_cb(0x84935b8, 0x8046b4c, 0x0), at 0xfab0084d
  [47] _gtk_marshal_BOOLEAN__BOXED(0x8327738, 0x8046760, 0x2, 0x804681c, 0x804677c, 0x0), at 0xfe913f21
  [48] g_closure_invoke(0x8327738, 0x8046760, 0x2, 0x804681c, 0x804677c), at 0xfeb0a42a
  [49] signal_emit_unlocked_R(0x81d7448, 0x0, 0x84935b8, 0x804699c, 0x804681c), at 0xfeb1e3cc
  [50] g_signal_emit_valist(0x84935b8, 0x2a, 0x0, 0x8046a90), at 0xfeb1d467
  [51] g_signal_emit(0x84935b8, 0x2a, 0x0, 0x8046b4c, 0x8046ab4), at 0xfeb1d86d
  [52] gtk_widget_event_internal(0x84935b8, 0x8046b4c), at 0xfe9f62be
  [53] gtk_widget_send_expose(0x84935b8, 0x8046b4c), at 0xfe9f600a
  [54] gtk_main_do_event(0x8046b4c, 0x0), at 0xfe911b50
  [55] gdk_window_process_updates_internal(0x8d93d08), at 0xfec1e86b
  [56] gdk_window_process_all_updates(0xfebe3eb4, 0x8046bf0, 0xfeb7c6d7, 0x0, 0xfebe3eb4, 0x8046c78), at 0xfec1e906
  [57] gdk_window_update_idle(0x0), at 0xfec1e6aa
  [58] g_idle_dispatch(0x8c49da0, 0xfec1e684, 0x0), at 0xfeb7c6d7
  [59] g_main_dispatch(0x80ce528), at 0xfeb79690
  [60] g_main_context_dispatch(0x80ce528), at 0xfeb7a779
  [61] g_main_context_iterate(0x80ce528, 0x1, 0x1, 0x815fb58), at 0xfeb7ab99
  [62] g_main_loop_run(0x82be840), at 0xfeb7b19e
  [63] gtk_main(0x8046ed4, 0x809b144, 0x8046d78, 0xfb388a41, 0x81dfc50, 0x8046ed8), at 0xfe9113f7
  [64] nsAppShell::Run(0x81dfc50, 0x8046ed8, 0x805e1f6, 0x81cc2d0, 0x806fec2, 0x0), at 0xfab03361
  [65] nsAppShellService::Run(0x81cc2d0), at 0xfb388a41
  [66] main1(0x5, 0x8046f38, 0x810fbb0), at 0x805e1f6
  [67] main(0x5, 0x8046f38, 0x8046f50), at 0x805f39c
(dbx) cont

execution completed, exit code is 1

This isn't security sensitive. X11 or gtk or whatever disagrees with us and we quit.
Group: security
Whiteboard: [sg:nse]
*** Bug 351438 has been marked as a duplicate of this bug. ***
Confirming based on duplicate bug.
Ever confirmed: true
*** Bug 359109 has been marked as a duplicate of this bug. ***
Duplicate of this bug: 369285
Posted file Testcase #2
Flags: blocking1.9?
Keywords: crash, testcase
Posted patch Patch rev. 1 (obsolete) — Splinter Review
This fixes it for me...
Attachment #261556 - Flags: superreview?(pavlov)
Attachment #261556 - Flags: review?(pavlov)
should we just change the cross platform 5000 to 2000?
... if you want to change size(PR_MIN(aSize, 5000)) to size(PR_MIN(aSize, 2000)) that would be fine with me. I don't like the current platform-specific limit.
Component: GFX: Gtk → GFX: Thebes
QA Contact: gtk → thebes
Comment on attachment 261556 [details] [diff] [review]
Patch rev. 1

See stuart's comments above -- just limit the font size to 2000 on all platforms (the PR_MIN in the constructor initializers)
Attachment #261556 - Flags: superreview?(pavlov)
Attachment #261556 - Flags: superreview-
Attachment #261556 - Flags: review?(pavlov)
Attachment #261556 - Flags: review-
Flags: blocking1.9? → blocking1.9+
Target Milestone: --- → mozilla1.9alpha5
Assignee: nobody → vladimir
Comment on attachment 266575 [details] [diff] [review]
clamp large font size everywhere

make static const and move inside the function.
Attachment #266575 - Flags: review?(pavlov) → review+
Checked in inside function.  Clamped to 2000 now.
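The fix the reviewers converged on above, as an added C++ illustration that is not Mozilla's patch: a page-supplied CSS font-size is parsed, then bounded by a single static const limit kept inside the clamp function rather than a per-platform value. The ParseFontSizePx/ClampFontSize/FontStyle names are hypothetical stand-ins, and the parser is assumed to cover only px and pt.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdlib>
#include <string>

// Added illustration, not Mozilla code: the font-size value reaches the
// font-style constructor from CSS, so the clamp must bound whatever the
// page supplies.  Only a tiny subset of CSS lengths is parsed here.

static const double kPtPerPx = 0.75;   // CSS reference pixel: 96 px per 72 pt

// Parse "123px" / "123pt" into a size in pixels; returns false on junk,
// on non-finite values, and on units this toy parser does not know.
bool ParseFontSizePx(const std::string& aValue, double& aOutPx) {
    char* end = nullptr;
    double n = std::strtod(aValue.c_str(), &end);
    if (end == aValue.c_str() || !std::isfinite(n)) return false;
    std::string unit(end);
    if (unit == "px") { aOutPx = n; return true; }
    if (unit == "pt") { aOutPx = n / kPtPerPx; return true; }
    return false;
}

// The clamp the reviewers asked for: one static const limit, local to the
// function, applied on every platform instead of a platform-specific value.
double ClampFontSize(double aSize) {
    static const double kMaxFontSize = 2000.0;   // limit chosen in this bug
    if (aSize < 0.0) return 0.0;                 // assumption: negative sizes collapse to 0
    return std::min(aSize, kMaxFontSize);
}

// Minimal stand-in for the constructor whose initializer the patch changed.
struct FontStyle {
    explicit FontStyle(double aSize) : size(ClampFontSize(aSize)) {}
    double size;
};

// End-to-end: CSS text in, bounded size out (0 for values that do not parse).
double FontSizeFromCss(const std::string& aValue) {
    double px = 0.0;
    if (!ParseFontSizePx(aValue, px)) return 0.0;
    return FontStyle(px).size;
}
```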
Closed: 12 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
crash test landed
Flags: in-testsuite? → in-testsuite+