Closed
Bug 348462
Opened 19 years ago
Closed 18 years ago
a large font-size will crash firefox
Categories
(Core :: Graphics, defect)
Tracking
RESOLVED
FIXED
mozilla1.9alpha5
People
(Reporter: g.ficara, Assigned: vlad)
(Keywords: crash, testcase, Whiteboard: [sg:nse])
Attachments
(3 files, 1 obsolete file)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5
I obtained this crash when viewing a page which contained a CSS directive with a large value for the font-size attribute.
Reproducible: Always
Steps to Reproduce:
1. open the example file
Actual Results:
Firefox crashes
Expected Results:
Correct rendering or maybe wrap the font-size to a fixed value...?
I'm using Gentoo mozilla-firefox-bin package.
Reporter
Comment 1•19 years ago
Save your work before opening... :)
Reporter
Comment 2•19 years ago
Looks like it doesn't crash on Ubuntu's Firefox (checked with a friend of mine).
Assignee: dbaron → nobody
Component: Style System (CSS) → GFX: Gtk
QA Contact: ian → gtk
Comment 3•19 years ago
Works for me, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060814 BonEcho/2.0b1
Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.7) Gecko/20060525
(dbx) attach 2951
Reading mozilla-bin
Reading ld.so.1
Reading libc.so.1
Reading libCrun.so.1
Reading libdl.so.1
Reading libdemangle.so.1
Reading libplc4.so
Reading libnspr4.so
Reading libpthread.so.1
Reading libthread.so.1
Reading librt.so.1
Reading libsocket.so.1
Reading libnsl.so.1
Reading libaio.so.1
Reading libgtk-x11-2.0.so.0.800.17
Reading libgdk-x11-2.0.so.0.800.17
Reading libglib-2.0.so.0.1000.2
Reading libgobject-2.0.so.0.1000.2
Reading libmlib.so.2
Reading libmlib_sse2.so.2
Reading en_US.UTF-8.so.3
Reading methods_unicode.so.3
Reading libX11.so.4
Reading xlcUTF-8.so.2
Reading libpango-1.0.so.0.1200.2
Reading UTF-8%8859-1.so
Reading libXext.so.0
Reading libXi.so.5
Reading libxpcom.so
Reading libplds4.so
Reading libgkgfx.so
Reading libembedcomponents.so
Reading libtypeaheadfind.so
Reading libmozapoc.so
Reading libapoc.so.1
Reading libscf.so.1
Reading libuutil.so.1
Reading libpref.so
Reading libnecko.so
Reading libgklayout.so
Reading libmozjs.so
Reading libcaps.so
Reading libxpconnect.so
Reading libi18n.so
Reading libsystem-pref.so
Reading libgconf-2.so.4.1.0
Reading libORBit-2.so.0.1.0
Reading libgthread-2.0.so.0.1000.2
Reading libresolv.so.2
Reading libimglib2.so
Reading librdf.so
Reading libjsd.so
Reading libnsappshell.so
Reading libchrome.so
Reading libhtmlpars.so
Reading libuconv.so
Reading libdocshell.so
Reading libgnome-2.so.0.1401.0
Reading libbonobo-activation.so.4.0.0
Reading libpopt.so.0.0.0
Reading libgnomevfs-2.so.0.1400.1
Reading libbonobo-2.so.0.0.0
Reading libORBitCosNaming-2.so.0.1.0
Reading libxml2.so.2
Reading libz.so.1
Reading libm.so.2
Reading libssl.so.0.9.8
Reading libcrypto.so.0.9.8
Reading libwidget_gtk2.so
Reading libprofile.so
Reading libxpcom_compat_c.so
Reading libxpcom_compat.so
Reading UTF-8%UTF-16LE.so
Reading UTF-16LE%UTF-8.so
Reading libgfx_gtk.so
Reading libgmodule-2.0.so.0.1000.2
Reading libnimbus.so
Reading libgdk_pixbuf-2.0.so.0.800.17
Reading libXrandr.so.2
Reading libXrender.so.1
Reading libcairo.so.2.2.3
Reading libpangocairo-1.0.so.0.1200.2
Reading libfontconfig.so.1
Reading libpng12.so.0.1.2.8
Reading libfreetype.so.6
Reading libpangoft2-1.0.so.0.1200.2
Reading libexpat.so.0.5.0
Reading libmp.so.2
Reading libmd.so.1
Reading libatk-1.0.so.0.1114.0
Reading UTF-8%UTF-8.so
Reading libpixbufloader-xpm.so
Reading libSM.so.6
Reading libICE.so.6
Reading libXft.so.2
Reading libpipboot.so
Reading liboji.so
Reading libjsj.so
Reading libgkplugin.so
Reading libnullplugin.so
Reading libXt.so.4
Reading libjavaplugin_oji.so
Reading libjavaplugin_nscp.so
Reading libcookie.so
Reading libwebbrwsr.so
Reading libjar50.so
Reading libmozz.so
Reading libsroaming.so
Reading libp3p.so
Reading im-iiim.so
Reading libpangoxft-1.0.so.0.1200.2
Reading libpangox-1.0.so.0.1200.2
Reading libiiimcf.so.3.0.0
Reading libiiimp.so.1.0.0
Reading libappcomps.so
Reading libxremoteservice.so
Reading libtxmgr.so
Reading libeditor.so
Reading pango-basic-fc.so
Reading libmork.so
Attached to process 2951 with 3 LWPs
t@1 (l@1) stopped in __pollsys at 0xfef59695
0xfef59695: __pollsys+0x0015: jb __cerror [ 0xfeeef710, .-0x69f85 ]
(dbx) c
c: not found
(dbx) cont
Reading libsmime3.so
Reading libnss3.so
Reading libsoftokn3.so
Reading libssl3.so
Reading libpipnss.so
Reading libnssckbi.so
Reading libctl.so
Reading libnecko2.so
Reading libnkgnomevfs.so
Reading libmozpango.so
Reading libwallet.so
t@1 (l@1) signal PIPE (Broken Pipe) in _writev at 0xfef5a095
0xfef5a095: _writev+0x0015: jae _writev+0x21 [ 0xfef5a0a1, .+0xc ]
(dbx) where
current thread: t@1
=>[1] _writev(0x4, 0x803e298, 0x2), at 0xfef5a095
[2] writev(0x4, 0x803e298, 0x2), at 0xfef4d96f
[3] _X11TransSocketWritev(0x80bd1a0, 0x803e298, 0x2, 0x803e2d0, 0xfe75c577, 0x80bd1a0), at 0xfe75a26c
[4] _X11TransWritev(0x80bd1a0, 0x803e298, 0x2), at 0xfe75a243
[5] _XSend(0x80bda38, 0x8e543b0, 0x43d1f4), at 0xfe75c577
[6] XRenderAddGlyphs(0x80bda38, 0x4c02961, 0x8040464, 0x8a6a230, 0x1, 0x8e543b0, 0x43d1f4), at 0xfa913087
[7] XftFontLoadGlyphs(0x80bda38, 0x8dc5f28, 0x1, 0x8040494, 0x1), at 0xfa3be9ea
[8] XftGlyphFontSpecRender(0x80bda38, 0x3, 0x4c00074, 0x4c02968, 0x0, 0x0, 0x80424a0, 0x6), at 0xfa3c08bc
[9] XftDrawGlyphFontSpec(0x8a12b18, 0x8042480, 0x80424a0, 0x6), at 0xfa3ba5b4
[10] nsAutoDrawSpecBuffer::Flush(0x8042494), at 0xfaa2c58f
[11] nsFontMetricsXft::DrawString(0x8a89800, 0x8a41f10, 0x6, 0x0, 0x7215, 0x0), at 0xfaa2894a
[12] nsRenderingContextGTK::DrawString(0x8b56b60, 0x8a41f10, 0x6, 0x0, 0x7215, 0x0), at 0xfaa12ee7
[13] nsTextFrame::PaintAsciiText(0x8456840, 0x8dd7e20, 0x8b56b60, 0x8456814, 0x8045a20, 0x0, 0x0), at 0xfb8e0a56
[14] nsTextFrame::Paint(0x8456840, 0x8dd7e20, 0x8b56b60, 0x8045ad0, 0x2, 0x0), at 0xfb8dcdef
[15] nsContainerFrame::PaintChild(0x84567c4, 0x8dd7e20, 0x8b56b60, 0x8045cc0, 0x8456840, 0x2, 0x0), at 0xfb88c5f6
[16] nsBlockFrame::PaintChild(0x84567c4, 0x8dd7e20, 0x8b56b60, 0x8045cc0, 0x8456840, 0x2, 0x0), at 0xfb88632a
[17] PaintLine(0x8045ba0, 0x8045cc0, 0x8045be4, 0x0, 0x8045be0, 0x8dd7e20, 0x8b56b60, 0x2, 0x84567c4), at 0xfb886172
[18] nsBlockFrame::PaintChildren(0x84567c4, 0x8dd7e20, 0x8b56b60, 0x8045cc0, 0x2, 0x0), at 0xfb88414b
[19] nsHTMLContainerFrame::PaintDecorationsAndChildren(0x84567c4, 0x8dd7e20, 0x8b56b60, 0x8045cc0, 0x2, 0x1, 0x0), at 0xfb89ec76
[20] nsBlockFrame::Paint(0x84567c4, 0x8dd7e20, 0x8b56b60, 0x8045cc0, 0x2, 0x0), at 0xfb883ed9
[21] nsContainerFrame::PaintChild(0x8456338, 0x8dd7e20, 0x8b56b60, 0x8045eb0, 0x84567c4, 0x2, 0x0), at 0xfb88c5f6
[22] nsBlockFrame::PaintChild(0x8456338, 0x8dd7e20, 0x8b56b60, 0x8045eb0, 0x84567c4, 0x2, 0x0), at 0xfb88632a
[23] PaintLine(0x8045d90, 0x8045eb0, 0x8045dd4, 0x0, 0x8045dd0, 0x8dd7e20, 0x8b56b60, 0x2, 0x8456338), at 0xfb886172
[24] nsBlockFrame::PaintChildren(0x8456338, 0x8dd7e20, 0x8b56b60, 0x8045eb0, 0x2, 0x0), at 0xfb88414b
[25] nsHTMLContainerFrame::PaintDecorationsAndChildren(0x8456338, 0x8dd7e20, 0x8b56b60, 0x8045eb0, 0x2, 0x1, 0x0), at 0xfb89ec76
[26] nsBlockFrame::Paint(0x8456338, 0x8dd7e20, 0x8b56b60, 0x8045eb0, 0x2, 0x0), at 0xfb883ed9
[27] nsContainerFrame::PaintChild(0x8456110, 0x8dd7e20, 0x8b56b60, 0x80460a0, 0x8456338, 0x2, 0x0), at 0xfb88c5f6
[28] nsBlockFrame::PaintChild(0x8456110, 0x8dd7e20, 0x8b56b60, 0x80460a0, 0x8456338, 0x2, 0x0), at 0xfb87d60a
[29] PaintLine(0x8045f80, 0x80460a0, 0x8045fc4, 0x0, 0x8045fc0, 0x8dd7e20, 0x8b56b60, 0x2, 0x8456110), at 0xfb886172
[30] nsBlockFrame::PaintChildren(0x8456110, 0x8dd7e20, 0x8b56b60, 0x80460a0, 0x2, 0x0), at 0xfb88414b
[31] nsHTMLContainerFrame::PaintDecorationsAndChildren(0x8456110, 0x8dd7e20, 0x8b56b60, 0x80460a0, 0x2, 0x1, 0x0), at 0xfb89ec76
[32] nsBlockFrame::Paint(0x8456110, 0x8dd7e20, 0x8b56b60, 0x80460a0, 0x2, 0x0), at 0xfb883ed9
[33] nsContainerFrame::PaintChild(0x8c6b990, 0x8dd7e20, 0x8b56b60, 0x80462b0, 0x8456110, 0x2, 0x0), at 0xfb88c5f6
[34] nsContainerFrame::PaintChildren(0x8c6b990, 0x8dd7e20, 0x8b56b60, 0x80462b0, 0x2, 0x0), at 0xfb88c4ed
[35] nsHTMLContainerFrame::Paint(0x8c6b990, 0x8dd7e20, 0x8b56b60, 0x80462b0, 0x2, 0x0), at 0xfb89eadd
[36] CanvasFrame::Paint(0x8c6b990, 0x8dd7e20, 0x8b56b60, 0x80462b0, 0x2, 0x0), at 0xfb89fb3e
[37] PresShell::Paint(0x8b64478, 0x89b52d0, 0x8b56b60, 0x80462b0), at 0xfb8d2e24
[38] nsView::Paint(0x89b52d0, 0x8b56b60, 0x80462b0, 0x0, 0x80462cc), at 0xfbc2c72d
[39] nsViewManager::RenderDisplayListElement(0x8cd9d08, 0x8d86508, 0x8b56b60), at 0xfbc329a5
[40] nsViewManager::RenderViews(0x8cd9d08, 0x8a23ad8, 0x8b56b60, 0x8046410, 0x8800c40, 0x8046460), at 0xfbc32285
[41] nsViewManager::Refresh(0x8cd9d08, 0x8a23ad8, 0x8b56b60, 0x88dda88, 0x1), at 0xfbc31029
[42] nsViewManager::DispatchEvent(0x8cd9d08, 0x8046604, 0x80465c4), at 0xfbc339c6
[43] HandleEvent(0x8046604), at 0xfbc2c1ad
[44] nsCommonWidget::DispatchEvent(0x8925978, 0x8046604, 0x8046660), at 0xfab04e1b
[45] nsWindow::OnExposeEvent(0x8925978, 0x84935b8, 0x8046b4c), at 0xfaafbf31
[46] expose_event_cb(0x84935b8, 0x8046b4c, 0x0), at 0xfab0084d
[47] _gtk_marshal_BOOLEAN__BOXED(0x8327738, 0x8046760, 0x2, 0x804681c, 0x804677c, 0x0), at 0xfe913f21
[48] g_closure_invoke(0x8327738, 0x8046760, 0x2, 0x804681c, 0x804677c), at 0xfeb0a42a
[49] signal_emit_unlocked_R(0x81d7448, 0x0, 0x84935b8, 0x804699c, 0x804681c), at 0xfeb1e3cc
[50] g_signal_emit_valist(0x84935b8, 0x2a, 0x0, 0x8046a90), at 0xfeb1d467
[51] g_signal_emit(0x84935b8, 0x2a, 0x0, 0x8046b4c, 0x8046ab4), at 0xfeb1d86d
[52] gtk_widget_event_internal(0x84935b8, 0x8046b4c), at 0xfe9f62be
[53] gtk_widget_send_expose(0x84935b8, 0x8046b4c), at 0xfe9f600a
[54] gtk_main_do_event(0x8046b4c, 0x0), at 0xfe911b50
[55] gdk_window_process_updates_internal(0x8d93d08), at 0xfec1e86b
[56] gdk_window_process_all_updates(0xfebe3eb4, 0x8046bf0, 0xfeb7c6d7, 0x0, 0xfebe3eb4, 0x8046c78), at 0xfec1e906
[57] gdk_window_update_idle(0x0), at 0xfec1e6aa
[58] g_idle_dispatch(0x8c49da0, 0xfec1e684, 0x0), at 0xfeb7c6d7
[59] g_main_dispatch(0x80ce528), at 0xfeb79690
[60] g_main_context_dispatch(0x80ce528), at 0xfeb7a779
[61] g_main_context_iterate(0x80ce528, 0x1, 0x1, 0x815fb58), at 0xfeb7ab99
[62] g_main_loop_run(0x82be840), at 0xfeb7b19e
[63] gtk_main(0x8046ed4, 0x809b144, 0x8046d78, 0xfb388a41, 0x81dfc50, 0x8046ed8), at 0xfe9113f7
[64] nsAppShell::Run(0x81dfc50, 0x8046ed8, 0x805e1f6, 0x81cc2d0, 0x806fec2, 0x0), at 0xfab03361
[65] nsAppShellService::Run(0x81cc2d0), at 0xfb388a41
[66] main1(0x5, 0x8046f38, 0x810fbb0), at 0x805e1f6
[67] main(0x5, 0x8046f38, 0x8046f50), at 0x805f39c
(dbx) cont
execution completed, exit code is 1
(dbx)
This isn't security sensitive. X11 or gtk or whatever disagree with us and we quit.
Group: security
Whiteboard: [sg:nse]
Comment 5•19 years ago
*** Bug 351438 has been marked as a duplicate of this bug. ***
Comment 6•19 years ago
Confirming based on duplicate bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
*** Bug 359109 has been marked as a duplicate of this bug. ***
Comment 9•18 years ago
Updated•18 years ago
Comment 10•18 years ago
This fixes it for me...
Attachment #261556 -
Flags: superreview?(pavlov)
Attachment #261556 -
Flags: review?(pavlov)
Comment 11•18 years ago
should we just change the cross platform 5000 to 2000?
Comment 12•18 years ago
?
Comment 13•18 years ago
... if you want to change size(PR_MIN(aSize, 5000)) to size(PR_MIN(aSize, 2000)) that would be fine with me. I don't like the current platform-specific limit
Updated•18 years ago
Component: GFX: Gtk → GFX: Thebes
QA Contact: gtk → thebes
Assignee
Comment 14•18 years ago
Comment on attachment 261556 [details] [diff] [review]
Patch rev. 1
See stuart's comments above -- just limit the font size to 2000 on all platforms (the PR_MIN in the constructor initializers)
Attachment #261556 -
Flags: superreview?(pavlov)
Attachment #261556 -
Flags: superreview-
Attachment #261556 -
Flags: review?(pavlov)
Attachment #261556 -
Flags: review-
Assignee
Updated•18 years ago
Flags: blocking1.9? → blocking1.9+
Assignee
Updated•18 years ago
Target Milestone: --- → mozilla1.9alpha5
Assignee
Updated•18 years ago
Assignee: nobody → vladimir
Assignee
Comment 15•18 years ago
Attachment #261556 -
Attachment is obsolete: true
Attachment #266575 -
Flags: review?(pavlov)
Comment 16•18 years ago
Comment on attachment 266575 [details] [diff] [review]
clamp large font size everywhere
make static const and move inside the function.
Attachment #266575 -
Flags: review?(pavlov) → review+
Assignee
Comment 17•18 years ago
Checked in inside function. Clamped to 2000 now.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
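The fix settled on in comments 13, 14, 16 and 17 is a single cross-platform clamp on the font size, held as a static const inside the function rather than a per-platform limit in the constructor initializers. The backtrace in the dbx session shows why it matters: a page-controlled size flows unchanged into XftFontLoadGlyphs and XRenderAddGlyphs, and the process dies with SIGPIPE when the X server drops the connection while glyphs for that size are being sent. The block below is an added example written for this page, not the patch from attachment 266575 and not Mozilla's gfx code; the names ClampFontSize, FontStyle, GlyphBitmapBytes and kMaxFontSize are assumptions, and only the limit of 2000 comes from the bug.

```cpp
// Added example (not Mozilla's code): bound a page-supplied CSS font size
// before it reaches the glyph rasterizer, in the shape the review asked for:
// one limit, static const, inside the function, applied on every platform.
#include <algorithm>
#include <cmath>
#include <cstdio>

// Hypothetical stand-in for the size handling in a gfx font style object.
double ClampFontSize(double aSize) {
    // Limit from comment 17 of this bug: 2000. A single constant replaces the
    // earlier per-platform PR_MIN(aSize, 5000).
    static const double kMaxFontSize = 2000.0;
    // Assumption for this example: a NaN size (unparseable input) is treated
    // as "too large" and collapses to the limit instead of leaking through.
    if (std::isnan(aSize)) {
        return kMaxFontSize;
    }
    return std::min(aSize, kMaxFontSize);
}

// Hypothetical font style: the clamp runs in the constructor initializer, so
// no caller can construct a style whose size exceeds the limit.
struct FontStyle {
    double size;
    explicit FontStyle(double aSize) : size(ClampFontSize(aSize)) {}
};

// Constructed illustration of the per-glyph cost the X server would absorb:
// roughly one byte per pixel of a size x size glyph bitmap.
double GlyphBitmapBytes(const FontStyle& style) {
    return style.size * style.size;
}

int main() {
    // Constructed sample input: a normal size, the limit itself, and a
    // stylesheet value far beyond anything a renderer should honour.
    const double requested[] = {12.0, 2000.0, 1e9};
    for (double s : requested) {
        FontStyle style(s);
        std::printf("requested %g -> used %g (%.0f bytes/glyph)\n",
                    s, style.size, GlyphBitmapBytes(style));
    }
    return 0;
}
```

The explicit NaN check is there because std::min(aSize, limit) returns aSize when aSize is NaN (the comparison is false), whereas NSPR's PR_MIN macro, which expands to ((x)<(y)?(x):(y)), happens to return the limit in that case; making the behaviour explicit keeps the clamp from depending on which helper is used.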
Updated•18 years ago
Flags: in-testsuite?
Comment 18•16 years ago
crash test landed
http://hg.mozilla.org/mozilla-central/rev/874ade6d6099
Flags: in-testsuite? → in-testsuite+