35749 - Array Bounds Read in nsTextFrame::PaintAsciiText()

Status: VERIFIED FIXED

(Core :: Layout, defect, P3)

Description

[Bruce Mitchener]

Guessing this is troy's due to recent checkins.  Please run Purify more often!

This happens _very_ often in startup/shutdown of mozilla-bin.  Did not test
under viewer.

      ABR: Array bounds read (52 times)
      This is occurring while in:
            
nsTextFrame::PaintAsciiText(nsIPresContext*,nsIRenderingContext&,nsIStyleContext*,nsTextFrame::TextStyle&,int,int)
[nsTextFrame.cpp:2356]
               
                   // See if we should skip leading whitespace
                   if (0 != (mState & TEXT_SKIP_LEADING_WS)) {
            =>       while (XP_IS_SPACE(*text) && (textLength > 0)) {
                       text++;
                       textLength--;
                     }
            nsTextFrame::Paint(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsTextFrame.cpp:1219]
                     // If we have ascii text that doesn't contain multi-byte
characters
                     // and the text doesn't need transforming then always
render as ascii
                     if ((0 == (mState & TEXT_WAS_TRANSFORMED)) && !frag->Is2b()
&& !hasMultiByteChars) {
            =>         PaintAsciiText(aPresContext, aRenderingContext, sc, ts,
0, 0);
                     
                     } else if (hasMultiByteChars || (0 == (hints &
NS_RENDERING_HINT_FAST_8BIT_TEXT))) {
                       // If it has multi-byte characters then we have to render
it as Unicode
          
nsContainerFrame::PaintChild(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsIFrame*,nsFramePaintLayer) [nsContainerFrame.cpp:225]
           
nsContainerFrame::PaintChildren(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsContainerFrame.cpp:166]
           
nsHTMLContainerFrame::Paint(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsHTMLContainerFrame.cpp:88]
           
nsContainerFrame::PaintChild(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsIFrame*,nsFramePaintLayer) [nsContainerFrame.cpp:225]
           
nsBlockFrame::PaintChildren(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsBlockFrame.cpp:6012]
            nsBlockFrame::Paint(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsBlockFrame.cpp:5889]
           
nsContainerFrame::PaintChild(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsIFrame*,nsFramePaintLayer) [nsContainerFrame.cpp:225]
           
nsContainerFrame::PaintChildren(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsContainerFrame.cpp:166]
            nsTableCellFrame::Paint(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsTableCellFrame.cpp:317]
           
nsTableRowFrame::PaintChildren(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsTableRowFrame.cpp:442]
            nsTableRowFrame::Paint(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsTableRowFrame.cpp:397]
           
nsTableRowGroupFrame::PaintChildren(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsTableRowGroupFrame.cpp:259]
           
nsTableRowGroupFrame::Paint(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsTableRowGroupFrame.cpp:215]
           
nsContainerFrame::PaintChild(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsIFrame*,nsFramePaintLayer) [nsContainerFrame.cpp:225]
           
nsContainerFrame::PaintChildren(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsContainerFrame.cpp:166]
            nsTableFrame::Paint(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsTableFrame.cpp:1278]
           
nsContainerFrame::PaintChild(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsIFrame*,nsFramePaintLayer) [nsContainerFrame.cpp:225]
            nsTableOuterFrame::Paint(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsTableOuterFrame.cpp:375]
           
nsContainerFrame::PaintChild(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsIFrame*,nsFramePaintLayer) [nsContainerFrame.cpp:225]
           
nsBlockFrame::PaintChildren(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsBlockFrame.cpp:6012]
            nsBlockFrame::Paint(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsBlockFrame.cpp:5889]
           
nsContainerFrame::PaintChild(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsIFrame*,nsFramePaintLayer) [nsContainerFrame.cpp:225]
           
nsBlockFrame::PaintChildren(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsBlockFrame.cpp:6012]
            nsBlockFrame::Paint(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsBlockFrame.cpp:5889]
           
nsContainerFrame::PaintChild(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsIFrame*,nsFramePaintLayer) [nsContainerFrame.cpp:225]
           
nsContainerFrame::PaintChildren(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsContainerFrame.cpp:166]
           
nsHTMLContainerFrame::Paint(nsIPresContext*,nsIRenderingContext&,const
nsRect&,nsFramePaintLayer) [nsHTMLContainerFrame.cpp:88]
            PresShell::Paint(nsIView*,nsIRenderingContext&,const nsRect&)
[nsPresShell.cpp:3280]
      Reading 1 byte from 0x208abf1 in the heap.
      Address 0x208abf1 is 1 byte past end of a malloc'd block at 0x208abf0 of 1
byte.
      This block was allocated from:
            malloc         [rtlib.o]
            __bUiLtIn_nEw  [libxpcom.so]
            __builtin_new  [rtlib.o]
            __bUiLtIn_vEc_nEw [libxpcom.so]
            __builtin_vec_new [rtlib.o]
            nsTextFragment::SetTo(const unsigned short*,int)
[nsTextFragment.cpp:158]
            nsGenericDOMDataNode::SetText(nsIContent*,const unsigned
short*,int,int) [nsGenericDOMDataNode.cpp:1007]
            nsTextNode::SetText(const unsigned short*,int,int)
[nsTextNode.cpp:68]
            SinkContext::FlushText(int*,int) [nsHTMLContentSink.cpp:2011]
            SinkContext::FlushTextAndRelease(int*) [nsHTMLContentSink.cpp:427]
            SinkContext::OpenContainer(const nsIParserNode&)
[nsHTMLContentSink.cpp:1258]
            HTMLContentSink::OpenContainer(const nsIParserNode&)
[nsHTMLContentSink.cpp:2918]
            CNavDTD::OpenContainer(const
nsIParserNode*,nsHTMLTag,int,nsEntryStack*) [CNavDTD.cpp:2970]
            CNavDTD::HandleDefaultStartToken(CToken*,nsHTMLTag,nsIParserNode*)
[CNavDTD.cpp:1086]
            CNavDTD::HandleStartToken(CToken*) [CNavDTD.cpp:1424]
            CNavDTD::HandleToken(CToken*,nsIParser*) [CNavDTD.cpp:771]
           
CNavDTD::BuildModel(nsIParser*,nsITokenizer*,nsITokenObserver*,nsIContentSink*)
[CNavDTD.cpp:509]
            nsParser::BuildModel() [nsParser.cpp:1298]
            nsParser::ResumeParse(int,int) [nsParser.cpp:1182]
           
nsParser::OnDataAvailable(nsIChannel*,nsISupports*,nsIInputStream*,unsigned
int,unsigned int) [nsParser.cpp:1616]
           
nsDocumentOpenInfo::OnDataAvailable(nsIChannel*,nsISupports*,nsIInputStream*,unsigned
int,unsigned int) [nsURILoader.cpp:269]
           
InterceptStreamListener::OnDataAvailable(nsIChannel*,nsISupports*,nsIInputStream*,unsigned
int,unsigned int) [nsCachedNetData.cpp:1128]
           
nsHTTPChunkConv::OnDataAvailable(nsIChannel*,nsISupports*,nsIInputStream*,unsigned
int,unsigned int) [nsHTTPChunkConv.cpp:195]
           
nsHTTPServerListener::OnDataAvailable(nsIChannel*,nsISupports*,nsIInputStream*,unsigned
int,unsigned int) [nsHTTPResponseListener.cpp:444]
            nsOnDataAvailableEvent::HandleEvent()
[nsAsyncStreamListener.cpp:406]
            nsStreamListenerEvent::HandlePLEvent(PLEvent*)
[nsAsyncStreamListener.cpp:97]
            PL_HandleEvent [plevent.c:563]
            PL_ProcessPendingEvents [plevent.c:508]
            nsEventQueueImpl::ProcessPendingEvents() [nsEventQueue.cpp:316]
            event_processor_callback(void*,int,GdkInputCondition)
[nsAppShell.cpp:143]

Comment 1

[troy]

Fixed

Comment 2

[Chris Petersen]

Marking verified fixed per last comments.