Crash [@ nsTextFrameUtils::TransformText] loading png as HTML

RESOLVED FIXED in mozilla1.9alpha6

Status: RESOLVED FIXED
Product: Core
Component: Layout: Text
Priority: --
Severity: critical
Reported: 11 years ago
Modified: 10 years ago
Reporter: karlt
Assigned: karlt
Version: Trunk
Target Milestone: mozilla1.9alpha6
Platform: x86 Linux
Bug Flags: in-testsuite ?
Attachments: 1 attachment, 2 obsolete attachments

Description (Assignee, 11 years ago)
Created attachment 269978 [details] [diff] [review]
keep limitLength within [0, length]

###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file
/home/karl/moz/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file
/home/karl/moz/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92

#0  0x00002aaaadae21d9 in nsTextFrameUtils::TransformText (aText=0x14fd3d8, 
    aLength=4294967293, aOutput=0x7fff1b644000, aCompressWhitespace=1, 
    aIncomingWhitespace=0x7fff1b63b17f "", aSkipChars=0x7fff1b6393b0, 
    aAnalysisFlags=0x7fff1b63960c)
    at /home/karl/moz/mozilla/layout/generic/nsTextFrameUtils.cpp:153
#1  0x00002aaaadad3b62 in BuildTextRunsScanner::BuildTextRunForFrames (
    this=0x7fff1b63ac90, aTextBuffer=0x7fff1b6397d0)
    at /home/karl/moz/mozilla/layout/generic/nsTextFrameThebes.cpp:1584
#2  0x00002aaaadad4bf4 in BuildTextRunsScanner::FlushFrames (
    this=0x7fff1b63ac90, aFlushLineBreaks=0)
    at /home/karl/moz/mozilla/layout/generic/nsTextFrameThebes.cpp:1256
#3  0x0054fffd0140fffd in ?? ()

limitLength > length in nsTextFrame::Reflow.

The attached patch ignores the break from nsLineLayout::GetForcedBreakPosition if it is not within the range of interest, which prevents the crash.

The patch assumes that offset >= 0.  Is this a valid assumption (on a PRInt32)?
Attachment #269978 - Flags: superreview?(roc)
Attachment #269978 - Flags: review?(roc)
Comment 1 (Assignee, 11 years ago)
Created attachment 270114 [details] [diff] [review]
keep limitLength <= length

Modified after discussion with roc.

* limitLength should never be < 0 so we shouldn't need to check,
  but, if it is, then we want the ASSERTION to fire.

* The forceBreak variable may in the future be used again in this scope,
  so make its value reflect whether we are interested in the break.
Attachment #269978 - Attachment is obsolete: true
Attachment #270114 - Flags: superreview?(roc)
Attachment #270114 - Flags: review?(roc)
Attachment #269978 - Flags: superreview?(roc)
Attachment #269978 - Flags: review?(roc)
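An added illustration of the defect described above and of the range check outlined in the description and in comment 1. This is not the bug's patch (the patch text is not on this page); the function names, the kNoBreak sentinel and the remaining-length computation that ends up as an unsigned argument are assumptions made for the example.

```cpp
// Added illustration, not Mozilla code: how a forced break position outside
// the frame's range of interest lets limitLength exceed length, and how the
// wrapped result shows up as a huge unsigned aLength (4294967293 == (uint32_t)-3).
#include <cstdint>

static const int32_t kNoBreak = -1;  // assumed sentinel: "no forced break"

// Unchecked variant: trusts the break position even when it lies beyond
// [offset, offset + length), so limitLength can end up greater than length.
int32_t LimitLengthUnchecked(int32_t offset, int32_t length, int32_t forceBreak) {
  int32_t limitLength = length;
  if (forceBreak >= 0) {
    limitLength = forceBreak - offset;   // may be > length
  }
  return limitLength;
}

// Checked variant, following the description and comment 1: a break at or
// beyond the end of the range of interest is ignored (forceBreak is reset so
// its value reflects that), which keeps limitLength <= length.  A negative
// result (a break before offset) is deliberately not clamped: per comment 1
// that case should trip the assertion rather than be hidden.
int32_t LimitLengthChecked(int32_t offset, int32_t length, int32_t forceBreak) {
  int32_t limitLength = length;
  if (forceBreak >= offset + length) {
    forceBreak = kNoBreak;               // not in our range: ignore the break
  }
  if (forceBreak >= 0) {
    limitLength = forceBreak - offset;
    // The real code would assert limitLength >= 0 here (NS_ASSERTION).
  }
  return limitLength;
}

// Assumed downstream computation of the kind that becomes an unsigned length
// parameter: with limitLength > length the signed difference is negative and
// wraps when converted, e.g. 10 - 13 == -3 becomes 4294967293.
uint32_t RemainingAsUnsigned(int32_t length, int32_t limitLength) {
  int32_t remaining = length - limitLength;
  return static_cast<uint32_t>(remaining);
}
```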
Updated (Assignee, 11 years ago)
Severity: normal → critical
Flags: blocking1.9?
Target Milestone: --- → mozilla1.9alpha6
Comment 2 (Assignee, 11 years ago)
Created attachment 270115 [details] [diff] [review]
keep limitLength <= length with braces

Iteration 3 of what is now a 4-line patch - style.
Attachment #270114 - Attachment is obsolete: true
Attachment #270115 - Flags: superreview?(roc)
Attachment #270115 - Flags: review?(roc)
Attachment #270114 - Flags: superreview?(roc)
Attachment #270114 - Flags: review?(roc)
Attachment #270115 - Flags: superreview?(roc)
Attachment #270115 - Flags: superreview+
Attachment #270115 - Flags: review?(roc)
Attachment #270115 - Flags: review+
Updated (Assignee, 11 years ago)
Whiteboard: [checkin needed]

Comment 3 (11 years ago)
Checking in layout/generic/nsTextFrameThebes.cpp;
/cvsroot/mozilla/layout/generic/nsTextFrameThebes.cpp,v  <--  nsTextFrameThebes.cpp
new revision: 3.49; previous revision: 3.48
done
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Whiteboard: [checkin needed]
Updated (Assignee, 10 years ago)
Flags: blocking1.9?
Flags: in-testsuite?