"ASSERTION: invalid array index: 'i < Length()" in nsLineBreaker::AppendText

Status: RESOLVED WORKSFORME
Reported: 11 years ago
Last modified: 9 years ago

Product: Core
Component: Layout: Text

People

Reporter: Eli Friedman
Assignee: Unassigned

Tracking

Version: Trunk
Platform: x86
OS: Windows XP
Points: ---
Bug Flags: blocking1.9+, in-testsuite?
Firefox Tracking Flags: (Not tracked)

Details

Whiteboard: [dbaron-1.9:Rs]

(Reporter)

Description

11 years ago
Per summary.

Steps to reproduce:
1. Use test styles bookmarklet from https://www.squarefree.com/bookmarklets/webdevel.html on an arbitrary webpage.
2. Type into the window that comes up.

Stacktrace:
00129f58 01465883 00000019 00129fc4 0012af8c gklayout!nsTArray<unsigned char>::ElementAt+0x31 [c:\mozilla\mozilla\obj-i686-pc-mingw32\dist\include\xpcom\nstarray.h @ 318]
00129f68 0162a785 00000019 00000010 00000000 gklayout!nsTArray<unsigned char>::operator[]+0x13 [c:\mozilla\mozilla\obj-i686-pc-mingw32\dist\include\xpcom\nstarray.h @ 352]
0012af8c 0145a3d2 02ba0a98 05411018 00000021 gklayout!nsLineBreaker::AppendText+0x2c5 [c:\mozilla\mozilla\content\base\src\nslinebreaker.cpp @ 273]
0012b004 01459b12 0546deb0 00000000 00000001 gklayout!BuildTextRunsScanner::SetupBreakSinksForTextRun+0x242 [c:\mozilla\mozilla\layout\generic\nstextframethebes.cpp @ 1870]
0012c358 0145867d 0012c399 0012d420 00000000 gklayout!BuildTextRunsScanner::BuildTextRunForFrames+0xcf2 [c:\mozilla\mozilla\layout\generic\nstextframethebes.cpp @ 1773]
0012d384 01458cce 00000001 000074b8 0012d420 gklayout!BuildTextRunsScanner::FlushFrames+0x12d [c:\mozilla\mozilla\layout\generic\nstextframethebes.cpp @ 1248]
0012d3b4 0145afca 0540a4dc 0012d3e0 00431c90 gklayout!BuildTextRunsScanner::ScanFrame+0x25e [c:\mozilla\mozilla\layout\generic\nstextframethebes.cpp @ 1390]
0012d768 0145a813 05476f80 0540a49c 05409a94 gklayout!BuildTextRuns+0x54a [c:\mozilla\mozilla\layout\generic\nstextframethebes.cpp @ 1199]
0012d7d8 01463615 0012da90 05476f80 05409a94 gklayout!nsTextFrame::EnsureTextRun+0x83 [c:\mozilla\mozilla\layout\generic\nstextframethebes.cpp @ 1953]
0012dac0 014b94d3 0540a49c 0539d3f8 0012db40 gklayout!nsTextFrame::Reflow+0x235 [c:\mozilla\mozilla\layout\generic\nstextframethebes.cpp @ 5266]

Filing as security sensitive just in case; it doesn't look exploitable, but it is an out-of-bounds array access.

I haven't reduced this.
Comment 1

I'm not seeing it on 1.8 or a week-old trunk build. Is it a recent regression?
(Reporter)

Comment 2

11 years ago
Yeah, recent regression.
(Reporter)

Comment 3

11 years ago
Semi-reduced testcase: data:text/html,<textarea>%0a%0a. %0aType here:</textarea>
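The stack trace in the description ends in nsTArray's debug accessor, which asserts `i < Length()` before indexing, and comment 3 gives the text that triggered it. The following is an added example, not Gecko's code: a minimal checked array (`CheckedArray`) with the same assertion, a deliberately simplified break scanner (`ToyLineBreaker`, hypothetical, not nsLineBreaker) that stores one break flag per character, and two helpers (`CountBreaks`, `QueryPastEnd`) run over the decoded testcase text from comment 3 (`%0a` decoded to a newline). The past-the-end query in `QueryPastEnd` is an illustrative off-by-one, not the cause identified in this bug; it shows why the debug assertion is valuable and what a release-safe accessor does instead of reading adjacent memory.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Stand-in for the debug-checked accessor seen in the trace: ElementAt()
// asserts i < Length(), so an out-of-bounds index fails loudly in a debug
// build instead of silently reading whatever lies past the buffer.
template <typename T>
class CheckedArray {
 public:
  explicit CheckedArray(size_t n) : mData(n, T()) {}
  size_t Length() const { return mData.size(); }
  bool IndexInBounds(size_t i) const { return i < Length(); }
  T& ElementAt(size_t i) {
    assert(IndexInBounds(i) && "invalid array index: 'i < Length()'");
    return mData[i];
  }
  T& operator[](size_t i) { return ElementAt(i); }
  // Release-safe companion: returns aDefault instead of asserting.
  T SafeElementAt(size_t i, T aDefault) const {
    return IndexInBounds(i) ? mData[i] : aDefault;
  }
 private:
  std::vector<T> mData;
};

// Hypothetical, deliberately simplified line breaker (not nsLineBreaker):
// a break opportunity exists before position i when text[i-1] is a space
// or newline. Flags are stored per character, so every index written must
// stay below the text length that the array was sized for.
struct ToyLineBreaker {
  CheckedArray<uint8_t> mBreaks;
  explicit ToyLineBreaker(size_t aLength) : mBreaks(aLength) {}

  // Fills mBreaks and returns the number of break opportunities found.
  size_t AppendText(const char* aText, size_t aLength) {
    assert(aLength == mBreaks.Length());
    size_t count = 0;
    for (size_t i = 1; i < aLength; ++i) {
      bool ws = aText[i - 1] == ' ' || aText[i - 1] == '\n';
      mBreaks[i] = ws ? 1 : 0;   // goes through the checked accessor
      count += ws;
    }
    return count;
  }

  // Query that tolerates a position one past the end: answers "no"
  // through SafeElementAt rather than tripping the assertion.
  bool CanBreakBefore(size_t aPos) const {
    return mBreaks.SafeElementAt(aPos, 0) != 0;
  }
};

size_t CountBreaks(const char* aText) {
  size_t len = std::strlen(aText);
  ToyLineBreaker lb(len);
  return lb.AppendText(aText, len);
}

// Asks for the break state at index == length, the kind of index the
// assertion in the trace rejects; the safe accessor returns false.
bool QueryPastEnd(const char* aText) {
  size_t len = std::strlen(aText);
  ToyLineBreaker lb(len);
  lb.AppendText(aText, len);
  return lb.CanBreakBefore(len);
}

// Text of the semi-reduced testcase from comment 3, with %0a decoded.
static const char kTestcaseText[] = "\n\n. \nType here:";

int main() {
  size_t len = std::strlen(kTestcaseText);
  std::printf("%zu break opportunities in %zu characters\n",
              CountBreaks(kTestcaseText), len);
  std::printf("break before position %zu (past the end)? %s\n", len,
              QueryPastEnd(kTestcaseText) ? "yes" : "no");
  // ToyLineBreaker(len).mBreaks[len] would trip the 'i < Length()'
  // assertion, exactly the check that fired in the reported trace.
  return 0;
}
```

Running it on the comment 3 text reports 5 break opportunities in 15 characters; the past-the-end query is answered safely because it goes through SafeElementAt, while the same index through operator[] would hit the assertion.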
(Reporter)

Updated

11 years ago
Blocks: 388602
Flags: blocking1.9? → blocking1.9+
Comment 4

Is this still an issue in current trunk build? I don't see the assertion with the semi-reduced testcase.

Eli, see comment 4.

(In reply to comment #4)
> I don't see the assertion with
> the semi-reduced testcase.

Yup, me neither.

Whiteboard: [dbaron-1.9:Rs]

I don't see this with the reduced testcase or the original steps to reproduce. Works for me?
Reopen if there's still a problem.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → WORKSFORME

Updated

11 years ago
Flags: in-testsuite?
Group: core-security