Closed Bug 390417 Opened 12 years ago Closed 12 years ago

Crash [@ gfxSkipCharsIterator::SetOffsets ] with div:first-line {}, many lines of text, and empty line at end

Categories

(Core :: Layout, defect, critical)

Hardware: x86
OS: All
Type: defect
Priority: Not set
Severity: critical


RESOLVED FIXED

People

(Reporter: dholbert, Unassigned)

Details

(Whiteboard: [sg:critical] post 1.8-branch)

Attachments

(1 file)

Crashing on gfxSkipChars.cpp:129, which is:

    PRInt32 currentRunLength = mSkipChars->mList[mListPrefixLength];

In my current instance, mListPrefixLength is 3260547140, which makes me think it's coming from uninitialized memory or something.

I also get a few of these assertions before the crash:
 ###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /scratch/work/builds/trunk.07-07-31.09-38/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92

Also, if there's enough text to create a vertical scrollbar, the crash doesn't happen. 

Right now, it looks like I only get a crash when there's 5+ lines of text... but that could just be circumstantial.

Also, if I make my browser window wide enough before triggering the test case, I don't get the crash (presumably because there are fewer lines).

Found this crash while modifying testcases for bug 387512.
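The crash line and the assertion quoted above together describe an iterator whose run index (mListPrefixLength) is used as an array subscript without ever being checked against the run table, and whose offset is only asserted, not rejected, in debug builds. The following toy model is an added example written for this page; it is not Gecko's gfxSkipChars code, and every name in it (skip_chars_t, skip_iter_t, set_offset_checked, iter_is_valid, the sample table) is invented. It shows the checked form: the offset test is the same condition as the assertion in the report (aOffset <= mCharCount) but refuses the call, and a separate invariant check rejects a run index such as 3260547140 before it is dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model (not Gecko's gfxSkipChars) of a run-length "skip chars" table.
 * runs[] holds alternating run lengths: even indices are skipped
 * characters, odd indices are kept characters; char_count is their sum. */
typedef struct {
    const uint32_t *runs;
    size_t run_count;
    uint32_t char_count;
} skip_chars_t;

/* Iterator state: index of the run containing the current offset, plus the
 * number of original characters covered by the runs before it. */
typedef struct {
    const skip_chars_t *sc;
    size_t list_prefix_length;
    uint32_t char_prefix;
} skip_iter_t;

enum { SET_OK = 0, SET_BAD_OFFSET = -1 };

/* Invariant: the run index is in range, or exactly one past the end only
 * when the iterator sits at char_count. A stray value like 3260547140 with
 * a four-entry table fails here instead of being used as a subscript. */
int iter_is_valid(const skip_iter_t *it) {
    if (it->list_prefix_length < it->sc->run_count)
        return it->char_prefix <= it->sc->char_count;
    return it->list_prefix_length == it->sc->run_count &&
           it->char_prefix == it->sc->char_count;
}

/* Position the iterator at an original-string offset. Offsets past
 * char_count are rejected (the assertion's condition, enforced always). */
int set_offset_checked(skip_iter_t *it, uint32_t offset) {
    const skip_chars_t *sc = it->sc;
    if (offset > sc->char_count)
        return SET_BAD_OFFSET;
    size_t i = 0;
    uint32_t prefix = 0;
    /* Advance over whole runs that end at or before the target offset. */
    while (i < sc->run_count && prefix + sc->runs[i] <= offset) {
        prefix += sc->runs[i];
        i++;
    }
    it->list_prefix_length = i;
    it->char_prefix = prefix;
    return SET_OK;
}

/* Length of the current run; 0 at end-of-text rather than an out-of-range read. */
uint32_t current_run_length(const skip_iter_t *it) {
    if (!iter_is_valid(it) || it->list_prefix_length >= it->sc->run_count)
        return 0;
    return it->sc->runs[it->list_prefix_length];
}

/* Is the character at the current offset one of the skipped ones? */
int offset_is_skipped(const skip_iter_t *it) {
    if (!iter_is_valid(it) || it->list_prefix_length >= it->sc->run_count)
        return 0;
    return (it->list_prefix_length % 2) == 0;
}

/* Constructed sample table: skip 2, keep 3, skip 1, keep 4 = 10 characters. */
static const uint32_t sample_runs[] = {2, 3, 1, 4};
static const skip_chars_t sample = { sample_runs, 4, 10 };

/* Run index holding `offset` in the sample table, or -1 if rejected. */
long sample_run_index(uint32_t offset) {
    skip_iter_t it = { &sample, 0, 0 };
    if (set_offset_checked(&it, offset) != SET_OK)
        return -1;
    return (long)it.list_prefix_length;
}

/* Length of the run holding `offset` in the sample table, 0 if rejected or at end. */
uint32_t sample_run_length(uint32_t offset) {
    skip_iter_t it = { &sample, 0, 0 };
    if (set_offset_checked(&it, offset) != SET_OK)
        return 0;
    return current_run_length(&it);
}

/* The corrupted index from the report, applied to the sample table. */
int sample_corrupt_iter_is_valid(void) {
    skip_iter_t bad = { &sample, 3260547140u, 0 };
    return iter_is_valid(&bad);
}

int main(void) {
    skip_iter_t it = { &sample, 0, 0 };
    for (uint32_t off = 0; off <= 11; off++) {
        if (set_offset_checked(&it, off) != SET_OK) {
            printf("offset %u rejected (beyond char_count)\n", off);
            continue;
        }
        printf("offset %u: run %zu, len %u, %s\n", off, it.list_prefix_length,
               current_run_length(&it), offset_is_skipped(&it) ? "skipped" : "kept");
    }
    printf("corrupt iterator valid? %d\n", sample_corrupt_iter_is_valid());
    return 0;
}
```

The design point is that the two checks are independent: validating the offset alone would not have caught a run index that was already garbage when the iterator was handed over, so the index is checked against run_count at every dereference rather than trusted from earlier state.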
How old is your tree?  Before roc's backout yesterday?
The tree I tested was from 9am on 7-31.

Checking out a new tree now... in the meantime, tested these nightlies:
2007-07-30-04-trunk:   No Crash
2007-08-01-04-trunk:   **Crash**
Getting a crash with this morning's tree as well.

Reproduced on WinXP using latest nightly.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a7pre) Gecko/2007080105 Minefield/3.0a7pre
OS: Linux → All

Resolving as duplicate of 386584.

(Based on crash location and the fact that both bugs seem triggered by back-out of 385270)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 386584

Because this crash looks potentially exploitable and does not require the user interaction (changing text size) of bug 386584 it's better to leave this open for separate QA verification. We can make it depend on that one instead, although given the handy simple testcase here it might be easier to go the other way.
Status: RESOLVED → REOPENED
Depends on: 386584
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Flags: blocking1.9?
Resolution: DUPLICATE → ---
Whiteboard: [sg:critical] post 1.8-branch

Testcase seems to be fixed by checkin for Bug 385270.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Depends on: 385270
No longer depends on: 386584
Resolution: --- → FIXED
Flags: in-testsuite?

Should this bug's security flag be removed?
Group: security
Flags: in-testsuite? → in-testsuite+