Closed Bug 390417 Opened 17 years ago Closed 17 years ago

Crash [@ gfxSkipCharsIterator::SetOffsets ] with div:first-line {}, many lines of text, and empty line at end

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dholbert, Unassigned)

References

Details

(Whiteboard: [sg:critical] post 1.8-branch)

Attachments

(1 file)

testcase
532 bytes, text/html
Details 
Crashing on gfxSkipChars.cpp:129, which is:

    PRInt32 currentRunLength = mSkipChars->mList[mListPrefixLength];

In my current instance, mListPrefixLength is 3260547140, which makes me think it's coming from uninitialized memory or something.

I also get a few of these assertions before the crash:
 ###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /scratch/work/builds/trunk.07-07-31.09-38/mozilla/gfx/thebes/src/gfxSkipChars.cpp, line 92

Also, if there's enough text to create a vertical scrollbar, the crash doesn't happen. 

Right now, it looks like I only get a crash when there's 5+ lines of text... but that could just be circumstantial.

Also, if I make my browser window wide enough before triggering the test case, I don't get the crash (presumably because there are fewer lines)

Found this crash while modifying testcases for bug 387512
Attached file testcase 

    
    

    
  
How old is your tree?  Before roc's backout yesterday?

    
    

    
  
The tree I tested was from 9am on 7-31.

Checking out a new tree now... in the meantime, tested these nightlies:
2007-07-30-04-trunk:   No Crash
2007-08-01-04-trunk:   **Crash**


    
    

    
  
Getting a crash with this morning's tree as well.

    
    

    
  
Reproduced on WinXP using latest nightly.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a7pre) Gecko/2007080105 Minefield/3.0a7pre

OS: Linux → All

    
    

    
  
Resolving as duplicate of 386584.

(Based on crash location and the fact that both bugs seem triggered by back-out of 385270)

Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE

    
    

    
  
Because this crash looks potentially exploitable and does not require the user interaction (changing text size) of bug 386584 it's better to leave this open for separate QA verification. We can make it depend on that one instead, although given the handy simple testcase here it might be easier to go the other way.
Status: RESOLVED → REOPENED
Depends on: 386584
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Flags: blocking1.9?
Resolution: DUPLICATE → ---
Whiteboard: [sg:critical] post 1.8-branch

    
    

    
  
Testcase seems to be fixed by checkin for Bug 385270.

Status: REOPENED → RESOLVED
Closed: 17 years ago17 years ago
Depends on: 385270
No longer depends on: 386584
Resolution: --- → FIXED

    
  
Flags: in-testsuite?

    
    

    
  
Should this bug's security flag be removed?

    
  
Group: security
Flags: in-testsuite? → in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: