Closed Bug 395556 Opened 17 years ago Closed 16 years ago

"ASSERTION: colgroup data should not be null" with large columnspan and strangely nested table elements

Categories: Core :: MathML, defect
Platform: x86, macOS
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED WORKSFORME
People: Reporter: jruderman, Assigned: rbs
Keywords: assertion, testcase
Attachments: 2 files

Loading the testcase triggers:

###!!! ASSERTION: colgroup data should not be null - bug 237421: 'mCols[i].mColGroup', file /Users/jruderman/trunk/mozilla/layout/tables/nsTablePainter.cpp, line 257

Even though the columnspan in the markup is much smaller, this testcase eventually (~15 seconds) triggers the assertion simply by adding <style> elements that don't do anything to the document. I found the bug because of this phenomenon.

It looks like this is due to an overflow of a 16-bit value somewhere. Modifying the first simple testcase, I get this behavior:

columnspan="65536" (2^16) or any lower value: No bug. (no colgroup assertion)
columnspan="65537" (2^16 + 1) or any higher value: *BUG* (colgroup assertion)

<math:mtd columnspan="72205">

Somebody is sneaking through the large colspan protection; see http://lxr.mozilla.org/seamonkey/source/content/html/content/src/nsHTMLTableCellElement.cpp#265
We need to do the same for the mtd, otherwise insane colspan values are easily used as DOS attacks against FF.

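An added example, not Gecko code and not part of this bug: a span-attribute parser that caps oversized values before layout sees them, next to the 16-bit narrowing the earlier comment suspects. The names ParseSpan, StoreUnchecked and StoreChecked and the cap of 1000 are assumptions made for illustration; the page does not state the limit the HTML cell code uses.

```cpp
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>

// Hypothetical cap chosen for this example only.
constexpr int32_t kMaxSpan = 1000;

// Parse a columnspan/colspan attribute into [1, kMaxSpan].
// Non-numeric, zero and negative input fall back to 1;
// oversized input is capped instead of being handed to layout.
int32_t ParseSpan(const std::string& attr) {
  errno = 0;
  char* end = nullptr;
  long v = std::strtol(attr.c_str(), &end, 10);
  if (end == attr.c_str() || *end != '\0') return 1;  // empty or trailing junk
  if (errno == ERANGE) return v > 0 ? kMaxSpan : 1;   // did not fit in long
  if (v < 1) return 1;
  return static_cast<int32_t>(v > kMaxSpan ? kMaxSpan : v);
}

// Unchecked narrowing: the value is silently reduced modulo 2^16,
// so a span just above 65536 comes out as a small number.
uint16_t StoreUnchecked(long span) { return static_cast<uint16_t>(span); }

// Checked narrowing: reject values that do not fit rather than wrap.
bool StoreChecked(long span, uint16_t* out) {
  if (span < 0 || span > UINT16_MAX) return false;
  *out = static_cast<uint16_t>(span);
  return true;
}

int main() {
  // Constructed inputs: the boundary values and the testcase value from this bug.
  const char* samples[] = {"65536", "65537", "72205"};
  for (const char* s : samples) {
    long raw = std::strtol(s, nullptr, 10);
    uint16_t stored = 0;
    bool fits = StoreChecked(raw, &stored);
    std::printf("attr=%s capped=%d unchecked16=%u fits16=%s\n", s,
                static_cast<int>(ParseSpan(s)),
                static_cast<unsigned>(StoreUnchecked(raw)),
                fits ? "yes" : "no");
  }
  return 0;
}
```
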
WFM. Probably fixed by bug 443089.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME