Bug 396321 (Closed): "ASSERTION: Couldn't find glyph for trailing marker" with <svg:text>, RLE
Opened 17 years ago; closed 17 years ago
Categories: Core :: Graphics, defect, P1
Status: VERIFIED FIXED
People: Reporter: jruderman, Assigned: roc
Details: Keywords: assertion, crash, testcase; Whiteboard: [sg:critical]
Attachments (2 files):
  182 bytes, image/svg+xml (the testcase)
  3.67 KB, patch (attachment #285958, "fix"); flags: pavlov: review+, vlad: approvalM9+, vlad: approval1.9+
Description
Loading the testcase triggers this assertion, at least the first time it's loaded in a session:

###!!! ASSERTION: Couldn't find glyph for trailing marker: 'glyphRecords[numGlyphs - 1].originalOffset == aSegmentLength*2', file /Users/jruderman/trunk/mozilla/gfx/thebes/src/gfxAtsuiFonts.cpp, line 865

With a testcase more complicated than the one I'm attaching, this leads to a crash that looks exploitable. I'm testing with the patch from bug 395458 comment 3.
Flags: blocking1.9?
Updated 17 years ago (Reporter)
Whiteboard: [sg:critical]
Comment 1 (Assignee, 17 years ago)
The text-frame code strips IsDiscardable characters before creating a textrun with them; looks like SVG needs to, too:
http://mxr.mozilla.org/seamonkey/source/layout/generic/nsTextFrameUtils.cpp#73
I suppose I could add these to gfxFontGroup::IsInvalidChar, though, which would fix this. Guess I'll do that.
Assignee: nobody → roc
Updated 17 years ago
Flags: blocking1.9? → blocking1.9+
Comment 2 (Assignee, 17 years ago)
I need the patch in bug 395458 to land first because it will conflict with this one.
Depends on: 395458
Whiteboard: [sg:critical] → [sg:critical] [depends on 395458]
Updated 17 years ago
Priority: -- → P1
Updated 17 years ago (Assignee)
Whiteboard: [sg:critical] [depends on 395458] → [sg:critical]
Comment 3 (Assignee, 17 years ago)
Just make bidi control characters illegal to be passed to MakeTextRun. gfxTextRunWordCache (which SVG and all other textrun consumers use) will filter them automatically.
Attachment #285958 - Flags: review?(pavlov)
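The two-layer approach from comments 1 and 3, as an added example that is not Mozilla's code: discardable characters are stripped before a text run is built (what the text-frame path did and the SVG path skipped), and the text-run factory refuses bidi controls outright so that a caller which forgets the filter fails closed rather than reaching the shaper. The names IsBidiControl, IsDiscardableChar, StripDiscardable and MakeTextRunChecked are assumptions, and the one-glyph-per-code-unit shaper is a toy standing in for ATSUI.

```cpp
// Added example, not Gecko code: models the fix discussed in comments 1 and 3.
#include <cstdint>
#include <string>
#include <vector>

// Unicode bidi control characters: LRM, RLM, LRE, RLE, PDF, LRO, RLO, plus the
// isolate controls U+2066..U+2069 that Unicode 6.3 added later. They steer
// layout but produce no glyph, so a shaper that expects a glyph record for
// every code unit cannot satisfy its "trailing marker" invariant once one of
// them (e.g. RLE, as in this bug's testcase) reaches it.
bool IsBidiControl(char16_t ch) {
    return ch == 0x200E || ch == 0x200F ||
           (ch >= 0x202A && ch <= 0x202E) ||
           (ch >= 0x2066 && ch <= 0x2069);
}

// Stand-in for the IsDiscardable test in nsTextFrameUtils: bidi controls plus
// the soft hyphen (U+00AD), which likewise has no glyph of its own.
bool IsDiscardableChar(char16_t ch) {
    return IsBidiControl(ch) || ch == 0x00AD;
}

// Layer 1 (comment 1): drop discardable characters before building a text run.
std::u16string StripDiscardable(const std::u16string& text) {
    std::u16string out;
    out.reserve(text.size());
    for (char16_t ch : text) {
        if (!IsDiscardableChar(ch)) out.push_back(ch);
    }
    return out;
}

// Layer 2 (comment 3): the factory treats bidi controls as invalid input and
// returns false instead of shaping, so a consumer that skipped layer 1 cannot
// trigger the assertion (or the crash behind it). On success, glyphOffsets
// holds each glyph's original UTF-16 byte offset, the quantity the bug's
// assertion compares against aSegmentLength*2.
bool MakeTextRunChecked(const std::u16string& text, std::vector<uint32_t>& glyphOffsets) {
    for (char16_t ch : text) {
        if (IsBidiControl(ch)) return false;  // refuse rather than shape
    }
    glyphOffsets.clear();
    for (size_t i = 0; i < text.size(); ++i) {
        glyphOffsets.push_back(static_cast<uint32_t>(i * 2));
    }
    return true;
}
```
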
Updated 17 years ago (Assignee)
Whiteboard: [sg:critical] → [sg:critical][needs review]
Comment 4 (17 years ago)
Comment on attachment 285958 [details] [diff] [review]
fix

This is fine -- IMHO unicharutil should live near the bottom of the dependency stack. That said, nsBidiUtils.h shouldn't include nsCOMPtr.h.
Attachment #285958 - Flags: review?(pavlov) → review+
Updated 17 years ago
Attachment #285958 - Flags: approvalM9?
Updated 17 years ago (Assignee)
Whiteboard: [sg:critical][needs review] → [sg:critical][needs approval/landing]
Comment on attachment 285958 [details] [diff] [review]
fix

a=drivers, please land ASAP for M9.
Attachment #285958 - Flags: approvalM9?
Attachment #285958 - Flags: approvalM9+
Attachment #285958 - Flags: approval1.9+
Comment 6 (Assignee, 17 years ago)
Checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical][needs approval/landing] → [sg:critical]
Updated 17 years ago
Flags: in-testsuite?
Comment 7 (17 years ago)
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b3pre) Gecko/2008011009 Firefox/3.0b3pre ID:2008011009 and the testcase from Jesse. -> Verified fixed
Status: RESOLVED → VERIFIED
Comment 8 (Reporter, 16 years ago)
This bug doesn't seem to affect the 1.8 branch.
Group: security
Flags: wanted1.8.1.x-