Closed Bug 429458 Opened 16 years ago Closed 15 years ago

"ASSERTION: Bad offset" in nsTextFrameThebes.cpp with XBL

Categories

(Core :: Layout: Text and Fonts, defect)

x86
macOS
defect
Not set
normal


RESOLVED WORKSFORME

People

(Reporter: jruderman, Assigned: roc)

Details

(Keywords: assertion, testcase, Whiteboard: [sg:critical?])

Attachments

(1 file)

673 bytes, application/xhtml+xml
Attached file testcase
Gary Kwong found this bug and I helped make a reduced testcase.

Firefox displays the text in the testcase incorrectly (e.g. the first two letters of "apples" are missing) and asserts:

###!!! ASSERTION: Range out of bounds: 'IsInBounds(mStart, mLength, aStart, aLength)', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 2189

###!!! ASSERTION: No text for IsSpace!: 'aPos < aFrag->GetLength()', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 476

###!!! ASSERTION: bad index: 'PRUint32(aIndex) < mState.mLength', file /Users/jruderman/trunk/mozilla/layout/base/../../content/base/src/nsTextFragment.h, line 184

###!!! ASSERTION: Bad offset: 'aPos <= aFrag->GetLength()', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 466

Bug 426272 triggers many of the same assertions, but not the last one, and has a very different testcase.

Filing as security-sensitive because I get scared when nsTextFrameThebes.cpp complains about bad indices and offsets.
I think these assertions are scary enough to warrant "[sg:critical?]". If this bug isn't exploitable, it can be downgraded to [sg:want P2] (on the grounds that it interferes with fuzz-testing to look for other testcases that trigger similar problems).
Whiteboard: [sg:critical?]
This bug has been placed on the "Top Security Bugs" list. Vlad, can you find someone to assign this to and please treat it as a top priority.
Assignee: nobody → roc
Bug 471594 might be related.
(-> Layout)
Component: GFX: Thebes → Layout: Text
QA Contact: thebes → layout.fonts-and-text
Whiteboard: [sg:critical?] → [sg:critical?] common fuzz blocker
In a Linux mozilla-central build (with my patch queue) I don't see any assertions on this testcase.  Is this somehow platform-specific, or is it fixed?
Keywords: qawanted
I'm not seeing the assertions or mis-rendering any more.  WFM.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Keywords: qawanted
Whiteboard: [sg:critical?] common fuzz blocker → [sg:critical?]
Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0c4ed86ff0dd
Group: core-security
Flags: in-testsuite? → in-testsuite+