Closed Bug 429458 Opened 12 years ago Closed 11 years ago
"ASSERTION: Bad offset" in nsTextFrameThebes.cpp with XBL
Gary Kwong found this bug and I helped make a reduced testcase. Firefox displays the text in the testcase incorrectly (e.g. the first two letters of "apples" are missing) and asserts:

###!!! ASSERTION: Range out of bounds: 'IsInBounds(mStart, mLength, aStart, aLength)', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 2189
###!!! ASSERTION: No text for IsSpace!: 'aPos < aFrag->GetLength()', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 476
###!!! ASSERTION: bad index: 'PRUint32(aIndex) < mState.mLength', file /Users/jruderman/trunk/mozilla/layout/base/../../content/base/src/nsTextFragment.h, line 184
###!!! ASSERTION: Bad offset: 'aPos <= aFrag->GetLength()', file /Users/jruderman/trunk/mozilla/layout/generic/nsTextFrameThebes.cpp, line 466

Bug 426272 triggers many of the same assertions, but not the last one, and has a very different testcase. Filing as security-sensitive because I get scared when nsTextFrameThebes.cpp complains about bad indices and offsets.
I think these assertions are scary enough to warrant "[sg:critical?]". If this bug isn't exploitable, it can be downgraded to [sg:want P2] (on the grounds that it interferes with fuzz-testing to look for other testcases that trigger similar problems).
This bug has been placed on the "Top Security Bugs" list. Vlad, can you find someone to assign this to and please treat it as a top priority.
11 years ago
Assignee: nobody → roc
Bug 471594 might be related.
Component: GFX: Thebes → Layout: Text
QA Contact: thebes → layout.fonts-and-text
Whiteboard: [sg:critical?] → [sg:critical?] common fuzz blocker
In a Linux mozilla-central build (with my patch queue) I don't see any assertions on this testcase. Is this somehow platform-specific, or is it fixed?
I'm not seeing the assertions or mis-rendering any more. WFM.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Whiteboard: [sg:critical?] common fuzz blocker → [sg:critical?]
Landed a crashtest: https://hg.mozilla.org/integration/mozilla-inbound/rev/0c4ed86ff0dd
Flags: in-testsuite? → in-testsuite+