Bug 444452 - Crash with adding weird character into input
Status: Closed, VERIFIED FIXED
Opened 16 years ago; closed 16 years ago
Categories: Core :: Graphics, defect, P1
People: Reporter: martijn.martijn, Assigned: smontagu
5 keywords; Whiteboard: [sg:critical?][fixed by bug 445711]
Attachments: 2 files
See testcase, which usually crashes within 10s after load. I got this with the Indic IME extension, when pressing the letter 'g' constantly, while Hindi language was selected and the Inscript keyboard. This regressed between 2007-08-28 and 2007-08-29: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-08-28+04&maxdate=2007-08-29+08&cvsroot=%2Fcvsroot I think it is a regression from bug 378457.
Comment 1 (Reporter) • 16 years ago
VC express also complained about heap corruption, btw.
msvcr80d.dll!__free_dbg_nolock() + 0x313 bytes
msvcr80d.dll!__free_dbg() + 0x4e bytes
msvcr80d.dll!_free() + 0xe bytes
> nspr4.dll!PR_Free(void * ptr=0x055740e8) Line 536 + 0xa bytes C
xpcom_core.dll!NS_Free_P(void * ptr=0x055740e8) Line 303 + 0xa bytes C++
xpcom_core.dll!nsTArray_base::ShrinkCapacity(unsigned int elemSize=2) Line 130 + 0xb bytes C++
xpcom_core.dll!nsTArray_base::ShiftData(unsigned int start=0, unsigned int oldLen=137, unsigned int newLen=0, unsigned int elemSize=2) Line 163 C++
thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::RemoveElementsAt(unsigned int start=0, unsigned int count=137) Line 601 C++
thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::Clear() Line 611 C++
thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::~nsTArray<tag_SCRIPT_VISATTR>() Line 267 + 0xf bytes C++
thebes.dll!nsAutoTArray<tag_SCRIPT_VISATTR,76>::~nsAutoTArray<tag_SCRIPT_VISATTR,76>() + 0xf bytes C++
thebes.dll!UniscribeItem::~UniscribeItem() Line 1269 + 0x46 bytes C++
thebes.dll!UniscribeItem::`scalar deleting destructor'() + 0xf bytes C++
thebes.dll!nsAutoPtr<UniscribeItem>::~nsAutoPtr<UniscribeItem>() Line 104 + 0x1e bytes C++
thebes.dll!gfxWindowsFontGroup::InitTextRunUniscribe(gfxContext * aContext=0x0566d1f0, gfxTextRun * aRun=0x053f8cf0, const unsigned short * aString=0x001298e4, unsigned int aLength=81) Line 2229 + 0x8 bytes C++
thebes.dll!gfxWindowsFontGroup::MakeTextRun(const unsigned short * aString=0x001298e4, unsigned int aLength=81, const gfxTextRunFactory::Parameters * aParams=0x00129e78, unsigned int aFlags=17826305) Line 935 C++
thebes.dll!TextRunWordCache::MakeTextRun(const unsigned short * aText=0x0012b35c, unsigned int aLength=80, gfxFontGroup * aFontGroup=0x06176b70, const gfxTextRunFactory::Parameters * aParams=0x0012b2dc, unsigned int aFlags=17826304) Line 532 + 0x31 bytes C++
etc...
Comment 2 • 16 years ago
Can you figure out what character was being inserted (e.g. using an oninput attribute) and then try to reproduce the bug without IME?
Comment 3 (Reporter) • 16 years ago
See testcase, it can be reproduced with the IME extension. The 'ु' character is being inserted. I can imagine that some people are even using these kinds of characters, so I am requesting blocking.
Flags: wanted1.9.1?
Flags: wanted1.9.0.x?
Flags: blocking1.9.1?
Flags: blocking1.9.0.2?
Stuart, can you take a look at this?
Assignee: nobody → pavlov
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Flags: blocking1.9.1+
Priority: -- → P1
Comment 5 (Reporter) • 16 years ago
This is probably the same bug as bug 445711.
Comment 6 (Assignee) • 16 years ago
I don't think this is the same as bug 445711. The issue there is a buffer overrun triggered by the fact that the single character "ௌ" is rendered as three glyphs.
Comment 7 (Assignee) • 16 years ago
That said, the patch from bug 445711 seems to fix this too, so what do I know?
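Comment 6 describes the failure class behind bug 445711: a glyph buffer sized on the assumption of one glyph per input code unit, overrun when a single character shapes to three glyphs. The following C is an added illustration, not Mozilla's code: `shape_char` is a constructed stand-in for a shaping engine (glyph ids and the 3-glyph expansion of U+0BCC are made up for the example), and `shape_run` shows the defensive shape of the fix, checking the real glyph count against the buffer capacity before writing and reporting the required size instead of overrunning.

```c
/* Added example, not Mozilla's code: glyph shaping with an explicit capacity
   check, so a character that expands to several glyphs cannot overrun the
   output buffer. shape_char() is a constructed stand-in for a real engine. */
#include <stddef.h>
#include <stdint.h>

#define MAX_GLYPHS_PER_CHAR 3   /* constructed upper bound for this toy engine */

/* Constructed shaping stand-in: every code unit becomes one glyph, except
   U+0BCC (the character named in comment 6), which expands to three.
   Glyph ids are invented. Writes into out[] and returns the count written. */
size_t shape_char(uint16_t cu, uint32_t *out) {
    if (cu == 0x0BCC) {
        out[0] = 0x1000; out[1] = 0x1001; out[2] = 0x1002;
        return 3;
    }
    out[0] = (uint32_t)cu;
    return 1;
}

/* First pass: exact number of glyphs the string will produce. */
size_t count_glyphs(const uint16_t *s, size_t len) {
    size_t total = 0;
    uint32_t scratch[MAX_GLYPHS_PER_CHAR];
    for (size_t i = 0; i < len; i++)
        total += shape_char(s[i], scratch);
    return total;
}

/* Shape s[0..len) into glyphs[0..cap). The required glyph count is checked
   against cap before anything is written. If the buffer is too small nothing
   is written, *needed reports the required size and -1 is returned, so the
   caller can reallocate rather than the routine overrunning. 0 on success. */
int shape_run(const uint16_t *s, size_t len, uint32_t *glyphs, size_t cap,
              size_t *needed) {
    size_t need = count_glyphs(s, len);
    *needed = need;
    if (need > cap)
        return -1;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += shape_char(s[i], glyphs + n);   /* every write ends <= need <= cap */
    return 0;
}

/* Constructed sample: 'g', U+0BCC, 'A' -> 1 + 3 + 1 = 5 glyphs from 3 units. */
static const uint16_t sample_text[] = { 0x0067, 0x0BCC, 0x0041 };
#define SAMPLE_LEN 3

/* Exercises the 1:1-sized buffer (the assumption that overruns) and a
   correctly sized one. Returns 1 when the checked path behaves as intended. */
int demo(void) {
    uint32_t one_to_one[SAMPLE_LEN];
    uint32_t sized[8];
    size_t needed = 0;
    if (shape_run(sample_text, SAMPLE_LEN, one_to_one, SAMPLE_LEN, &needed) != -1)
        return 0;                      /* must refuse, not overrun */
    if (needed != 5)
        return 0;
    if (shape_run(sample_text, SAMPLE_LEN, sized, 8, &needed) != 0)
        return 0;
    return sized[0] == 0x0067 && sized[1] == 0x1000 &&
           sized[3] == 0x1002 && sized[4] == 0x0041;
}
```

The point of the two-pass shape is that the capacity decision is made on the engine's actual output count, not on the input length; a crash like the one in comment 1, where the heap allocator complains in a destructor long after the overrun, is the typical symptom when that check is missing.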
Updated • 16 years ago
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.2?
Flags: blocking1.9.0.2+
Whiteboard: [fixed by bug 445711]
Updated • 16 years ago
Assignee: pavlov → smontagu
Comment 8 (Assignee) • 16 years ago
Should be fixed by bug 445711, please reopen if there is still a problem.
Comment 9 • 16 years ago
verified fixed on the 1.9.0 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.2pre) Gecko/2008082105 GranParadiso/3.0.2pre. I verified using the testcase that was provided by martijn.
Keywords: fixed1.9.0.2 → verified1.9.0.2
Updated • 16 years ago
Whiteboard: [fixed by bug 445711] → [sg:critical?][fixed by bug 445711]
Updated • 16 years ago
Group: core-security
Comment 10 • 16 years ago
verified fixed on 1.9 Beta 1 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.1b1 and the testcase from martijn. No crash on testcase -> verified fixed.
Status: RESOLVED → VERIFIED
Updated • 16 years ago
Keywords: fixed1.9.1
Comment 11 • 16 years ago
Based on Comment 10 I am updating the 1.9.1 keyword to indicate this has been verified.
Keywords: fixed1.9.1 → verified1.9.1