
Crash with adding weird character into input

(Reporter: Martijn Wargers (dead), Assigned: smontagu)

Windows XP
Keywords: crash, regression, testcase, verified1.9.0.2, verified1.9.1
Bug Flags:
blocking1.9.1 +
blocking1.9.0.2 +
wanted1.9.0.x +

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:critical?][fixed by bug 445711])


(2 attachments)

9 years ago
Created attachment 328755

See testcase, which usually crashes within 10s after load.

I got this with the indic IME extension, when pressing the letter 'g' constantly, while Hindi language was selected and Inscript keyboard.

This regressed between 2007-08-28 and 2007-08-29:
I think it is a regression from bug 378457.

Comment 1

9 years ago
Created attachment 328757
backtrace from debug build

VC express also complained about heap corruption, btw.

 	msvcr80d.dll!__free_dbg_nolock()  + 0x313 bytes	
 	msvcr80d.dll!__free_dbg()  + 0x4e bytes	
 	msvcr80d.dll!_free()  + 0xe bytes	
>	nspr4.dll!PR_Free(void * ptr=0x055740e8)  Line 536 + 0xa bytes	C
 	xpcom_core.dll!NS_Free_P(void * ptr=0x055740e8)  Line 303 + 0xa bytes	C++
 	xpcom_core.dll!nsTArray_base::ShrinkCapacity(unsigned int elemSize=2)  Line 130 + 0xb bytes	C++
 	xpcom_core.dll!nsTArray_base::ShiftData(unsigned int start=0, unsigned int oldLen=137, unsigned int newLen=0, unsigned int elemSize=2)  Line 163	C++
 	thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::RemoveElementsAt(unsigned int start=0, unsigned int count=137)  Line 601	C++
 	thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::Clear()  Line 611	C++
 	thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::~nsTArray<tag_SCRIPT_VISATTR>()  Line 267 + 0xf bytes	C++
 	thebes.dll!nsAutoTArray<tag_SCRIPT_VISATTR,76>::~nsAutoTArray<tag_SCRIPT_VISATTR,76>()  + 0xf bytes	C++
 	thebes.dll!UniscribeItem::~UniscribeItem()  Line 1269 + 0x46 bytes	C++
 	thebes.dll!UniscribeItem::`scalar deleting destructor'()  + 0xf bytes	C++
 	thebes.dll!nsAutoPtr<UniscribeItem>::~nsAutoPtr<UniscribeItem>()  Line 104 + 0x1e bytes	C++
 	thebes.dll!gfxWindowsFontGroup::InitTextRunUniscribe(gfxContext * aContext=0x0566d1f0, gfxTextRun * aRun=0x053f8cf0, const unsigned short * aString=0x001298e4, unsigned int aLength=81)  Line 2229 + 0x8 bytes	C++
 	thebes.dll!gfxWindowsFontGroup::MakeTextRun(const unsigned short * aString=0x001298e4, unsigned int aLength=81, const gfxTextRunFactory::Parameters * aParams=0x00129e78, unsigned int aFlags=17826305)  Line 935	C++
 	thebes.dll!TextRunWordCache::MakeTextRun(const unsigned short * aText=0x0012b35c, unsigned int aLength=80, gfxFontGroup * aFontGroup=0x06176b70, const gfxTextRunFactory::Parameters * aParams=0x0012b2dc, unsigned int aFlags=17826304)  Line 532 + 0x31 bytes	C++

Comment 2

9 years ago
Can you figure out what character was being inserted (e.g. using an oninput attribute) and then try to reproduce the bug without IME?

Comment 3

9 years ago
See testcase; it can be reproduced with the IME extension. The 'ु' character is being inserted.
I can imagine that some people are even using these kinds of characters, so I'm requesting blocking.
Flags: wanted1.9.1?
Flags: wanted1.9.0.x?
Flags: blocking1.9.1?
Flags: blocking1.9.0.2?

Comment 4

Stuart, can you take a look at this?
Assignee: nobody → pavlov
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Flags: blocking1.9.1+
Priority: -- → P1

Comment 5

9 years ago
This is probably the same bug as bug 445711.

Comment 6

9 years ago
I don't think this is the same as bug 445711. The issue there is a buffer overrun triggered by the fact that the single character "ௌ" is rendered as three glyphs.
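As an added C illustration (not Mozilla's code; the glyph model, the VisAttr type and the function names are constructed for this example) of the overrun described in comment 6: a per-glyph attribute buffer sized by character count overflows as soon as one character shapes to three glyphs, so the shaper must bound its writes and the caller must grow the buffer, which is the contract of Uniscribe's ScriptShape (it returns E_OUTOFMEMORY when cMaxGlyphs is too small).

```c
/* Added illustration, not Mozilla's code: a shaping step in the style of
 * Uniscribe's ScriptShape, where the caller supplies the glyph buffers and
 * the shaper may emit MORE glyphs than input characters. Sizing the per-glyph
 * attribute array by character count is the overrun comment 6 describes. */
#include <stdint.h>
#include <stdlib.h>

#define SHAPE_OK            0
#define SHAPE_OUT_OF_MEMORY (-1)  /* like E_OUTOFMEMORY: cMaxGlyphs too small */

typedef struct { uint8_t is_cluster_start; } VisAttr;  /* stand-in for SCRIPT_VISATTR */

/* Constructed glyph model: the Tamil vowel sign AU (U+0BCC) from comment 6
 * shapes to three glyphs; every other code unit shapes to one. */
static size_t glyphs_for_char(uint16_t c) { return c == 0x0BCC ? 3 : 1; }

/* Fills attrs[0..max_glyphs). Either succeeds and sets *out_glyphs, or
 * reports SHAPE_OUT_OF_MEMORY without writing past max_glyphs. */
int shape_bounded(const uint16_t *chars, size_t nchars, size_t max_glyphs,
                  VisAttr *attrs, size_t *out_glyphs)
{
    size_t g = 0;
    for (size_t i = 0; i < nchars; i++) {
        size_t n = glyphs_for_char(chars[i]);
        if (g + n > max_glyphs)       /* the bounds check an overrun lacks */
            return SHAPE_OUT_OF_MEMORY;
        for (size_t k = 0; k < n; k++, g++)
            attrs[g].is_cluster_start = (k == 0);
    }
    *out_glyphs = g;
    return SHAPE_OK;
}

/* Caller pattern: start from the character count as an estimate and grow on
 * SHAPE_OUT_OF_MEMORY instead of assuming one glyph per character. Returns
 * the glyph count (0 on allocation failure); the caller frees *attrs. */
size_t shape_growing(const uint16_t *chars, size_t nchars, VisAttr **attrs)
{
    size_t cap = nchars ? nchars : 1, nglyphs = 0;
    *attrs = NULL;
    for (;;) {
        VisAttr *buf = realloc(*attrs, cap * sizeof(VisAttr));
        if (!buf) { free(*attrs); *attrs = NULL; return 0; }
        *attrs = buf;
        if (shape_bounded(chars, nchars, cap, buf, &nglyphs) == SHAPE_OK)
            return nglyphs;
        cap *= 2;   /* retry with a larger buffer, as ScriptShape callers do */
    }
}
```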

Comment 7

9 years ago
That said, the patch from bug 445711 seems to fix this too, so what do I know?
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.2?
Flags: blocking1.9.0.2+
Whiteboard: [fixed by bug 445711]
Assignee: pavlov → smontagu

Comment 8

9 years ago
Should be fixed by bug 445711, please reopen if there is still a problem.
Last Resolved: 9 years ago
Keywords: fixed1.9.0.2
Resolution: --- → FIXED
Comment 9

Verified fixed on the 1.9.0 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/2008082105 GranParadiso/3.0.2pre. I verified using the testcase that was provided by martijn.
Keywords: fixed1.9.0.2 → verified1.9.0.2
Whiteboard: [fixed by bug 445711] → [sg:critical?][fixed by bug 445711]
Group: core-security

Comment 10

Verified fixed on 1.9 Beta 1 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.1b1 and the testcase from martijn. No crash on testcase -> Verified fixed.
Keywords: fixed1.9.1

Comment 11

Based on Comment 10 I am updating the 1.9.1 keyword to indicate this has been verified.
Keywords: fixed1.9.1 → verified1.9.1