
Crash with adding weird character into input

VERIFIED FIXED

Status

Status: VERIFIED FIXED
Product: Core
Component: Graphics
Priority: P1
Severity: critical
Reported: 9 years ago
Modified: 9 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: smontagu)

Tracking

Version: Trunk
Hardware: x86
OS: Windows XP
Keywords (5): crash, regression, testcase, verified1.9.0.2, verified1.9.1
Points:
---
Bug Flags:
blocking1.9.1 +
blocking1.9.0.2 +
wanted1.9.0.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?][fixed by bug 445711])

Attachments

(2 attachments)

(Reporter)

Description

9 years ago
Created attachment 328755 [details]
testcase

See testcase, which usually crashes within 10s after load.

I got this with the Indic IME extension, when pressing the letter 'g' constantly while the Hindi language and the Inscript keyboard were selected.

This regressed between 2007-08-28 and 2007-08-29:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-08-28+04&maxdate=2007-08-29+08&cvsroot=%2Fcvsroot
I think it is a regression from bug 378457.
(Reporter)

Comment 1

9 years ago
Created attachment 328757 [details]
backtrace from debug build

VC express also complained about heap corruption, btw.

 	msvcr80d.dll!__free_dbg_nolock()  + 0x313 bytes	
 	msvcr80d.dll!__free_dbg()  + 0x4e bytes	
 	msvcr80d.dll!_free()  + 0xe bytes	
>	nspr4.dll!PR_Free(void * ptr=0x055740e8)  Line 536 + 0xa bytes	C
 	xpcom_core.dll!NS_Free_P(void * ptr=0x055740e8)  Line 303 + 0xa bytes	C++
 	xpcom_core.dll!nsTArray_base::ShrinkCapacity(unsigned int elemSize=2)  Line 130 + 0xb bytes	C++
 	xpcom_core.dll!nsTArray_base::ShiftData(unsigned int start=0, unsigned int oldLen=137, unsigned int newLen=0, unsigned int elemSize=2)  Line 163	C++
 	thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::RemoveElementsAt(unsigned int start=0, unsigned int count=137)  Line 601	C++
 	thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::Clear()  Line 611	C++
 	thebes.dll!nsTArray<tag_SCRIPT_VISATTR>::~nsTArray<tag_SCRIPT_VISATTR>()  Line 267 + 0xf bytes	C++
 	thebes.dll!nsAutoTArray<tag_SCRIPT_VISATTR,76>::~nsAutoTArray<tag_SCRIPT_VISATTR,76>()  + 0xf bytes	C++
 	thebes.dll!UniscribeItem::~UniscribeItem()  Line 1269 + 0x46 bytes	C++
 	thebes.dll!UniscribeItem::`scalar deleting destructor'()  + 0xf bytes	C++
 	thebes.dll!nsAutoPtr<UniscribeItem>::~nsAutoPtr<UniscribeItem>()  Line 104 + 0x1e bytes	C++
 	thebes.dll!gfxWindowsFontGroup::InitTextRunUniscribe(gfxContext * aContext=0x0566d1f0, gfxTextRun * aRun=0x053f8cf0, const unsigned short * aString=0x001298e4, unsigned int aLength=81)  Line 2229 + 0x8 bytes	C++
 	thebes.dll!gfxWindowsFontGroup::MakeTextRun(const unsigned short * aString=0x001298e4, unsigned int aLength=81, const gfxTextRunFactory::Parameters * aParams=0x00129e78, unsigned int aFlags=17826305)  Line 935	C++
 	thebes.dll!TextRunWordCache::MakeTextRun(const unsigned short * aText=0x0012b35c, unsigned int aLength=80, gfxFontGroup * aFontGroup=0x06176b70, const gfxTextRunFactory::Parameters * aParams=0x0012b2dc, unsigned int aFlags=17826304)  Line 532 + 0x31 bytes	C++
etc...

Comment 2

9 years ago
Can you figure out what character was being inserted (e.g. using an oninput attribute) and then try to reproduce the bug without IME?
(Reporter)

Comment 3

9 years ago
See the testcase; it can be reproduced with the IME extension. The 'ु' character is being inserted.
I can imagine that some people are even using these kinds of characters, so I am requesting blocking.
Flags: wanted1.9.1?
Flags: wanted1.9.0.x?
Flags: blocking1.9.1?
Flags: blocking1.9.0.2?
Stuart, can you take a look at this?
Assignee: nobody → pavlov
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Flags: blocking1.9.1+
Priority: -- → P1
(Reporter)

Comment 5

9 years ago
This is probably the same bug as bug 445711.
(Assignee)

Comment 6

9 years ago
I don't think this is the same as bug 445711. The issue there is a buffer overrun triggered by the fact that the single character "ௌ" is rendered as three glyphs.
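As an added illustration of the bug class comment 6 describes (a single character rendered as several glyphs overrunning a buffer sized by character count), and not code from Gecko, Uniscribe or the patch for bug 445711: a toy shaper in C. The faulty sizing rule allocates one glyph slot per input code unit and happens to work on ordinary text, which is why the defect stays latent until a multi-glyph character arrives; the corrected rule asks the shaper how many glyphs it needs before allocating. The capacity check inside `shape_into` turns what would otherwise be a silent heap overrun, the kind that surfaces later as the heap-corruption report at free time in the comment 1 backtrace, into a reported error. The three-glyph mapping for U+0BCC (the character quoted in comment 6), the glyph ids, the function names and the sample strings are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed rule for the toy shaper: every UTF-16 code unit yields one
 * glyph except one designated vowel sign, which is rendered as three glyphs
 * (the situation comment 6 describes). The value is U+0BCC, the character
 * quoted there; the 3-glyph mapping is an assumption of this example, not a
 * fact about any real font or shaping engine. */
#define MULTI_GLYPH_UNIT  0x0BCCu
#define MULTI_GLYPH_COUNT 3

/* Pass 1: how many glyph slots the shaped text actually needs. */
size_t glyphs_needed(const uint16_t *text, size_t len)
{
    size_t total = 0;
    for (size_t i = 0; i < len; i++)
        total += (text[i] == MULTI_GLYPH_UNIT) ? MULTI_GLYPH_COUNT : 1;
    return total;
}

/* Pass 2: write glyph ids into a caller-supplied buffer. Returns 0 on
 * success, or -1 without writing anything if the buffer is too small. A
 * shaper lacking this check would write past the end of the buffer and the
 * damage would only show up later, e.g. when the buffer is freed. */
int shape_into(const uint16_t *text, size_t len,
               uint16_t *glyphs, size_t cap, size_t *written)
{
    if (glyphs_needed(text, len) > cap)
        return -1;
    size_t g = 0;
    for (size_t i = 0; i < len; i++) {
        if (text[i] == MULTI_GLYPH_UNIT) {
            /* constructed glyph ids: a private base id plus a per-piece offset */
            for (int k = 0; k < MULTI_GLYPH_COUNT; k++)
                glyphs[g++] = (uint16_t)(0xF000u + (unsigned)k);
        } else {
            glyphs[g++] = text[i];   /* identity mapping for the toy shaper */
        }
    }
    *written = g;
    return 0;
}

/* The faulty sizing rule: one glyph slot per input code unit. Returns the
 * glyph count on success or -1 when the shaper reports the buffer too small. */
long shape_sized_by_chars(const uint16_t *text, size_t len)
{
    uint16_t *buf = malloc((len ? len : 1) * sizeof *buf);
    if (!buf)
        return -1;
    size_t written = 0;
    int rc = shape_into(text, len, buf, len, &written);
    free(buf);
    return rc == 0 ? (long)written : -1;
}

/* The corrected sizing rule: query the required glyph count, then allocate. */
long shape_sized_by_glyphs(const uint16_t *text, size_t len)
{
    size_t need = glyphs_needed(text, len);
    uint16_t *buf = malloc((need ? need : 1) * sizeof *buf);
    if (!buf)
        return -1;
    size_t written = 0;
    int rc = shape_into(text, len, buf, need, &written);
    free(buf);
    return rc == 0 ? (long)written : -1;
}

/* Constructed samples: plain ASCII (4 code units, 4 glyphs) and the same
 * text with the multi-glyph vowel sign inserted (5 code units, 7 glyphs). */
static const uint16_t SAMPLE_PLAIN[] = { 'a', 'b', 'c', 'd' };
static const uint16_t SAMPLE_MULTI[] = { 'a', 'b', MULTI_GLYPH_UNIT, 'c', 'd' };
#define COUNT_OF(a) (sizeof(a) / sizeof((a)[0]))

size_t multi_glyphs_needed(void) { return glyphs_needed(SAMPLE_MULTI, COUNT_OF(SAMPLE_MULTI)); }
long plain_by_chars(void)        { return shape_sized_by_chars(SAMPLE_PLAIN, COUNT_OF(SAMPLE_PLAIN)); }
long multi_by_chars(void)        { return shape_sized_by_chars(SAMPLE_MULTI, COUNT_OF(SAMPLE_MULTI)); }
long multi_by_glyphs(void)       { return shape_sized_by_glyphs(SAMPLE_MULTI, COUNT_OF(SAMPLE_MULTI)); }
```

The design point is that the shaper, not the caller, owns the knowledge of how many glyphs a string produces, so the output capacity has to come from a query (or a growable array) rather than from the input length; the explicit capacity check is what makes the mismatch visible instead of leaving it to the allocator to notice at free time.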
(Assignee)

Comment 7

9 years ago
That said, the patch from bug 445711 seems to fix this too, so what do I know?
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.2?
Flags: blocking1.9.0.2+
Whiteboard: [fixed by bug 445711]
Assignee: pavlov → smontagu
(Assignee)

Comment 8

9 years ago
Should be fixed by bug 445711, please reopen if there is still a problem.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Keywords: fixed1.9.0.2
Resolution: --- → FIXED
Verified fixed on the 1.9.0 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.2pre) Gecko/2008082105 GranParadiso/3.0.2pre. I verified using the testcase that was provided by Martijn.
Keywords: fixed1.9.0.2 → verified1.9.0.2
Whiteboard: [fixed by bug 445711] → [sg:critical?][fixed by bug 445711]
Group: core-security
Verified fixed on 1.9 Beta 1 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b1) Gecko/20081007 Firefox/3.1b1 and the testcase from Martijn. No crash on the testcase -> verified fixed.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1
Based on Comment 10 I am updating the 1.9.1 keyword to indicate this has been verified.
Keywords: fixed1.9.1 → verified1.9.1