Closed Bug 445711 Opened 14 years ago Closed 14 years ago

Firefox crashes when it meets over 25 "ௌ". (U+0BCC TAMIL VOWEL SIGN AU)

Categories

(Core :: Layout: Text and Fonts, defect)

x86
Windows XP
defect
Not set
critical

Tracking


VERIFIED FIXED

People

(Reporter: black_wizard_00, Assigned: smontagu)

References

Details

(Keywords: regression, verified1.9.0.2, verified1.9.1)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0 LG_UA AD_LOGON=LGE.NET;
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0 LG_UA AD_LOGON=LGE.NET;

Firefox crashes every time it tries to handle a string of a particular Tamil character, specifically "ௌ": when Firefox encounters a page with more than 25 consecutive "ௌ"s, or when you try to enter more than 25 consecutive "ௌ" in any text area (including the address bar, search bar, etc.).

The crash only occurs if there are over 25 consecutive "ௌ"s. That is to say, if you were to place a space after the 25th one and enter another "ௌ", it will be fine.

Reproducible: Always

Steps to Reproduce:
There are many steps to recreate this problem.

1. Create a document with 26 (or more) consecutive "ௌ" (without quotation marks.)
2. Try to view it in firefox.

Or:

1. In your address bar (or any other text field) enter "ௌ" 26 times. (It will crash as soon as the 26th one has been entered)

Or: 

1. Create a text document and enter 26 or more consecutive "ௌ". 
2. Copy the string.
3. Try to paste it into any text field in Firefox.
Actual Results:  
Firefox crashes instantly. 

Expected Results:  
Not crash.

Or at least display some kind of warning as to what happened. The crash is instantaneous, and the user is given no warning whatsoever.

This bug can be exploited in any forum or web page to make Firefox crash as soon as the string of characters is loaded.

I have only checked this on a Windows machine, but will check to see if the same thing happens in Linux (Ubuntu) during the weekend.
Component: General → Layout: Fonts and Text
Product: Firefox → Core
QA Contact: general → layout.fonts-and-text
Related to bug 444452?
Attached patch: Patch
Attachment #330197 - Flags: review?
Attachment #330197 - Flags: review? → review?(pavlov)
This is a regression from bug 394691:

             if (rv == E_OUTOFMEMORY) {
-                mGlyphs.AddElemCapacity(mMaxGlyphs);
-                mAttr.AddElemCapacity(mMaxGlyphs);
+                mGlyphs.SetLength(mMaxGlyphs);
+                mAttr.SetLength(mMaxGlyphs);
                 mMaxGlyphs *= 2;
                 continue;
             }
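Review bot: the hunk calls SetLength(mMaxGlyphs) on mGlyphs and mAttr before mMaxGlyphs *= 2, so the arrays are resized to the current value while the retry continues with the doubled one; if the retried call is handed mMaxGlyphs as the output buffer size, the buffers are half of what is advertised. Please confirm that the retried call sizes its buffers from the arrays' Length() (or move the doubling above the two SetLength calls), and note for the record why SetLength rather than AddElemCapacity is the fix: growing capacity alone leaves Length() unchanged for any consumer that indexes by it, which matches the crash at 26 consecutive U+0BCC. The crashtest requested later in this bug should land together with the change.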
Assignee: nobody → smontagu
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9.0.2?
Blocks: 394691
Flags: blocking1.9.1?
Summary: Firefox crashes when it meets over 25 "ௌ". → Firefox crashes when it meets over 25 "ௌ". (U+0BCC TAMIL VOWEL SIGN AU)
Flags: blocking1.9.0.2? → blocking1.9.0.2+
Keywords: regression
Stuart, can we get this reviewed? It's a blocker for 1.9.0.2.
Attachment #330197 - Flags: review?(pavlov) → review+
Checked in with crashtest. http://hg.mozilla.org/index.cgi/mozilla-central/rev/4e59007070b6
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment on attachment 330197 (Patch)

Asking approval for 1.9.0.2. This is a very simple fix for a crash, with no risk.
Attachment #330197 - Flags: approval1.9.0.2?
Comment on attachment 330197 (Patch)

Approved for 1.9.0.2. Please land in CVS. a=ss

Be sure to land the crash test as well.
Attachment #330197 - Flags: approval1.9.0.2? → approval1.9.0.2+
Checked into 1.9.0 branch with test.
Keywords: fixed1.9.0.2
Duplicate of this bug: 451093
verified with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.2) Gecko/2008082911 Firefox/3.0.2

also assuming the crash test has passed for the past two weeks.
Flags: blocking1.9.1? → blocking1.9.1+
Has this been pushed to 1.9.1 and trunk yet?
adesai@mozilla.com: we do not mark bugs with hundreds of keywords for all future versions that contain a fix. We use bugzilla's status fields for trunk and only add keywords for cases where we've *backported* to a branch after it branched from trunk.
Keywords: fixed1.9.1
timeless: Aakash was replacing the fixed1.9.1 keyword he had removed. Please look at a bug's history before judging the person who added a keyword.
Keywords: fixed1.9.1
Verified FIXED: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090331 Minefield/3.6a1pre

and

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090401 Shiretoko/3.5b4pre

timeless, there was just a small hiccup with how it was vetted :). Thanks, Sam.
Status: RESOLVED → VERIFIED