Bug 454345 - Crash [@ BuildTextRunsScanner::BreakSink::SetBreaks], with really large word-spacing value
Status: Closed, RESOLVED WORKSFORME
Opened 16 years ago; closed 16 years ago
Product/Component: Core :: Layout: Text and Fonts (defect)
People: Reporter jruderman; Unassigned
Keywords: crash, testcase; Whiteboard: [sg:critical?]
Attachments: 2 files
Description:
Usually crashes dereferencing 0xc000000b, so it could be exploitable (note the leading digit 'c').
Comment 1 • 16 years ago
Does not affect Firefox 2/Gecko 1.8.1.x.

I did not crash on Firefox 3.0.x, but I got several worrying assertions:

###!!! ASSERTION: nscoord subtraction will reach or pass nscoord_MIN: '(PRInt64)a - (PRInt64)b > (PRInt64)nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 211
###!!! ASSERTION: NSCoordSaturatingSubtract got nscoord_MIN as argument: 'a != nscoord_MIN && b != nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 187
###!!! ASSERTION: nscoord subtraction will reach or pass nscoord_MIN: '(PRInt64)a - (PRInt64)b > (PRInt64)nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 211
###!!! ASSERTION: NSCoordSaturatingSubtract got nscoord_MIN as argument: 'a != nscoord_MIN && b != nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 187
###!!! ASSERTION: nscoord subtraction will reach or pass nscoord_MIN: '(PRInt64)a - (PRInt64)b > (PRInt64)nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 211
###!!! ASSERTION: NSCoordSaturatingSubtract got nscoord_MIN as argument: 'a != nscoord_MIN && b != nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 187
###!!! ASSERTION: nscoord subtraction will reach or pass nscoord_MIN: '(PRInt64)a - (PRInt64)b > (PRInt64)nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 211
Flags: wanted1.9.0.x?
Flags: wanted1.8.1.x-
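The two assertion conditions quoted in comment 1 are worth seeing as code, because the way they are written (widening both operands to 64 bits before comparing) is exactly what makes the check reliable when a word-spacing value is near the limit of the coordinate type. The block below is an added example for this thread, not Mozilla's nsCoord.h: the names nscoord, nscoord_MIN and nscoord_MAX mirror the assertion text, but the idea that nscoord_MIN is a reserved sentinel, the high-side clamp and the status enum are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not Mozilla's nsCoord.h. It reconstructs the two guard
 * conditions quoted in comment 1 as a checked subtraction over a 32-bit
 * layout coordinate type. Names mirror the assertion text; the sentinel
 * semantics of nscoord_MIN and the high-side clamp are assumptions. */
typedef int32_t nscoord;
#define nscoord_MAX INT32_MAX
#define nscoord_MIN INT32_MIN   /* assumed reserved sentinel, never a real width */

typedef enum {
  SUB_OK,             /* representable result */
  SUB_SENTINEL_ARG,   /* violates 'a != nscoord_MIN && b != nscoord_MIN' */
  SUB_REACHES_MIN,    /* violates '(PRInt64)a - (PRInt64)b > (PRInt64)nscoord_MIN' */
  SUB_SATURATED_MAX   /* assumption: symmetric clamp on the high side */
} sub_status;

/* Widen to 64 bits before subtracting: a plain int32 subtraction of a huge
 * word-spacing would wrap (signed overflow is undefined behaviour in C),
 * while the 64-bit difference can be compared against the limits exactly. */
static sub_status saturating_subtract(nscoord a, nscoord b, nscoord *out) {
  if (a == nscoord_MIN || b == nscoord_MIN) {
    *out = nscoord_MIN;
    return SUB_SENTINEL_ARG;
  }
  int64_t diff = (int64_t)a - (int64_t)b;
  if (diff <= (int64_t)nscoord_MIN) {
    *out = nscoord_MIN + 1;            /* smallest value that is not the sentinel */
    return SUB_REACHES_MIN;
  }
  if (diff > (int64_t)nscoord_MAX) {
    *out = nscoord_MAX;
    return SUB_SATURATED_MAX;
  }
  *out = (nscoord)diff;
  return SUB_OK;
}

/* Convenience wrappers so each outcome is a single return value. */
static sub_status sub_status_of(nscoord a, nscoord b) {
  nscoord r;
  return saturating_subtract(a, b, &r);
}
static nscoord sub_value_of(nscoord a, nscoord b) {
  nscoord r;
  saturating_subtract(a, b, &r);
  return r;
}

int main(void) {
  /* Constructed inputs: a normal width, then an available width minus a
   * word-spacing as large as the coordinate type allows. */
  nscoord pairs[][2] = { {10, 3}, {0, nscoord_MAX}, {-1, nscoord_MAX},
                         {5, nscoord_MIN}, {nscoord_MAX, -1} };
  for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
    nscoord r;
    sub_status s = saturating_subtract(pairs[i][0], pairs[i][1], &r);
    printf("%11d - %11d -> %11d (status %d)\n",
           pairs[i][0], pairs[i][1], r, (int)s);
  }
  return 0;
}
```

The point of the status value is that a layout engine (or a fuzzing harness built around one) can tell a harmless clamp apart from the two conditions the assertions flag, instead of silently continuing with a wrapped width as a release build would.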
Updated • 16 years ago
Flags: wanted1.9.0.x? → wanted1.9.0.x+
Comment 2 • 16 years ago
I can't get this to repro either. But marking [sg:critical?] for now until we figure out repro issues.
Updated • 16 years ago (Reporter)
Whiteboard: [sg:critical?]
Comment 3 • 16 years ago (Reporter)
Still crashes for me on trunk. Doesn't crash for me on 3.0.x. I don't find those assertions especially worrying, since they indicate problems with widths and heights rather than with pointers.
Comment 4 • 16 years ago
Testcase crashes for me on my Linux mozilla-central debug build, after a bunch of "nscoord addition/subtraction will reach or pass nscoord_MIN" assertion failures.

Platform --> All/All
OS: Mac OS X → All
Hardware: PC → All
Comment 5 • 16 years ago
Here's a backtrace of my crash on Linux. The lowest level, nsTextFrameThebes.cpp:699, is:

    699 if (mTextRun->SetPotentialLineBreaks(
    [SNIP]

and at that point, mTextRun points to already-deleted data, so we crash. (When I print its contents, I get lots of 0x5a5a5a5a pointers)
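Comment 5 identifies the crash as a read through a stale mTextRun by the 0x5a5a5a5a values it finds in the object: a debug allocator that fills freed memory with 0x5a turns a dangling pointer into a recognisable pattern rather than plausible-looking data. The block below is an added example for this thread, not Gecko code; the arena allocator, the text_run layout, LIVE_MAGIC and the field names are all constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Gecko code. It models the diagnostic in comment 5:
 * when freed memory is filled with 0x5a, a read through a dangling pointer
 * returns 0x5a5a5a5a words, which is how the stale mTextRun was recognised.
 * The arena, the text_run layout and LIVE_MAGIC are constructed for the demo. */
#define POISON_BYTE 0x5a
#define POISON_WORD 0x5a5a5a5aU
#define LIVE_MAGIC  0x7e8741a0U
#define ARENA_SIZE  1024

/* Toy bump allocator over one malloc'd block. Freed objects are scrubbed
 * and never reused, so reading the scrubbed bytes afterwards is defined
 * behaviour here (on a real heap that read is undefined). */
static unsigned char *arena;
static size_t arena_used;

static void *poisoned_alloc(size_t size) {
  if (!arena) arena = malloc(ARENA_SIZE);
  size = (size + 15) & ~(size_t)15;              /* keep 16-byte alignment */
  if (!arena || arena_used + size > ARENA_SIZE) return NULL;
  void *p = arena + arena_used;
  arena_used += size;
  return p;
}

static void poisoned_free(void *p, size_t size) {
  memset(p, POISON_BYTE, size);                  /* scrub on free */
}

/* Hypothetical stand-in for the object mTextRun points at. */
typedef struct {
  uint32_t magic;        /* LIVE_MAGIC while the object is alive */
  uint32_t break_count;
  uint32_t *breaks;
} text_run;

static text_run *text_run_new(uint32_t n) {
  text_run *r = poisoned_alloc(sizeof *r);
  if (!r) return NULL;
  r->magic = LIVE_MAGIC;
  r->break_count = n;
  r->breaks = poisoned_alloc(n * sizeof(uint32_t));
  return r;
}

static void text_run_delete(text_run *r) {
  if (r->breaks) poisoned_free(r->breaks, r->break_count * sizeof(uint32_t));
  poisoned_free(r, sizeof *r);
}

/* The check done by eye in comment 5: a field that reads as 0x5a5a5a5a
 * almost certainly came from freed memory. */
static bool word_is_poison(uint32_t w) { return w == POISON_WORD; }

static bool text_run_looks_freed(const text_run *r) {
  return word_is_poison(r->magic) && word_is_poison(r->break_count);
}

/* Allocate, confirm the object looks live, delete it, then inspect it again
 * through the now-dangling pointer; true when the poison exposes the bug. */
static bool demo_detects_dangling(void) {
  text_run *run = text_run_new(4);
  if (!run) return false;
  bool live_ok = !text_run_looks_freed(run);
  text_run_delete(run);
  return live_ok && text_run_looks_freed(run);
}

int main(void) {
  printf("dangling text_run detected: %s\n",
         demo_detects_dangling() ? "yes" : "no");
  return 0;
}
```

The practical lesson from the comment is the triage heuristic: a crash address or a field full of 0x5a bytes in a debug build means the object was already freed, so the investigation should look for the missing lifetime guard (here, whatever dropped the text run before SetBreaks ran) rather than for an arithmetic fault.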
Updated • 16 years ago
Summary: Crash [@ BuildTextRunsScanner::BreakSink::SetBreaks] → Crash [@ BuildTextRunsScanner::BreakSink::SetBreaks], with really large word-spacing value
Comment 6 • 16 years ago
Can't reproduce on 64-bit Linux trunk, but 1.9.1 still crashes. 32-bit Linux trunk is ok, so is OSX trunk. So maybe the branch is just missing some patch. Might be useful to find what has fixed this.
Comment 7 • 16 years ago
The testcase doesn't crash for me at all, when using the older builds, starting from 2008-09-08, nor using the latest 1.9.1 build. This is on Windows.
Comment 8 • 16 years ago (Reporter)
WFM.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Updated • 13 years ago (Assignee)
Crash Signature: [@ BuildTextRunsScanner::BreakSink::SetBreaks]
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 9 years ago
Group: core-security-release