Closed Bug 454345 Opened 16 years ago Closed 16 years ago

Crash [@ BuildTextRunsScanner::BreakSink::SetBreaks], with really large word-spacing value

Categories: Core :: Layout: Text and Fonts
Type: defect; Priority: Not set; Severity: critical
Status: RESOLVED WORKSFORME
People: Reporter: jruderman, Unassigned
Keywords: crash, testcase; Whiteboard: [sg:critical?]
Attachments: 2 files

Usually crashes dereferencing 0xc000000b, so it could be exploitable (note the leading digit 'c').
Does not affect Firefox 2/Gecko 1.8.1.x

I did not crash on Firefox 3.0.x, but I got several worrying assertions:

###!!! ASSERTION: nscoord subtraction will reach or pass nscoord_MIN: '(PRInt64)a - (PRInt64)b > (PRInt64)nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 211
###!!! ASSERTION: NSCoordSaturatingSubtract got nscoord_MIN as argument: 'a != nscoord_MIN && b != nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 187
###!!! ASSERTION: nscoord subtraction will reach or pass nscoord_MIN: '(PRInt64)a - (PRInt64)b > (PRInt64)nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 211
###!!! ASSERTION: NSCoordSaturatingSubtract got nscoord_MIN as argument: 'a != nscoord_MIN && b != nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 187
###!!! ASSERTION: nscoord subtraction will reach or pass nscoord_MIN: '(PRInt64)a - (PRInt64)b > (PRInt64)nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 211
###!!! ASSERTION: NSCoordSaturatingSubtract got nscoord_MIN as argument: 'a != nscoord_MIN && b != nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 187
###!!! ASSERTION: nscoord subtraction will reach or pass nscoord_MIN: '(PRInt64)a - (PRInt64)b > (PRInt64)nscoord_MIN', file ../../dist/include/gfx\nsCoord.h, line 211
Flags: wanted1.9.0.x?
Flags: wanted1.8.1.x-
Flags: wanted1.9.0.x? → wanted1.9.0.x+
I can't get this to repro either. But marking [sg:critical?] for now until we figure out repro issues.
Whiteboard: [sg:critical?]
Still crashes for me on trunk.

Doesn't crash for me on 3.0.x.  I don't find those assertions especially worrying, since they indicate problems with widths and heights rather than with pointers.
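The assertions quoted in the report come from saturating coordinate arithmetic: Gecko layout widths are 32-bit app units, and nscoord_MIN is a reserved sentinel that a subtraction must neither reach nor pass. The following C program is an added example written for this page, not Mozilla's code; it models that arithmetic to show how a huge word-spacing value, subtracted once per gap, first trips the "will reach or pass nscoord_MIN" check and, one gap later, the "got nscoord_MIN as argument" check. The sentinel values, the 60 app-units-per-CSS-pixel ratio, and the clamping behaviour are assumptions of the model, not Gecko's actual NSCoordSaturatingSubtract semantics.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of nscoord arithmetic (added example, not Mozilla's code).
 * nscoord is a 32-bit app unit; nscoord_MIN is the reserved sentinel named in
 * the quoted assertions. Sentinel values and the pixel ratio are assumptions. */
typedef int32_t nscoord;
#define NSCOORD_MAX INT32_MAX
#define NSCOORD_MIN (-INT32_MAX)      /* assumed: INT32_MIN itself stays unused */
#define APP_UNITS_PER_CSS_PIXEL 60

/* Convert a CSS pixel length (e.g. a word-spacing value) to app units,
 * saturating instead of overflowing the 32-bit coordinate. */
nscoord css_px_to_nscoord(double css_px) {
    double units = css_px * APP_UNITS_PER_CSS_PIXEL;
    if (units >= (double)NSCOORD_MAX) return NSCOORD_MAX;
    if (units <= (double)NSCOORD_MIN) return NSCOORD_MIN;
    return (nscoord)units;
}

/* The first quoted assertion as a predicate: true when the 64-bit difference
 * reaches or passes nscoord_MIN, i.e. when a plain 32-bit subtraction would
 * be unsafe. Mirrors '(PRInt64)a - (PRInt64)b > (PRInt64)nscoord_MIN'. */
bool subtraction_reaches_min(nscoord a, nscoord b) {
    return !((int64_t)a - (int64_t)b > (int64_t)NSCOORD_MIN);
}

/* The second quoted assertion: a saturated sentinel must not be fed back in
 * as an operand ('a != nscoord_MIN && b != nscoord_MIN'). */
bool operand_is_min_sentinel(nscoord a, nscoord b) {
    return a == NSCOORD_MIN || b == NSCOORD_MIN;
}

/* Saturating subtraction: compute a - b in 64 bits and clamp into
 * [nscoord_MIN, nscoord_MAX]. *clamped reports whether clamping happened,
 * which is the point at which a debug build would have asserted. */
nscoord saturating_subtract(nscoord a, nscoord b, bool *clamped) {
    int64_t wide = (int64_t)a - (int64_t)b;
    *clamped = false;
    if (wide <= (int64_t)NSCOORD_MIN) { *clamped = true; return NSCOORD_MIN; }
    if (wide > (int64_t)NSCOORD_MAX)  { *clamped = true; return NSCOORD_MAX; }
    return (nscoord)wide;
}

/* Width left on a line after `gaps` word-spacing gaps, as a layout loop would
 * compute it. *first_clamped_gap is the index of the gap where the result was
 * first clamped (-1 if never); *sentinel_reused is set when a clamped
 * nscoord_MIN is later used as an operand, i.e. the second assertion. */
nscoord remaining_after_gaps(nscoord available, double word_spacing_css_px, int gaps,
                             int *first_clamped_gap, bool *sentinel_reused) {
    nscoord gap = css_px_to_nscoord(word_spacing_css_px);
    nscoord remaining = available;
    *first_clamped_gap = -1;
    *sentinel_reused = false;
    for (int i = 0; i < gaps; i++) {
        if (operand_is_min_sentinel(remaining, gap)) *sentinel_reused = true;
        bool clamped;
        remaining = saturating_subtract(remaining, gap, &clamped);
        if (clamped && *first_clamped_gap < 0) *first_clamped_gap = i;
    }
    return remaining;
}

int main(void) {
    /* Constructed input: an 800px line, three gaps, two spacing values. */
    nscoord line = css_px_to_nscoord(800.0);
    int first_clamped;
    bool reused;

    nscoord left = remaining_after_gaps(line, 4.0, 3, &first_clamped, &reused);
    printf("word-spacing 4px:    remaining=%d first_clamped_gap=%d sentinel_reused=%d\n",
           left, first_clamped, reused);

    left = remaining_after_gaps(line, 1e10, 3, &first_clamped, &reused);
    printf("word-spacing 1e10px: remaining=%d first_clamped_gap=%d sentinel_reused=%d\n",
           left, first_clamped, reused);
    return 0;
}
```

With the absurd spacing, the first gap already drives the remaining width to roughly -2^31 without quite reaching the sentinel, the second gap clamps to nscoord_MIN (the first assertion), and the third gap receives nscoord_MIN as an operand (the second assertion). That sequence matches the alternating pair of assertion messages in the report and is why the comment above reads them as width and height trouble rather than a pointer problem: the values are wrong but the arithmetic itself stays in bounds.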
Testcase crashes for me on my Linux mozilla-central debug build, after a bunch of "nscoord addition/subtraction will reach or pass nscoord_MIN" assertion failures.

Platform --> All/All
OS: Mac OS X → All
Hardware: PC → All
Here's a backtrace of my crash on Linux.

The lowest level, nsTextFrameThebes.cpp:699, is:
699         if (mTextRun->SetPotentialLineBreaks( [SNIP]

and at that point, mTextRun points to already-deleted data, so we crash. (When I print its contents, I get lots of 0x5a5a5a5a pointers)
Summary: Crash [@ BuildTextRunsScanner::BreakSink::SetBreaks] → Crash [@ BuildTextRunsScanner::BreakSink::SetBreaks], with really large word-spacing value
Can't reproduce on 64bit linux trunk, but 1.9.1 still crashes.
32 bit linux trunk is ok, so is OSX trunk.
So maybe the branch is just missing some patch.

Might be useful to find what has fixed this.
The testcase doesn't crash for me at all, when using the older builds, starting from 2008-09-08, nor using the latest 1.9.1 build. This is on Windows.
WFM.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ BuildTextRunsScanner::BreakSink::SetBreaks]
Group: core-security → core-security-release
Group: core-security-release