Closed Bug 473278 Opened 12 years ago Closed 11 years ago

Crash [@ nsRect::nsRect] with MathML, clip-path, transform

Categories

(Core :: MathML, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: jruderman, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos] null deref)

Crash Data

Attachments

(2 files)

Null deref [@ nsRect::nsRect]
Attached file stack trace
Related to bug 467914?
Here's !exploitable output from WinDbg:

0:000> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address may be used as a return value starting at gkgfx!nsRect::nsRect+0x25 (Hash=0x6536375b.0x645b3f71)

The data from the faulting address may later be used as a return value from this function.
See bug 467914 comment 1 for cause and I think bug 467914 comment 2 has the cure too.
Depends on: 467914
Whiteboard: [sg:dos] null deref
No longer depends on: 467914
WFM.  I'll add a crashtest soon.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Crashtest: http://hg.mozilla.org/mozilla-central/rev/282da8ca07f3
Flags: in-testsuite+
Crash Signature: [@ nsRect::nsRect]
You need to log in before you can comment on or make changes to this bug.