Closed Bug 473278 Opened 16 years ago Closed 15 years ago

Crash [@ nsRect::nsRect] with MathML, clip-path, transform

Categories

(Core :: MathML, defect)

Product:
Core
Component:
MathML
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos] null deref)

Crash Data

Attachments

(2 files)

testcase (crashes Firefox when loaded)
205 bytes, application/xhtml+xml
Details
stack trace
9.03 KB, text/plain
Details
Null deref [@ nsRect::nsRect]
Attached file stack trace
Related to bug 467914?
Here's !exploitable output from WinDbg: 0:000> !exploitable Exploitability Classification: UNKNOWN Recommended Bug Title: Data from Faulting Address may be used as a return value starting at gkgfx!nsRect::nsRect+0x25 (Hash=0x6536375b.0x645b3f71) The data from the faulting address may later be used as a return value from this function.
See bug 467914 comment 1 for cause and I think bug 467914 comment 2 has the cure too.
Depends on: 467914
Whiteboard: [sg:dos] null deref
No longer depends on: 467914
WFM. I'll add a crashtest soon.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Crashtest: http://hg.mozilla.org/mozilla-central/rev/282da8ca07f3
Flags: in-testsuite+
Crash Signature: [@ nsRect::nsRect]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: