Closed
Bug 483346
Opened 15 years ago
Closed 15 years ago
Assertions/crashes with <input type=image>, rtl, wrapping
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [sg:investigate])
Attachments
(2 files)
I can't get this to do anything other than dereference null, but it has a bad vibe, so I'm filing it as security-sensitive. ###!!! ASSERTION: bad index: 'PRUint32(aIndex) < mState.mLength', file /Users/jruderman/central/layout/base/../../content/base/src/nsTextFragment.h, line 186 Crash [@ nsTextFragment::CharAt]
Reporter | ||
Comment 1•15 years ago
|
||
###!!! ASSERTION: SetMayHaveFrame failed?: 'mContent->MayHaveFrame()', file /Users/jruderman/central/layout/generic/nsFrame.cpp, line 393
Comment 2•15 years ago
|
||
The root of the problems here seems to be that after deleteContents, GetContentOffset and GetContentLength lie.
Reporter | ||
Updated•15 years ago
|
Whiteboard: [sg:investigate]
Comment 3•15 years ago
|
||
I don't get any assertions or crashes with a recent Linux debug build on either testcase.
Reporter | ||
Comment 4•15 years ago
|
||
WFM on Mac, too. (Tested using post-1.9.2-branch mozilla-central.)
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•