Closed Bug 483346 Opened 15 years ago Closed 15 years ago

Assertions/crashes with <input type=image>, rtl, wrapping

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:investigate])

Attachments

(2 files)

testcase 1: "bad index" assertion and crash
605 bytes, application/xhtml+xml
Details
testcase 2: "SetMayHaveFrame failed" assertion
603 bytes, application/xhtml+xml
Details 
I can't get this to do anything other than dereference null, but it has a bad vibe, so I'm filing it as security-sensitive.

###!!! ASSERTION: bad index: 'PRUint32(aIndex) < mState.mLength', file /Users/jruderman/central/layout/base/../../content/base/src/nsTextFragment.h, line 186

Crash [@ nsTextFragment::CharAt]
###!!! ASSERTION: SetMayHaveFrame failed?: 'mContent->MayHaveFrame()', file /Users/jruderman/central/layout/generic/nsFrame.cpp, line 393
The root of the problems here seems to be that after deleteContents, GetContentOffset and GetContentLength lie.
Whiteboard: [sg:investigate]
I don't get any assertions or crashes with a recent Linux debug build on either testcase.
WFM on Mac, too.  (Tested using post-1.9.2-branch mozilla-central.)
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: