Created attachment 384546 [details] testcase ###!!! ASSERTION: Should have been cleared: 'mBreakSinks.IsEmpty()', file layout/generic/nsTextFrameThebes.cpp, line 648 ###!!! ASSERTION: Should have Reset() before destruction!: 'mCurrentWord.Length() == 0', file content/base/src/nsLineBreaker.cpp, line 51 ###!!! ASSERTION: invalid array index: 'i < Length()', file nsTArray.h, line 317 ###!!! ASSERTION: Hmm, something went wrong, aOffset should have been found: 'mGlyphRuns[start].mCharacterOffset <= aOffset', file gfx/thebes/src/gfxFont.cpp, line 2189 Security-sensitive because the "invalid array index" assertion is in an unchecked array access function.
Created attachment 428646 [details] [diff] [review] fix We need to flush out break sinks etc even if there are no mapped flows. In this testcase, the textrun finishes after the T (since it's in a float by itself) so we exit too early from FlushFrames. Flushing out the break sinks is needed so that we tell the text-transform textrun where the capitalized characters are.
Created attachment 428648 [details] simpler testcase This testcase is simpler but still fires the first assertion.
http://hg.mozilla.org/mozilla-central/rev/9c24556c14c3 I checked in my simple testcase, which doesn't lead directly to a security issue.
Comment on attachment 428646 [details] [diff] [review] fix Patch should apply to all 1.9.x branches.
Comment on attachment 428646 [details] [diff] [review] fix a=beltzner for all branches
Checked into 1.9.0.
I backed this out of 1.9.0 because it caused crashes there. Is it worth figuring those out, or should we just leave this unfixed on 1.9.0?
Comment on attachment 428646 [details] [diff] [review] fix I'm fine to leave these unfixed, yeah. It does mean we can't open up this bug for a while longer, though.
Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168pre) Gecko/20100311 Shiretoko/3.5.9pre (.NET CLR 3.5.30729) using testcase. Verified for 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:22.214.171.124pre) Gecko/20100315 Namoroka/3.6.3pre (.NET CLR 3.5.30729). (This was built just after the release branch was cut but before any checkins were made so it is the same as 126.96.36.199.)