Closed Bug 536560 Opened 15 years ago Closed 15 years ago

Freeze and OOM kill happens in gfxPangoFontGroup::CreateGlyphRunsItemizing, on password input field

Categories

(Core :: DOM: Editor, defect)

1.9.2 Branch
x86
Linux
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: romaxa, Unassigned)

Attachments

(1 file)

aLength=6846128 = mLastLength, which is equal to an uninitialized int value...

#0  nsGenericDOMDataNode::SetTextInternal (this=0x68b848, aOffset=0,
aCount=6846128, aBuffer=0x43b7e010, aLength=6846128, aNotify=1)
content/base/src/nsGenericDOMDataNode.cpp:358
#1  0x40dfa39c in nsGenericDOMDataNode::ReplaceData (this=0x68b848, aOffset=0,
aCount=6846128, aData=<value optimized out>)
content/base/src/nsGenericDOMDataNode.cpp:352
#2  0x40e2904c in nsTextNode::ReplaceData (this=0x68b848, offset=0,
count=6846128, arg=@0x43b7e010)
content/base/src/nsTextNode.h:70
#3  0x41027058 in nsTextEditRules::HideLastPWInput (this=0x68b550)
editor/libeditor/text/nsTextEditRules.cpp:1479
#4  0x41027488 in nsTextEditRules::WillDeleteSelection (this=0x68b550,
aSelection=0x68bc08, aCollapsedAction=0, aCancel=0xbe81cfe0, 
   aHandled=0xbe81cfdc)
editor/libeditor/text/nsTextEditRules.cpp:980
#5  0x41028a18 in nsTextEditRules::WillDoAction (this=0x68b550,
aSelection=0x68bc08, aInfo=0x1, aCancel=0x43b7e010, aHandled=0xbe81cfdc)
editor/libeditor/text/nsTextEditRules.cpp:340
#6  0x41023a4c in nsPlaintextEditor::DeleteSelection (this=0x68b460, aAction=0)
editor/libeditor/text/nsPlaintextEditor.cpp:753
#7  0x41027c08 in nsTextEditRules::WillInsertText (this=0x68b550, aAction=2000,
aSelection=<value optimized out>, aCancel=0xbe81d3bc, 
    aHandled=0xbe81d3b8, inString=0xbe81d65c, outString=0xbe81d2f0,
aMaxLength=-1)
editor/libeditor/text/nsTextEditRules.cpp:605
#8  0x41028978 in nsTextEditRules::WillDoAction (this=0x68b550,
aSelection=0x68bc08, aInfo=<value optimized out>, aCancel=0xbe81d3bc, 
    aHandled=0xbe81d3b8)
editor/libeditor/text/nsTextEditRules.cpp:338
#9  0x410237f4 in nsPlaintextEditor::InsertText (this=0x68b460,
aStringToInsert=@0xbe81d65c)
editor/libeditor/text/nsPlaintextEditor.cpp:797
#10 0x40cda8d8 in nsTextControlFrame::SetValue (this=0x68a938, aValue=<value
optimized out>)
layout/forms/nsTextControlFrame.cpp:2689
#11 0x40cdabfc in nsTextControlFrame::SetFormProperty (this=0x68a938,
aName=<value optimized out>, aValue=@0xbe81d854)
layout/forms/nsTextControlFrame.cpp:1896
#12 0x40eb9520 in nsHTMLInputElement::SetValueInternal (this=0x689868,
aValue=@0xbe81d854, aFrame=<value optimized out>, aUserInput=1)


#9  0x410237f4 in nsPlaintextEditor::InsertText (this=0x68b460,
aStringToInsert=@0xbe81d65c)
    at
/home/bifh5/fremantle-arm-prereleased.cs2007q3/work/microb-engine-20091218-1.9.2/editor/libeditor/text/nsPlaintextEditor.cpp:797
797     in
/home/bifh5/fremantle-arm-prereleased.cs2007q3/work/microb-engine-20091218-1.9.2/editor/libeditor/text/nsPlaintextEditor.cpp
(gdb) p ruleInfo
$8 = {<nsRulesInfo> = {_vptr.nsRulesInfo = 0x41663cc0, action = 2000}, inString
= 0xbe81d65c, outString = 0xbe81d2f0, outputFormat = 0x0, 
  maxLength = -1, collapsedAction = 1, bOrdered = 0, entireList = 0, bulletType
= 0x0, alignType = 0x0, blockType = 0x0, insertElement = 0x0}
(gdb) p ruleInfo.inString
$9 = (const nsAString_internal *) 0xbe81d65c
(gdb) p *ruleInfo.inString
$10 = {mData = 0x59bbe0, mLength = 15, mFlags = 65541}
(gdb) p *ruleInfo.outString
$11 = {mData = 0x59bbe0, mLength = 15, mFlags = 65541}
(gdb)
Attachment #419012 - Flags: review?(neil)
Not sure if it is a security problem for 1.9.2? Should we fix it for 1.9.2?
Comment on attachment 419012 [details] [diff] [review]
Initialize mLastStart, and mLastLength

IMHO this should land on the 1.9.2.x branch too.

(I think it's only the length that really needs initialisation.)
Attachment #419012 - Flags: review?(neil) → review+
mLastStart can also be used without initialization.

Fixed
http://hg.mozilla.org/mozilla-central/rev/6ba4460d6140
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
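As an added example (not Mozilla's code and not the patch on attachment 419012), a simplified C++ model of the password-masking state this bug is about: the two members get definite initial values, as the fix does, and HideLastPWInput() additionally clamps the remembered run to the node's text so a stale length can never turn into a multi-megabyte ReplaceData() count. TextNode, PasswordRules and RememberInput are assumed names.

```cpp
// Added example (not Mozilla's code): a simplified model of the nsTextEditRules
// password-masking state behind bug 536560, with the fix (initialized members)
// plus a bounds clamp so a stale run can never become a huge ReplaceData() count.
#include <algorithm>
#include <cstddef>
#include <stdexcept>
#include <string>

// Stand-in for the DOM text node; mirrors the ReplaceData(offset, count, data)
// call seen in frame #2 of the backtrace.
struct TextNode {
    std::string data;
    void ReplaceData(std::size_t offset, std::size_t count, const std::string& s) {
        if (offset > data.size() || count > data.size() - offset)
            throw std::out_of_range("ReplaceData: range outside text");
        data.replace(offset, count, s);
    }
};

struct PasswordRules {
    // The bug: these were left uninitialized, so the first HideLastPWInput()
    // after a delete used garbage as a length (aLength=6846128 in the report).
    // The fix is to give them definite initial values.
    std::size_t mLastStart = 0;
    std::size_t mLastLength = 0;

    // Remember the run of characters that is currently shown in plaintext.
    void RememberInput(std::size_t start, std::size_t length) {
        mLastStart = start;
        mLastLength = length;
    }

    // Mask the remembered run. Returns false when there is nothing to hide.
    bool HideLastPWInput(TextNode& node) {
        if (mLastLength == 0) return false;          // nothing recorded yet
        if (mLastStart >= node.data.size()) {        // stale start past the text
            mLastStart = mLastLength = 0;
            return false;
        }
        // Clamp so a stale length cannot size a buffer beyond the node's text.
        std::size_t n = std::min(mLastLength, node.data.size() - mLastStart);
        node.ReplaceData(mLastStart, n, std::string(n, '*'));
        mLastStart = mLastLength = 0;
        return true;
    }
};
```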
