Closed Bug 557736 Opened 15 years ago Closed 15 years ago

gfxFontGroup::ForEachFontInternal mis-parses font-family lists with consecutive commas

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: scook0+bugzilla, Assigned: jfkthame)

Details

Attachments

(3 files, 1 obsolete file)

Example page using <font> elements
321 bytes, text/html
Details
Screenshot of test page in FF 3.6.3 WinXP
32.96 KB, image/png
Details
patch, v1 - ignore empty elements in the font family list
818 bytes, patch
jtd
: review+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.18) Gecko/2010021501 Ubuntu/9.04 (jaunty) Firefox/3.0.18 Build Identifier: If a font-family-list string passed to gfxFontGroup::ForEachFont contains two consecutive commas, the second comma will be treated as part of the following font family name. For example, if the string is "a,,serif", it will be split into "a" and ",serif". This is bad because under normal circumstances nsRuleNode::SetFont will add ",serif" (or ",sans-serif") to the end of the font list it encounters, to ensure that the list contains at least one valid font name. If a <font> element or font-family CSS rule contains a trailing comma, the resulting family list can potentially contain no valid font names. In practice this is offset by the fact that each of the platform-specific font group classes tries pretty hard to never end up with an empty font list, but for custom embeddings/ports that don't do this the result can be a crash. Reproducible: Always Steps to Reproduce: 1. Place a breakpoint in gfxFontGroup::ForEachFontInternal 2. Visit a page containing <span style="font-family: bogus\,;">...</span> 3. Step through the code and observe the values of string variable "family". Actual Results: The family strings produced are "bogus" and ",serif". Expected Results: The family strings should be "bogus" and "serif".
Attached file Example page triggering the mis-parse (obsolete) —
On my system (WinXP, FF 3.6.3), the two spans in the test page are rendered in two different fonts. I originally found this bug when it crashed a custom embedding of mozilla-1.9.0, but the relevant code seems to be unchanged in mozilla-central.
Bugzilla was so clever that it stripped out the protective backslash needed to protect the trailing comma. Hopefully this <font>-based test page should be more robust.
Attachment #437497 - Attachment is obsolete: true
Both elements should look identical, but here they are rendered using different fonts. The first element doesn't attempt to trigger the bug, and renders in "serif". The second triggers the bug and renders in a sans-serif font, which I suspect is the last-ditch default font added in gfxWindowsFontGroup::InitFontList.
Seems like we could fix this trivially by skipping any leading commas, just like skipping inter-fontname spaces.
Assignee: nobody → jfkthame
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #437626 - Flags: review?(jdaggett)
For any people like me who need to fix this in pre-1.9 versions, the corresponding change needs to be made in nsFont::EnumerateFamilies in gfx/src/nsFont.cpp instead. (Actually that code is still in mozilla-central, but I don't know if it's used anywhere.)
Comment on attachment 437626 [details] [diff] [review] patch, v1 - ignore empty elements in the font family list Looks good but I would add a small reftest for this.
Attachment #437626 - Flags: review?(jdaggett) → review+
http://hg.mozilla.org/mozilla-central/rev/997626d0f0f3 I'll add a reftest as a followup.
Pushed reftest based on the testcase in attachment 437499 [details]. http://hg.mozilla.org/mozilla-central/rev/d0d05d2cdcec
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: