String buffer underflow and crash [@ nsTextBoxFrame::UpdateAccessTitle]

RESOLVED FIXED

Status

Core
XUL
--
critical
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: tnikkel)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86_64
Linux
assertion, crash, testcase, verified1.9.2
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(status1.9.2 .7-fixed, status1.9.1 .11-fixed)

Details

(Whiteboard: [sg:low UMR], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
Created attachment 444324 [details]
testcase (may crash Firefox when loaded)

nsTextBoxFrame::UpdateAccessTitle tried to subtract 1 from 0 and got 2^32-1.

###!!! ASSERTION: index exceeds allowable range: 'i <= mLength', file nsTString.h, line 129

At least on a 64-bit system, a crash immediately follows the assertion.  

#5  0x00007f9f2e7b9422 in nsString::CharAt (this=0x7f9f13b78ac8, i=4294967295) at ../../../dist/include/nsTString.h:130
#6  0x00007f9f2e7b9448 in nsString::operator[] (this=0x7f9f13b78ac8, i=4294967295) at ../../../dist/include/nsTString.h:135
#7  0x00007f9f2ec81bcd in nsTextBoxFrame::UpdateAccessTitle (this=0x7f9f13b78a78) at layout/xul/base/src/nsTextBoxFrame.cpp:878
#8  0x00007f9f2ec7fc9e in nsTextBoxFrame::UpdateAccesskey (this=0x7f9f13b78a78, aWeakThis=...)
    at layout/xul/base/src/nsTextBoxFrame.cpp:264
#9  0x00007f9f2ec82b13 in nsAsyncAccesskeyUpdate::ReflowFinished (this=0x7f9f13b91060) at layout/xul/base/src/nsTextBoxFrame.cpp:224
(Reporter)

Comment 1

7 years ago
Reported on 64-bit Linux.  I can't reproduce even the assertion on 32-bit Mac.
(Assignee)

Comment 2

7 years ago
Created attachment 444469 [details] [diff] [review]
patch

The title consists of only the ellipsis, so the offset is zero, and we check the character before to see if it is a space. If we are at the start then we don't want to insert a separating space.
Assignee: nobody → tnikkel
Attachment #444469 - Flags: review?(neil)
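To show the underflow this comment and the description refer to, here is an added C++ model (not Mozilla's code; the function names, the "(K)" accesskey text and the three-dot ellipsis stand-in are assumptions): the buggy form computes `offset - 1` with an unsigned offset of 0, and the hardened form checks `offset > 0` before peeking at the previous character.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Stand-ins (assumptions): the real label uses a single ellipsis character and
// the element's accesskey; "..." and "(K)" keep this example plain ASCII.
static const std::string kEllipsis = "...";
static const std::string kAccessKey = "(K)";

// Buggy form: the insertion offset is unsigned, so when the title is nothing
// but the ellipsis (offset == 0) "offset - 1" wraps to 4294967295, the index
// seen in the stack trace. Only the index is returned here so the wrap is
// observable without indexing out of bounds.
uint32_t BuggyPreviousIndex(const std::string& title) {
  uint32_t offset = static_cast<uint32_t>(title.size() - kEllipsis.size());
  return offset - 1;  // wraps when offset == 0
}

// Hardened form: look at title[offset - 1] only when a previous character
// exists. At the start of the string there is nothing to separate from, so
// no space is inserted.
std::string InsertAccessKey(const std::string& title) {
  if (title.size() < kEllipsis.size()) {
    return title;  // nothing to insert before; also avoids a size_t underflow
  }
  uint32_t offset = static_cast<uint32_t>(title.size() - kEllipsis.size());
  std::string out = title.substr(0, offset);
  if (offset > 0 && title[offset - 1] != ' ') {
    out += ' ';  // separate the accesskey from the preceding text
  }
  out += kAccessKey;
  out += title.substr(offset);  // the ellipsis follows the accesskey
  return out;
}

int main() {
  std::cout << BuggyPreviousIndex("...") << '\n';    // 4294967295
  std::cout << InsertAccessKey("...") << '\n';       // (K)...
  std::cout << InsertAccessKey("Open...") << '\n';   // Open (K)...
  std::cout << InsertAccessKey("Open ...") << '\n';  // Open (K)...
  return 0;
}
```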

Updated

7 years ago
Attachment #444469 - Flags: review?(neil) → review+
(Assignee)

Comment 3

7 years ago
Landed
http://hg.mozilla.org/mozilla-central/rev/e40cbab6a972

but backed out because something in the push was causing orange
http://hg.mozilla.org/mozilla-central/rev/01befa5163ee
(Assignee)

Comment 4

7 years ago
http://hg.mozilla.org/mozilla-central/rev/f0c737a853ac
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
(Assignee)

Updated

7 years ago
Attachment #444469 - Flags: approval1.9.2.5?
Attachment #444469 - Flags: approval1.9.1.11?
(Assignee)

Updated

7 years ago
Blocks: 407584
Attachment #444469 - Flags: approval1.9.2.5?
Attachment #444469 - Flags: approval1.9.2.5+
Attachment #444469 - Flags: approval1.9.1.11?
Attachment #444469 - Flags: approval1.9.1.11+
Comment on attachment 444469 [details] [diff] [review]
patch

Approved for 1.9.2.6 and 1.9.1.11, a=dveditz for release-drivers
(Assignee)

Comment 6

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/9b99125fac02
status1.9.1: --- → .11-fixed
(Assignee)

Comment 7

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e99ea6fb56e7
status1.9.2: --- → .6-fixed
Attachment #444469 - Flags: approval1.9.2.5+ → approval1.9.2.6+
Verified for 1.9.2 on 64-bit Ubuntu 10.4 with Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.6pre) Gecko/20100622 Namoroka/3.6.6pre. Crashes the 1.9.2.4 release with attached testcase.
Keywords: verified1.9.2
Group: core-security
(Assignee)

Comment 9

7 years ago
Added crashtest
http://hg.mozilla.org/mozilla-central/rev/ec7b4a08a04e
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsTextBoxFrame::UpdateAccessTitle]