Bug 564705 - String buffer underflow and crash [@ nsTextBoxFrame::UpdateAccessTitle]
Status: RESOLVED FIXED
Whiteboard: [sg:low UMR]
Keywords: assertion, crash, testcase, verified1.9.2
Product: Core
Classification: Components
Component: XUL
Version: Trunk
Platform: x86_64 Linux
Priority: --
Severity: critical
Assigned To: Timothy Nikkel (:tnikkel)
Blocks: 344486 407584
Reported: 2010-05-09 15:01 PDT by Jesse Ruderman
Modified: 2011-06-13 10:01 PDT
CC: 7 users
Flags: tnikkel: in-testsuite+
status1.9.2: .7-fixed
status1.9.1: .11-fixed


Attachments
testcase (may crash Firefox when loaded) (222 bytes, application/vnd.mozilla.xul+xml)
2010-05-09 15:01 PDT, Jesse Ruderman
no flags
patch (971 bytes, patch)
2010-05-10 13:47 PDT, Timothy Nikkel (:tnikkel)
neil: review+
dveditz: approval1.9.2.7+
dveditz: approval1.9.1.11+

Description Jesse Ruderman 2010-05-09 15:01:35 PDT
Created attachment 444324
testcase (may crash Firefox when loaded)

nsTextBoxFrame::UpdateAccessTitle tried to subtract 1 from 0 and got 2^32-1.

###!!! ASSERTION: index exceeds allowable range: 'i <= mLength', file nsTString.h, line 129

At least on a 64-bit system, a crash immediately follows the assertion.

#5  0x00007f9f2e7b9422 in nsString::CharAt (this=0x7f9f13b78ac8, i=4294967295) at ../../../dist/include/nsTString.h:130
#6  0x00007f9f2e7b9448 in nsString::operator[] (this=0x7f9f13b78ac8, i=4294967295) at ../../../dist/include/nsTString.h:135
#7  0x00007f9f2ec81bcd in nsTextBoxFrame::UpdateAccessTitle (this=0x7f9f13b78a78) at layout/xul/base/src/nsTextBoxFrame.cpp:878
#8  0x00007f9f2ec7fc9e in nsTextBoxFrame::UpdateAccesskey (this=0x7f9f13b78a78, aWeakThis=...)
    at layout/xul/base/src/nsTextBoxFrame.cpp:264
#9  0x00007f9f2ec82b13 in nsAsyncAccesskeyUpdate::ReflowFinished (this=0x7f9f13b91060) at layout/xul/base/src/nsTextBoxFrame.cpp:224
Comment 1 Jesse Ruderman 2010-05-09 15:05:45 PDT
Reported on 64-bit Linux.  I can't reproduce even the assertion on 32-bit Mac.
Comment 2 Timothy Nikkel (:tnikkel) 2010-05-10 13:47:47 PDT
Created attachment 444469
patch

The title consists of only the ellipsis, so the offset is zero, and we check the character before to see if it is a space. If we are at the start then we don't want to insert a separating space.
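An added illustration of the underflow described in this comment and of the guard the patch applies. This is standalone example code written for this page, not Gecko's nsTextBoxFrame code: the functions AccessKeyOffset, InsertAccessKeyUnchecked and InsertAccessKeyChecked, and the bounds-checked CharAt stand-in for nsString::CharAt, are assumptions modelled on the behaviour the comments and stack trace describe (access key inserted before a trailing ellipsis, preceded by a space unless one is already there).

```cpp
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// Stand-in for nsString::CharAt (assumption): enforces the same
// 'i <= mLength' range check that fired as an assertion in the report.
// The index is uint32_t so that 0 - 1 wraps to 4294967295, the value
// seen in the stack trace, instead of being silently accepted.
static char CharAt(const std::string& s, uint32_t i) {
    if (i > s.length()) {
        throw std::out_of_range("index exceeds allowable range: 'i <= mLength'");
    }
    return s[i];  // s[length()] is the terminating '\0', like nsString
}

// Where the access key goes: before a trailing "..." if there is one,
// otherwise at the end. A title that is only the ellipsis yields 0.
static uint32_t AccessKeyOffset(const std::string& title) {
    const std::string ellipsis = "...";
    if (title.length() >= ellipsis.length() &&
        title.compare(title.length() - ellipsis.length(),
                      ellipsis.length(), ellipsis) == 0) {
        return static_cast<uint32_t>(title.length() - ellipsis.length());
    }
    return static_cast<uint32_t>(title.length());
}

// Buggy form (the pre-patch logic as described above): always looks at
// the character before the insertion point, so offset == 0 underflows.
static std::string InsertAccessKeyUnchecked(const std::string& title,
                                            uint32_t offset, char accesskey) {
    std::string marker = std::string("(") + accesskey + ")";
    // offset - 1 wraps to 0xFFFFFFFF when offset is 0.
    if (CharAt(title, offset - 1) != ' ') {
        marker = " " + marker;
    }
    std::string result = title;
    result.insert(offset, marker);
    return result;
}

// Fixed form: at the start of the title there is no preceding character
// to test and no separating space is wanted, so skip the lookup.
static std::string InsertAccessKeyChecked(const std::string& title,
                                          uint32_t offset, char accesskey) {
    std::string marker = std::string("(") + accesskey + ")";
    if (offset > 0 && CharAt(title, offset - 1) != ' ') {
        marker = " " + marker;
    }
    std::string result = title;
    result.insert(offset, marker);
    return result;
}

// Demonstrates that the unchecked form trips the range check on the
// ellipsis-only title from the testcase.
static bool UncheckedThrowsAtStart() {
    try {
        InsertAccessKeyUnchecked("...", 0, 'O');
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

int main() {
    std::cout << InsertAccessKeyChecked("Open...", AccessKeyOffset("Open..."), 'O') << "\n";
    std::cout << InsertAccessKeyChecked("Open ...", AccessKeyOffset("Open ..."), 'O') << "\n";
    std::cout << InsertAccessKeyChecked("...", AccessKeyOffset("..."), 'O') << "\n";
    std::cout << (UncheckedThrowsAtStart() ? "unchecked form: range check fired at offset 0"
                                           : "unchecked form: no error") << "\n";
    return 0;
}
```

Without the range check in CharAt, the wrapped index is a read far outside the buffer, which is why the release build crashes instead of asserting; the `offset > 0` guard removes the read entirely rather than relying on the check to catch it.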
Comment 3 Timothy Nikkel (:tnikkel) 2010-05-11 20:05:09 PDT
Landed
http://hg.mozilla.org/mozilla-central/rev/e40cbab6a972

but backed out because something in the push was causing orange
http://hg.mozilla.org/mozilla-central/rev/01befa5163ee
Comment 4 Timothy Nikkel (:tnikkel) 2010-05-13 15:39:53 PDT
http://hg.mozilla.org/mozilla-central/rev/f0c737a853ac
Comment 5 Daniel Veditz [:dveditz] 2010-06-11 15:46:05 PDT
Comment on attachment 444469
patch

Approved for 1.9.2.6 and 1.9.1.11, a=dveditz for release-drivers
Comment 6 Timothy Nikkel (:tnikkel) 2010-06-14 15:16:29 PDT
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/9b99125fac02
Comment 7 Timothy Nikkel (:tnikkel) 2010-06-14 16:15:20 PDT
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e99ea6fb56e7
Comment 8 Al Billings [:abillings] 2010-06-22 17:25:21 PDT
Verified for 1.9.2 on 64-bit Ubuntu 10.4 with Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.6pre) Gecko/20100622 Namoroka/3.6.6pre. Crashes the 1.9.2.4 release with attached testcase.
Comment 9 Timothy Nikkel (:tnikkel) 2010-10-08 12:14:49 PDT
Added crashtest
http://hg.mozilla.org/mozilla-central/rev/ec7b4a08a04e
