Last Comment Bug 671799 - Crash [@ nsUserFontSet::LogMessage] with data: URL
: Crash [@ nsUserFontSet::LogMessage] with data: URL
: crash, regression, testcase
Product: Core
Classification: Components
Component: Graphics (show other bugs)
: Trunk
: x86_64 Windows 7
: -- critical (vote)
: ---
Assigned To: Jonathan Kew (:jfkthame)
Depends on:
Blocks: 594645 494130
  Show dependency treegraph
Reported: 2011-07-14 23:58 PDT by Jesse Ruderman
Modified: 2011-07-15 08:23 PDT (History)
4 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

testcase (crashes Firefox when loaded) (131 bytes, text/html)
2011-07-14 23:58 PDT, Jesse Ruderman
no flags Details
patch, check whether mURI is null (1.10 KB, patch)
2011-07-15 01:04 PDT, Jonathan Kew (:jfkthame)
jd.bugzilla: review+
Details | Diff | Splinter Review
crashtests (1.27 KB, patch)
2011-07-15 07:49 PDT, Jonathan Kew (:jfkthame)
bzbarsky: review+
Details | Diff | Splinter Review

Description Jesse Ruderman 2011-07-14 23:58:40 PDT
Created attachment 546105 [details]
testcase (crashes Firefox when loaded)
Comment 1 Jonathan Kew (:jfkthame) 2011-07-15 01:04:20 PDT
Created attachment 546116 [details] [diff] [review]
patch, check whether mURI is null

The problem arises because when a relative URI is used in a data: document, it fails to resolve (naturally), which leaves mURI null in the font-face source. Solution is to check before trying to retrieve the spec, and provide a generic placeholder if not available. (I'm not sure if there are other cases where mURI could be null, but this should protect us from them however it arises.)
Comment 2 Boris Zbarsky [:bz] 2011-07-15 07:20:58 PDT
There are other cases where mURI could be null.  For example, "http://spaces in hostname/".

Might be worth it to add a crashtest.
Comment 3 Jonathan Kew (:jfkthame) 2011-07-15 07:32:12 PDT

I'll put together crashtests based on the examples in comment #0 and comment #2.
Comment 4 Jonathan Kew (:jfkthame) 2011-07-15 07:49:33 PDT
Created attachment 546154 [details] [diff] [review]

These testcases both hit the "null mURI" path in the @font-face load-failure logging code.
Comment 5 Boris Zbarsky [:bz] 2011-07-15 07:50:37 PDT
Comment on attachment 546154 [details] [diff] [review]

Comment 6 Jonathan Kew (:jfkthame) 2011-07-15 07:55:19 PDT
Pushed crashtests:

Note You need to log in before you can comment on or make changes to this bug.