Bug 698335 (Closed): "ASSERTION: Invalid offset" with bidi, -moz-column, :first-letter
Opened 13 years ago, closed 12 years ago
Categories: Core :: Layout, defect
Status: RESOLVED FIXED
Target Milestone: mozilla12
Tracking:
Branch | Tracking | Status
---|---|---
firefox9 | --- | affected
firefox10 | --- | affected
firefox11 | --- | affected
firefox12 | --- | verified
status1.9.2 | --- | unaffected
People: Reporter: jruderman, Assigned: smontagu
Details: 4 keywords, Whiteboard: [qa+]
Attachments (3 files):
- 200 bytes, text/html (Details)
- 16.92 KB, text/plain (Details)
- 2.47 KB, patch (Details | Diff | Splinter Review); flags: roc: review+, akeybl: approval-mozilla-aurora-, akeybl: approval-mozilla-beta-
Description (Reporter):

###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file gfx/thebes/gfxSkipChars.cpp, line 92
###!!! ASSERTION: Text run does not map enough text for our reflow: 'gfxSkipCharsIterator(iter).ConvertOriginalToSkipped(offset + length) <= mTextRun->GetLength()', file layout/generic/nsTextFrameThebes.cpp, line 7109
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file gfx/thebes/gfxSkipChars.cpp, line 92
###!!! ASSERTION: unconstrained height on totally empty line: 'NS_UNCONSTRAINEDSIZE != aFloatAvailableSpace.mRect.height', file layout/generic/nsBlockFrame.cpp, line 3686
###!!! ASSERTION: redo line on totally empty line with non-empty band...: 'aFloatAvailableSpace.mHasFloats', file layout/generic/nsBlockFrame.cpp, line 3691

Comment 1 (Reporter) • 13 years ago
Comment 2 • 13 years ago

Is this exploitable or just a DoS/hang? Would more/fewer/different characters change the symptoms?
Assignee: nobody → smontagu
Comment 3 • 13 years ago
smontagu - any update here?
Comment 4 (Assignee) • 12 years ago

This is apparently a regression from making a preformatted newline a new bidi paragraph: we need to test whether there are any fluid continuations even beyond the current paragraph, but children of the same block element, and convert them to non-fluid.
Attachment #588753 - Flags: review?(roc)
Attachment #588753 - Flags: review?(roc) → review+
Comment 5 (Assignee) • 12 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/60add44419ef
Flags: in-testsuite+
OS: Mac OS X → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla12
Comment 6 (Assignee) • 12 years ago
https://hg.mozilla.org/mozilla-central/rev/60add44419ef
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 7 • 12 years ago
Do we need to land this on Aurora as a security bug or did it turn out benign and we can unhide the bug? If it really is a potentially sg:critical bug we maybe shouldn't have called it out in the Platform meeting, especially with a checked-in crashtest.
status1.9.2: --- → unaffected
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox12: --- → fixed
Keywords: regression, regressionwindow-wanted
Comment 8 (Assignee) • 12 years ago
Regression window is http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a666b4f809f0&tochange=953f9620f395, which is not what I expected: possibly bug 578977?
Keywords: regressionwindow-wanted
Comment 9 (Assignee) • 12 years ago

Comment on attachment 588753 [details] [diff] [review] Patch

This doesn't seem exploitable to me, but since we have a simple patch let's fix it on aurora and beta.

[Approval Request Comment]
Regression caused by (bug #): 578977 (? see comment 8)
User impact if declined: hangs and possible crashes
Testing completed (on m-c, etc.): baked 6 days on m-c, has crashtest.
Risk to taking this patch (and alternatives if risky): minimal.
Attachment #588753 - Flags: approval-mozilla-beta?
Attachment #588753 - Flags: approval-mozilla-aurora?
Comment 10 • 12 years ago

(In reply to Simon Montagu from comment #8)
> possibly bug 578977?

Confirmed by reverting bug 578977 in an Aurora debug build on Linux. Bug 578977 did change some things that affect next-in-flows of first-letter frames, so it makes sense.
Blocks: 578977
status-firefox9: --- → affected

Given comment 9 I think we can hold off on this given timing for 10. But we should be able to land this on Aurora; we can cover that in the next triage/channel mtg.
Comment 12 • 12 years ago

Comment on attachment 588753 [details] [diff] [review] Patch

[Triage Comment] We don't have any evidence that this is exploitable or causing significant user pain - let's let this ride the train.
Attachment #588753 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Attachment #588753 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora-
Updated • 12 years ago
Group: core-security
Comment 13 • 12 years ago

Verified using Linux debug build on Ubuntu 11.10 with beta debug build (18.4.2012) - no hang/assertion when loading the test case from comment 0.
Updated • 10 years ago
Depends on: CVE-2014-1536