Closed Bug 698335 Opened 13 years ago Closed 12 years ago

"ASSERTION: Invalid offset" with bidi, -moz-column, :first-letter

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla12
Tracking Flags:
Tracking Status
firefox9 --- affected
firefox10 --- affected
firefox11 --- affected
firefox12 --- verified
status1.9.2 --- unaffected

People

(Reporter: jruderman, Assigned: smontagu)

References

Details

(4 keywords, Whiteboard: [qa+])

Attachments

(3 files)

testcase (hangs Firefox)
200 bytes, text/html
Details
stack traces
16.92 KB, text/plain
Details
Patch
2.47 KB, patch
roc
: review+
akeybl
: approval-mozilla-aurora-
akeybl
: approval-mozilla-beta-
Details | Diff | Splinter Review 
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file gfx/thebes/gfxSkipChars.cpp, line 92

###!!! ASSERTION: Text run does not map enough text for our reflow: 'gfxSkipCharsIterator(iter).ConvertOriginalToSkipped(offset + length) <= mTextRun->GetLength()', file layout/generic/nsTextFrameThebes.cpp, line 7109

###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file gfx/thebes/gfxSkipChars.cpp, line 92

###!!! ASSERTION: unconstrained height on totally empty line: 'NS_UNCONSTRAINEDSIZE != aFloatAvailableSpace.mRect.height', file layout/generic/nsBlockFrame.cpp, line 3686

###!!! ASSERTION: redo line on totally empty line with non-empty band...: 'aFloatAvailableSpace.mHasFloats', file layout/generic/nsBlockFrame.cpp, line 3691
Attached file stack traces 

    
    

    
  
Is this exploitable or just a DoS/hang? would more/fewer/different characters change the symptoms?
Assignee: nobody → smontagu

    
    

    
  
smontagu - any update here?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        PatchSplinter Review
      

    


  
This is apparently regression from making a preformatted newline a new bidi paragraph: we need to test whether there are any fluid continuations even beyond the current paragraph, but children of the same block element and convert them to non-fluid.

        Attachment #588753 -
        Flags: review?(roc)

    
    

    
  
https://hg.mozilla.org/integration/mozilla-inbound/rev/60add44419ef
Flags: in-testsuite+
OS: Mac OS X → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla12

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/60add44419ef
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED

    
    

    
  
Do we need to land this on Aurora as a security bug or did it turn out benign and we can unhide the bug? If it really is a potentially sg:critical bug we maybe shouldn't have called it out in the Platform meeting, especially with a checked-in crashtest.

          status1.9.2:
          --- → unaffected

          status-firefox10:
          --- → affected

          status-firefox11:
          --- → affected

          status-firefox12:
          --- → fixed
Keywords: regression, 
          
            regressionwindow-wanted

    
    

    
  
Comment on attachment 588753 [details] [diff] [review]
Patch

This doesn't seem exploitable to me, but since we have a simple patch let's fix it on aurora and beta.

[Approval Request Comment]
Regression caused by (bug #): 578977(? see comment 8)
User impact if declined: hangs and possible crashes
Testing completed (on m-c, etc.): baked 6 days on m-c, has crashtest.
Risk to taking this patch (and alternatives if risky): minimal.

        Attachment #588753 -
        Flags: approval-mozilla-beta?

        Attachment #588753 -
        Flags: approval-mozilla-aurora?

    
    

    
  
(In reply to Simon Montagu from comment #8)
> possibly bug 578977?

Confirmed by reverting bug 578977 in an Aurora debug build on Linux.
Bug 578977 did change some things that affects next-in-flows of first-letter
frames, so it makes sense.
Blocks: 578977

          status-firefox9:
          --- → affected

    
    

    
  
given comment 9 I think we can hold off on this given timing for 10. But we should be able to land this on Aurora, we can cover that in the next triage/channel mtg.

    
    

    
  
Comment on attachment 588753 [details] [diff] [review]
Patch

[Triage Comment]
We don't have any evidence that this is exploitable or causing significant user pain - let's let this ride the train.

        Attachment #588753 -
        Flags: approval-mozilla-beta?

        Attachment #588753 -
        Flags: approval-mozilla-beta-

        Attachment #588753 -
        Flags: approval-mozilla-aurora?

        Attachment #588753 -
        Flags: approval-mozilla-aurora-
Group: core-security

    
  
Whiteboard: [qa+]

    
    

    
  
Verified using linux debug build on Ubuntu 11.10 with beta debug build (18.4.2012)- no hang/assertion when loading the test case from comment 0.

          status-firefox12:
          fixedverified
Depends on: CVE-2014-1536

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: