Closed Bug 722137 Opened 10 years ago Closed 10 years ago

"ASSERTION: Invalid offset" with RLE, astral char, wrapping

Categories

(Core :: Layout: Text and Fonts, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla12
Tracking Status
firefox-esr10 --- unaffected

People

(Reporter: jruderman, Assigned: smontagu)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(4 files)

Attached file testcase
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file gfx/thebes/gfxSkipChars.cpp, line 92

###!!! ASSERTION: Text run does not map enough text for our reflow: 'gfxSkipCharsIterator(iter).ConvertOriginalToSkipped(offset + length) <= mTextRun->GetLength()', file layout/generic/nsTextFrameThebes.cpp, line 7399
Attached file stack traces
Attached patch Patch
The patch from bug 698335 should have used GetNextInFlow instead of GetNextSibling.
Attachment #592784 - Flags: review?(roc)
Attached patch Test
Assignee: nobody → smontagu
Attachment #592785 - Flags: review?(roc)
https://hg.mozilla.org/integration/mozilla-inbound/rev/159c690b5aa5
https://hg.mozilla.org/integration/mozilla-inbound/rev/7b5995e5d551
Flags: in-testsuite+
OS: Mac OS X → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla12
Depends on: CVE-2013-1676
Group: core-security