Closed Bug 736210 Opened 12 years ago Closed 12 years ago

"ASSERTION: Don't know how to merge this stuff" with astral char, ß text-transformed to SS

Categories

(Core :: Layout: Text and Fonts, defect)

x86_64
macOS
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla14
Tracking Status
firefox14 --- fixed

People

(Reporter: jruderman, Assigned: jfkthame)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(3 files)

Attached file testcase
###!!! ASSERTION: Don't know how to merge this stuff: 'mergeRunStart == k || (g.IsClusterStart() && g.IsLigatureGroupStart())', file layout/generic/nsTextRunTransformations.cpp, line 212

###!!! ASSERTION: Bad offset calculations: 'offset == aDest->GetLength()', file layout/generic/nsTextRunTransformations.cpp, line 236

I'm guessing this is a regression from bug 605021.

The first assertion is not the same as the one in bug 536242, fwiw.
Attached file stack traces
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Attachment #606657 - Flags: review?(smontagu)
I can't tell from the patch whether this is actually a security bug or not -- what does that change do?
AFAICT, this doesn't actually constitute a security problem. The error means that the association between underlying text characters and displayed glyphs is incorrect, because of an indexing error when reconstructing the transformed textrun, but it doesn't cause us to overrun a buffer or anything dangerous like that; the "offset" that's used as an index into the new run ends up short of the end of the run, not beyond it.

(To see an effect of the bug, try
  data:text/html;charset=utf-8,<div style="text-transform:uppercase">foo
(In reply to Jonathan Kew (:jfkthame) from comment #4)
> (To see an effect of the bug, try
>   data:text/html;charset=utf-8,<div style="text-transform:uppercase">foo

Excuse the truncated comment; apparently something (my browser? bugzilla?) didn't like the supplementary-plane character!
FTR, filed bug 738609 regarding the inability to include supplementary-plane text in a bugzilla comment.
Attachment #606657 - Flags: review?(smontagu) → review+
https://hg.mozilla.org/mozilla-central/rev/23cf3da09191
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: