"ASSERTION: Don't know how to merge this stuff" with astral char, ß text-transformed to SS

RESOLVED FIXED in Firefox 14

Status

()

Core
Layout: Text
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Jesse Ruderman, Assigned: jfkthame)

Tracking

(Blocks: 2 bugs, {assertion, regression, testcase})

Trunk
mozilla14
x86_64
Mac OS X
assertion, regression, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox14 fixed)

Details

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 606319 [details]
testcase

###!!! ASSERTION: Don't know how to merge this stuff: 'mergeRunStart == k || (g.IsClusterStart() && g.IsLigatureGroupStart())', file layout/generic/nsTextRunTransformations.cpp, line 212

###!!! ASSERTION: Bad offset calculations: 'offset == aDest->GetLength()', file layout/generic/nsTextRunTransformations.cpp, line 236

I'm guessing this is a regression from bug 605021.

The first assertion is not the same as the one in bug 536242, fwiw.
(Reporter)

Comment 1

5 years ago
Created attachment 606320 [details]
stack traces
(Assignee)

Comment 2

5 years ago
Created attachment 606657 [details] [diff] [review]
patch, don't set 'true' in charsToMerge array for surrogates
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Attachment #606657 - Flags: review?(smontagu)
I can't tell from the patch whether this is actually a security bug or not -- what does that change do?
(Assignee)

Comment 4

5 years ago
AFAICT, this doesn't actually constitute a security problem. The error means that the association between underlying text characters and displayed glyphs is incorrect, because of an indexing error when reconstructing the transformed textrun, but it doesn't cause us to overrun a buffer or anything dangerous like that; the "offset" that's used as an index into the new run ends up short of the end of the run, not beyond it.

(To see an effect of the bug, try
  data:text/html;charset=utf-8,<div style="text-transform:uppercase">foo
(Assignee)

Comment 5

5 years ago
(In reply to Jonathan Kew (:jfkthame) from comment #4)
> (To see an effect of the bug, try
>   data:text/html;charset=utf-8,<div style="text-transform:uppercase">foo

Excuse the truncated comment; apparently something (my browser? bugzilla?) didn't like the supplementary-plane character!
(Assignee)

Comment 6

5 years ago
FTR, filed bug 738609 regarding the inability to include supplementary-plane text in a bugzilla comment.
Attachment #606657 - Flags: review?(smontagu) → review+
(Assignee)

Comment 7

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/23cf3da09191
Target Milestone: --- → mozilla14

Comment 8

5 years ago
https://hg.mozilla.org/mozilla-central/rev/23cf3da09191
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
status-firefox14: --- → fixed
Resolution: --- → FIXED
Group: core-security
You need to log in before you can comment on or make changes to this bug.