Bug 736210 - "ASSERTION: Don't know how to merge this stuff" with astral char, ß text-transformed to SS
Status: RESOLVED FIXED
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: Layout: Text
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- normal
Target Milestone: mozilla14
Assigned To: Jonathan Kew (:jfkthame)
Mentors:
Depends on:
Blocks: randomstyles textfuzzer 605021
Reported: 2012-03-15 12:16 PDT by Jesse Ruderman
Modified: 2012-04-02 15:51 PDT
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
fixed

Attachments
testcase (69 bytes, text/html), 2012-03-15 12:16 PDT, Jesse Ruderman
stack traces (22.30 KB, text/plain), 2012-03-15 12:16 PDT, Jesse Ruderman
patch, don't set 'true' in charsToMerge array for surrogates (937 bytes, patch), 2012-03-16 11:43 PDT, Jonathan Kew (:jfkthame), smontagu: review+

Description Jesse Ruderman 2012-03-15 12:16:21 PDT
Created attachment 606319 [details]
testcase

###!!! ASSERTION: Don't know how to merge this stuff: 'mergeRunStart == k || (g.IsClusterStart() && g.IsLigatureGroupStart())', file layout/generic/nsTextRunTransformations.cpp, line 212

###!!! ASSERTION: Bad offset calculations: 'offset == aDest->GetLength()', file layout/generic/nsTextRunTransformations.cpp, line 236

I'm guessing this is a regression from bug 605021.

The first assertion is not the same as the one in bug 536242, fwiw.
Comment 1 Jesse Ruderman 2012-03-15 12:16:41 PDT
Created attachment 606320 [details]
stack traces
Comment 2 Jonathan Kew (:jfkthame) 2012-03-16 11:43:52 PDT
Created attachment 606657 [details] [diff] [review]
patch, don't set 'true' in charsToMerge array for surrogates
Comment 3 Daniel Veditz [:dveditz] 2012-03-21 10:54:54 PDT
I can't tell from the patch whether this is actually a security bug or not -- what does that change do?
Comment 4 Jonathan Kew (:jfkthame) 2012-03-23 05:18:33 PDT
AFAICT, this doesn't actually constitute a security problem. The error means that the association between underlying text characters and displayed glyphs is incorrect, because of an indexing error when reconstructing the transformed textrun, but it doesn't cause us to overrun a buffer or anything dangerous like that; the "offset" that's used as an index into the new run ends up short of the end of the run, not beyond it.

(To see an effect of the bug, try
  data:text/html;charset=utf-8,<div style="text-transform:uppercase">foo
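The indexing error comment 4 describes, modelled as an added JavaScript example that is not Gecko's code and not the attached patch: when text-transform:uppercase expands ß to "SS" while a supplementary-plane character passes through as a two-unit surrogate pair, the per-code-unit merge flags decide how far the reconstruction offset advances. The names transformAndFlag, mergeOffset, checkOffsets and the charsToMerge layout are assumptions made for this illustration; the `markLowSurrogates` option reproduces the mistake the patch title refers to (flagging a surrogate for merging), and the sample input is constructed.

```javascript
// Added example, not Gecko code: a simplified model of the bookkeeping a
// text-transform pass needs when one source character expands to several
// UTF-16 code units (U+00DF 'ß' uppercases to "SS") while a supplementary-
// plane character is carried through as a two-unit surrogate pair.

function isHighSurrogate(cu) { return cu >= 0xD800 && cu <= 0xDBFF; }
function isLowSurrogate(cu)  { return cu >= 0xDC00 && cu <= 0xDFFF; }

// Apply toUpperCase() one code point at a time. Returns the transformed text
// and a charsToMerge array (assumed name) with one boolean per transformed
// code unit: true means "this unit came from an expansion (the second S of
// SS) and must be merged back into the cluster of the preceding unit".
// A low surrogate is the second half of one code point, not an extra
// character; flagging it true is the mistake this bug is about, which the
// markLowSurrogates option reproduces deliberately.
function transformAndFlag(source, { markLowSurrogates = false } = {}) {
  let transformed = '';
  const charsToMerge = [];
  for (let i = 0; i < source.length; i++) {
    let ch = source[i];
    const cu = source.charCodeAt(i);
    const pair = isHighSurrogate(cu) && i + 1 < source.length &&
                 isLowSurrogate(source.charCodeAt(i + 1));
    if (pair) { ch = source.slice(i, i + 2); i++; }
    const upper = ch.toUpperCase();       // 'ß'.toUpperCase() === 'SS'
    transformed += upper;
    charsToMerge.push(false);             // first unit of each character
    for (let k = 1; k < upper.length; k++) {
      const low = isLowSurrogate(upper.charCodeAt(k));
      charsToMerge.push(low ? markLowSurrogates : true);
    }
  }
  return { transformed, charsToMerge };
}

// Walk the flags the way a merge pass would: every unit not flagged for
// merging occupies one position in the destination run. The destination
// has one slot per untransformed source code unit (a surrogate pair takes
// two), so the final offset should equal source.length.
function mergeOffset(charsToMerge) {
  let offset = 0;
  for (let k = 0; k < charsToMerge.length; k++) {
    if (!charsToMerge[k]) offset++;
  }
  return offset;
}

// Run the transform and compare the offset with the expected destination
// length, mirroring the "offset == aDest->GetLength()" check in the report.
function checkOffsets(source, options) {
  const { transformed, charsToMerge } = transformAndFlag(source, options);
  const offset = mergeOffset(charsToMerge);
  return {
    transformed,
    charsToMerge,
    offset,
    destLength: source.length,
    consistent: offset === source.length,
  };
}

// Constructed sample: ASCII, a sharp s, one supplementary-plane character
// (U+1F600), five UTF-16 code units in total.
const SAMPLE = 'a\u00DF\u{1F600}b';
console.log(checkOffsets(SAMPLE));
console.log(checkOffsets(SAMPLE, { markLowSurrogates: true }));
```

With correct flags the offset reaches 5, the destination length. With the low surrogate flagged for merging it stops at 4: short of the end of the run rather than past it, which is why the report classifies this as a glyph-to-character mismatch rather than a buffer overrun.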
Comment 5 Jonathan Kew (:jfkthame) 2012-03-23 05:20:53 PDT
(In reply to Jonathan Kew (:jfkthame) from comment #4)
> (To see an effect of the bug, try
>   data:text/html;charset=utf-8,<div style="text-transform:uppercase">foo

Excuse the truncated comment; apparently something (my browser? bugzilla?) didn't like the supplementary-plane character!
Comment 6 Jonathan Kew (:jfkthame) 2012-03-23 05:51:22 PDT
FTR, filed bug 738609 regarding the inability to include supplementary-plane text in a bugzilla comment.
Comment 8 Ed Morley [:emorley] 2012-03-24 14:14:47 PDT
https://hg.mozilla.org/mozilla-central/rev/23cf3da09191