Closed Bug 790252 Opened 7 years ago Closed 5 years ago

out of bounds read in gfxTextRun::ShrinkToLigatureBoundaries

Categories: (Core :: Layout: Text and Fonts, defect)
x86_64 / All / defect / Not set
Tracking: RESOLVED WORKSFORME
People: (Reporter: inferno, Unassigned)
Details: (4 keywords, Whiteboard: [asan])
Attachments: (2 files)

Attached file Testcase
Reproduces on trunk

=================================================================
==8831== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fba8f609c74 at pc 0x7fbab13c7a99 bp 0x7fffef0314d0 sp 0x7fffef0314c8
READ of size 4 at 0x7fba8f609c74 thread T0
    #0 0x7fbab13c7a98 in gfxShapedWord::CompressedGlyph::IsLigatureGroupStart() const src/../../dist/include/gfxFont.h:1918
    #1 0x7fbabc601ad6 in gfxTextRun::ShrinkToLigatureBoundaries(unsigned int*, unsigned int*) src/gfx/thebes/gfxFont.cpp:4711
    #2 0x7fbabc6126b6 in gfxTextRun::GetAdvanceWidth(unsigned int, unsigned int, gfxTextRun::PropertyProvider*) src/gfx/thebes/gfxFont.cpp:5230
    #3 0x7fbab139830c in nsTextFrame::TrimTrailingWhiteSpace(nsRenderingContext*) src/layout/generic/nsTextFrameThebes.cpp:8113
    #4 0x7fbab11ad5bc in nsLineLayout::TrimTrailingWhiteSpaceIn(nsLineLayout::PerSpanData*, int*) src/layout/generic/nsLineLayout.cpp:2299
    #5 0x7fbab11aca2a in nsLineLayout::TrimTrailingWhiteSpaceIn(nsLineLayout::PerSpanData*, int*) src/layout/generic/nsLineLayout.cpp:2246
    #6 0x7fbab11aca2a in nsLineLayout::TrimTrailingWhiteSpaceIn(nsLineLayout::PerSpanData*, int*) src/layout/generic/nsLineLayout.cpp:2246
    #7 0x7fbab11aeefc in nsLineLayout::TrimTrailingWhiteSpace() src/layout/generic/nsLineLayout.cpp:2367
    #8 0x7fbab0e4ea8e in nsBlockFrame::PlaceLine(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, nsRect&, int&, bool*) src/layout/generic/nsBlockFrame.cpp:4181
    #9 0x7fbab0e478ac in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:3766
    #10 0x7fbab0e37ee1 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3484
    #11 0x7fbab0e26d6b in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2571
    #12 0x7fbab0e0d419 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2021
    #13 0x7fbab0dffd37 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1070
    #14 0x7fbab0e8edb0 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:268
    #15 0x7fbab0e31b9d in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3208
    #16 0x7fbab0e26836 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2515
    #17 0x7fbab0e0d419 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2021
    #18 0x7fbab0dffd37 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1070
    #19 0x7fbab0e8edb0 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:268
    #20 0x7fbab0e31b9d in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3208
    #21 0x7fbab0e26836 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2515
    #22 0x7fbab0e0d419 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2021
    #23 0x7fbab0dffd37 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1070
    #24 0x7fbab0eee758 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:946
    #25 0x7fbab10bfd05 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsCanvasFrame.cpp:463
    #26 0x7fbab0eee758 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:946
    #27 0x7fbab1036959 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) src/layout/generic/nsGfxScrollFrame.cpp:523
    #28 0x7fbab1030d58 in nsHTMLScrollFrame::TryLayout(ScrollReflowState*, nsHTMLReflowMetrics*, bool, bool, bool, unsigned int*) src/layout/generic/nsGfxScrollFrame.cpp:366
    #29 0x7fbab103c6c1 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) src/layout/generic/nsGfxScrollFrame.cpp:680
    #30 0x7fbab103fd9a in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsGfxScrollFrame.cpp:864
    #31 0x7fbab0eee758 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:946
    #32 0x7fbab1423fbd in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsViewportFrame.cpp:200
    #33 0x7fbab0b7678f in PresShell::DoReflow(nsIFrame*, bool) src/layout/base/nsPresShell.cpp:7435
    #34 0x7fbab0ba2b5b in PresShell::ProcessReflowCommands(bool) src/layout/base/nsPresShell.cpp:7582
    #35 0x7fbab0ba13e1 in PresShell::FlushPendingNotifications(mozFlushType) src/layout/base/nsPresShell.cpp:3893
    #36 0x7fbab2448b6b in nsDocument::FlushPendingNotifications(mozFlushType) src/content/base/src/nsDocument.cpp:6352
    #37 0x7fbab25fab6f in nsGenericElement::GetPrimaryFrame(mozFlushType) src/content/base/src/nsGenericElement.cpp:1794
    #38 0x7fbab25fa775 in nsGenericElement::GetStyledFrame() src/content/base/src/nsGenericElement.cpp:519
    #39 0x7fbab25fbfa6 in nsGenericElement::GetScrollFrame(nsIFrame**) src/content/base/src/nsGenericElement.cpp:573
    #40 0x7fbab25ffe12 in nsGenericElement::GetClientAreaRect() src/content/base/src/nsGenericElement.cpp:744
    #41 0x7fbab2600ff5 in nsGenericElement::GetClientWidth() src/content/base/src/nsGenericElement.h:320
    #42 0x7fbab7ac193f in nsIDOMElement_GetClientWidth(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) src/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:4641
    #43 0x7fbac29d0258 in js::CallJSPropertyOp(JSContext*, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>), JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) src/js/src/jscntxtinlines.h:439
    #44 0x7fbac297d9ce in js_NativeGetInline(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, js::Shape*, unsigned int, JS::Value*) src/js/src/jsobj.cpp:4238
    #45 0x7fbac1de41f4 in JSObject::getGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) src/js/src/jsobjinlines.h:173
    #46 0x7fbac2b55620 in js::DirectProxyHandler::get(JSContext*, JSObject*, JSObject*, long, JS::Value*) src/js/src/jsproxy.cpp:587
    #47 0x7fbac33506e6 in js::DirectWrapper::get(JSContext*, JSObject*, JSObject*, long, JS::Value*) src/js/src/jswrapper.cpp:284
    #48 0x7fbac3350a6e in non-virtual thunk to js::DirectWrapper::get(JSContext*, JSObject*, JSObject*, long, JS::Value*) ??:0
    #49 0x7fbac2bcf07c in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) src/js/src/jsproxy.cpp:2376
    #50 0x7fbac2be19bd in proxy_GetGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) src/js/src/jsproxy.cpp:2634
    #51 0x7fbac1de3a85 in JSObject::getGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) src/js/src/jsobjinlines.h:170
    #52 0x7fbac273f176 in js::GetPropertyGenericMaybeCallXML(JSContext*, JSOp, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) src/js/src/jsinterpinlines.h:204
    #53 0x7fbac270f7d4 in js::GetPropertyOperation(JSContext*, unsigned char*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/jsinterpinlines.h:267
    #54 0x7fbac264fd11 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2285
    #55 0x7fbac25c5902 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:301
    #56 0x7fbac26d1df5 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:355
    #57 0x7fbac1f63e1c in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #58 0x7fbac26d713b in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:388
    #59 0x7fbac1e4021b in JS_CallFunctionValue src/js/src/jsapi.cpp:5908
    #60 0x7fbab42f70cf in nsXBLProtoImplAnonymousMethod::Execute(nsIContent*) src/content/xbl/src/nsXBLProtoImplMethod.cpp:331
    #61 0x7fbab4255053 in nsXBLPrototypeBinding::BindingAttached(nsIContent*) src/content/xbl/src/nsXBLPrototypeBinding.cpp:491
    #62 0x7fbab4227cec in nsXBLBinding::ExecuteAttachedHandler() src/content/xbl/src/nsXBLBinding.cpp:1083
    #63 0x7fbab43769ac in nsBindingManager::ProcessAttachedQueue(unsigned int) src/content/xbl/src/nsBindingManager.cpp:1011
0x7fba8f609c74 is located 12 bytes to the left of 136-byte region [0x7fba8f609c80,0x7fba8f609d08)
allocated by thread T0 here:
    #0 0x4c3ef0 in __interceptor_malloc ??:0
    #1 0x7fbac8d7c6c6 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:57
    #2 0x7fbabbda103e in operator new(unsigned long) src/../../dist/include/mozilla/mozalloc.h:200
    #3 0x7fbabbcb54c1 in mozilla::GenericFactory::CreateInstance(nsISupports*, nsID const&, void**) src/objdir-ff-asan-sym/xpcom/build/GenericFactory.cpp:16
    #4 0x7fbabbf8d696 in nsComponentManagerImpl::CreateInstance(nsID const&, nsISupports*, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:944
    #5 0x7fbabbc3eaf8 in CallCreateInstance(nsID const&, nsISupports*, nsID const&, void**) src/objdir-ff-asan-sym/xpcom/build/nsComponentManagerUtils.cpp:124
    #6 0x7fbabbc3fe69 in nsCreateInstanceByCID::operator()(nsID const&, void**) const src/objdir-ff-asan-sym/xpcom/build/nsComponentManagerUtils.cpp:167
    #7 0x7fbabbc33ddc in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) src/objdir-ff-asan-sym/xpcom/build/nsCOMPtr.cpp:110
    #8 0x7fbaaff730a6 in nsCOMPtr<nsIPersistentProperties>::operator=(nsCOMPtr_helper const&) src/../../../dist/include/nsCOMPtr.h:689
    #9 0x7fbaaff72699 in nsStringBundle::LoadProperties() src/intl/strres/src/nsStringBundle.cpp:101
    #10 0x7fbaaff789e8 in nsStringBundle::GetStringFromName(unsigned short const*, unsigned short**) src/intl/strres/src/nsStringBundle.cpp:234
    #11 0x7fbab00d1eac in nsPrefBranch::GetDefaultFromPropertiesFile(char const*, unsigned short**) src/modules/libpref/src/nsPrefBranch.cpp:697
    #12 0x7fbab00ce527 in nsPrefBranch::GetComplexValue(char const*, nsID const&, void**) src/modules/libpref/src/nsPrefBranch.cpp:211
    #13 0x7fbab0139ee7 in mozilla::Preferences::GetComplexValue(char const*, nsID const&, void**) src/../../../dist/include/mozilla/Preferences.h:48
    #14 0x7fbab013c229 in non-virtual thunk to mozilla::Preferences::GetComplexValue(char const*, nsID const&, void**) src/gfx/cairo/cairo/src/cairo-surface-subsurface.c:0
    #15 0x7fbabc0dd747 in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #16 0x7fbab74de4ee in CallMethodHelper::Invoke() src/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #17 0x7fbab75412c5 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1469
    #18 0x7fbac26d1781 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:372
    #19 0x7fbac265e8c1 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2406
    #20 0x7fbac25c5902 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:301
    #21 0x7fbac26d1df5 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:355
    #22 0x7fbac1f63e1c in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #23 0x7fbac237a1a0 in js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) src/js/src/jsfun.cpp:1029
    #24 0x7fbac26d1782 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:372
Shadow byte and word:
  0x1ff751ec138e: fa
  0x1ff751ec1388: fa fa fa fa fa fa fa fa
More shadow bytes:
  0x1ff751ec1368: fb fb fb fb fb fb fb fb
  0x1ff751ec1370: fa fa fa fa fa fa fa fa
  0x1ff751ec1378: fa fa fa fa fa fa fa fa
  0x1ff751ec1380: fa fa fa fa fa fa fa fa
=>0x1ff751ec1388: fa fa fa fa fa fa fa fa
  0x1ff751ec1390: 00 00 00 00 00 00 00 00
  0x1ff751ec1398: 00 00 00 00 00 00 00 00
  0x1ff751ec13a0: 00 fb fb fb fb fb fb fb
  0x1ff751ec13a8: fb fb fb fb fb fb fb fb
Stats: 231M malloced (263M for red zones) by 464264 calls
Stats: 41M realloced by 20382 calls
Stats: 189M freed by 229561 calls
Stats: 55M really freed by 151996 calls
Stats: 436M (111693 full pages) mmaped in 109 calls
  mmaps   by size class: 8:278511; 9:40955; 10:12285; 11:14329; 12:2048; 13:1536; 14:1280; 15:256; 16:448; 17:1280; 18:128; 19:40; 20:20;
  mallocs by size class: 8:380694; 9:47466; 10:11148; 11:16959; 12:2383; 13:1705; 14:1478; 15:308; 16:549; 17:1368; 18:149; 19:40; 20:17;
  frees   by size class: 8:163882; 9:37998; 10:7691; 11:13766; 12:1511; 13:1243; 14:1285; 15:264; 16:468; 17:1351; 18:51; 19:37; 20:14;
  rfrees  by size class: 8:118090; 9:19328; 10:4086; 11:8537; 12:497; 13:464; 14:328; 15:146; 16:336; 17:156; 18:23; 19:4; 20:1;
Stats: malloc large: 1574 small slow: 2031
==8831== ABORTING
Component: General → Layout: Text
Product: Firefox → Core
Keywords: crash, testcase
Summary: heap-buffer-overflow in gfxTextRun::ShrinkToLigatureBoundaries → out of bounds read in gfxTextRun::ShrinkToLigatureBoundaries
Whiteboard: [asan]
Keywords: rtl
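Added example, not Gecko code and not the attached testcase: a constructed C model of the bug class the report above points at. Frame #0 is a 4-byte READ of a per-character glyph flag word (CompressedGlyph::IsLigatureGroupStart) and frame #1 is the boundary-shrinking loop that indexes it; the debug-build assertions further down ("Substring out of range: aStart + aLength <= mCharacterCount") show the offsets arriving at that loop are not validated against the run's character count. Every name here (text_run, make_run, shrink_unchecked, shrink_checked, the LIG_GROUP_START bit) is an assumption chosen to mirror the report, and the flag values are constructed sample input. The unchecked form reads outside the malloc'd buffer when handed an out-of-range end offset; the hardened form rejects such a range before any dereference and never reads at index == character_count.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Gecko code: a shaped text run holds one 32-bit flag
 * word per character (standing in for CompressedGlyph) and a character count
 * (standing in for mCharacterCount). Bit 0 marks a ligature-group start. */
#define LIG_GROUP_START 0x1u

typedef struct {
    uint32_t *glyphs;           /* heap buffer: exactly character_count words */
    uint32_t  character_count;
} text_run;

text_run *make_run(const uint32_t *flags, uint32_t n) {
    text_run *r = malloc(sizeof *r);
    r->glyphs = malloc(n * sizeof *r->glyphs);
    memcpy(r->glyphs, flags, n * sizeof *r->glyphs);
    r->character_count = n;
    return r;
}

void free_run(text_run *r) { free(r->glyphs); free(r); }

static int is_lig_start(const text_run *r, uint32_t i) {
    return (r->glyphs[i] & LIG_GROUP_START) != 0;   /* the 4-byte READ */
}

/* Unchecked form: trusts the caller's [start, end) to lie inside the run.
 * An end offset past character_count (what the "Substring out of range"
 * assertions flag) makes is_lig_start index outside the malloc'd buffer;
 * an ASan build reports that as heap-buffer-overflow at the read. */
int shrink_unchecked(const text_run *r, uint32_t *start, uint32_t *end) {
    if (*start >= *end) return 0;
    while (*start < *end && !is_lig_start(r, *start)) ++*start;
    while (*end > *start && !is_lig_start(r, *end)) --*end;
    return 0;
}

/* Hardened form: validate against character_count before any dereference and
 * never read at index == character_count (one past the end). Returns -1 and
 * leaves the offsets untouched when the caller's range is out of range. */
int shrink_checked(const text_run *r, uint32_t *start, uint32_t *end) {
    if (*start > r->character_count || *end > r->character_count) return -1;
    if (*start >= *end) return 0;
    while (*start < *end && !is_lig_start(r, *start)) ++*start;
    if (*end < r->character_count)
        while (*end > *start && !is_lig_start(r, *end)) --*end;
    return 0;
}

int main(int argc, char **argv) {
    /* Constructed sample: ligature groups start at characters 0, 2 and 6. */
    const uint32_t flags[8] = {1, 0, 1, 0, 0, 0, 1, 0};
    text_run *r = make_run(flags, 8);
    uint32_t s = 1, e = 7;

    shrink_checked(r, &s, &e);
    printf("checked: [1,7) -> [%u,%u)\n", s, e);

    s = 1; e = 20;                       /* 20 > character_count */
    printf("checked, bad range: rc=%d\n", shrink_checked(r, &s, &e));

    if (argc > 1 && strcmp(argv[1], "crash") == 0) {
        /* Build with -fsanitize=address -g and run with "crash" to see the
         * heap-buffer-overflow READ of size 4 inside is_lig_start, the
         * counterpart of frame #0 in the report. */
        shrink_unchecked(r, &s, &e);
    }
    free_run(r);
    return 0;
}
```

The hardened form fails closed (refuses the range) rather than clamping it silently, so a caller bug of the kind the assertions record surfaces as a visible error instead of as a read of whatever happens to sit beside the glyph buffer.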
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file ../../../gfx/thebes/gfxSkipChars.cpp, line 60

###!!! ASSERTION: Substring out of range: 'aStart + aLength <= mCharacterCount', file ../../../gfx/thebes/gfxFont.cpp, line 4879

###!!! ASSERTION: Substring out of range: 'aStart + aLength <= mCharacterCount', file ../../../gfx/thebes/gfxFont.cpp, line 5017

###!!! ASSERTION: Substring out of range: 'aStart + aLength <= mCharacterCount', file ../../../gfx/thebes/gfxFont.cpp, line 5226

###!!! ASSERTION: You can't dereference a NULL nsAutoPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/nsAutoPtr.h, line 150

###!!! ASSERTION: aPos out of range: 'aPos < mCharacterCount', file ../../dist/include/gfxFont.h, line 2377

###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ../../../layout/base/nsLayoutUtils.cpp, line 4549

###!!! ASSERTION: invalid use of GetDetailedGlyphs; check the caller!: 'mDetailedGlyphs != nullptr && !mCharacterGlyphs[aCharIndex].IsSimpleGlyph() && mCharacterGlyphs[aCharIndex].GetGlyphCount() > 0', file ../../../gfx/thebes/gfxFont.h, line 2844
Still asserts like crazy in a recent debug build:

###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file /Users/amccreight/mz/cent/layout/base/nsLayoutUtils.cpp, line 4603
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file /Users/amccreight/mz/cent/layout/base/nsLayoutUtils.cpp, line 4603
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/amccreight/mz/cent/gfx/thebes/gfxSkipChars.cpp, line 60
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/amccreight/mz/cent/gfx/thebes/gfxSkipChars.cpp, line 60
###!!! ASSERTION: Substring out of range: 'aStart + aLength <= mCharacterCount', file /Users/amccreight/mz/cent/gfx/thebes/gfxFont.cpp, line 5238
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/amccreight/mz/cent/gfx/thebes/gfxSkipChars.cpp, line 60
###!!! ASSERTION: Substring out of range: 'aStart + aLength <= mCharacterCount', file /Users/amccreight/mz/cent/gfx/thebes/gfxFont.cpp, line 5029
WARNING: NS_ENSURE_SUCCESS(rv, false) failed with result 0x8000FFFF: file /Users/amccreight/mz/cent/content/base/src/nsContentUtils.cpp, line 2993
WARNING: NS_ENSURE_TRUE(pusher.Push(aBoundElement)) failed: file /Users/amccreight/mz/cent/content/xbl/src/nsXBLProtoImplMethod.cpp, line 321
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/amccreight/mz/cent/gfx/thebes/gfxSkipChars.cpp, line 60
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/amccreight/mz/cent/gfx/thebes/gfxSkipChars.cpp, line 60
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/amccreight/mz/cent/gfx/thebes/gfxSkipChars.cpp, line 60
###!!! ASSERTION: Substring out of range: 'aStart + aLength <= mCharacterCount', file /Users/amccreight/mz/cent/gfx/thebes/gfxFont.cpp, line 4891
###!!! ASSERTION: Invalid offset: 'aOffset <= mSkipChars->mCharCount', file /Users/amccreight/mz/cent/gfx/thebes/gfxSkipChars.cpp, line 60
###!!! ASSERTION: aPos out of range: 'aPos < mCharacterCount', file ../../dist/include/gfxFont.h, line 2382
###!!! ASSERTION: Substring out of range: 'aStart + aLength <= mCharacterCount', file /Users/amccreight/mz/cent/gfx/thebes/gfxFont.cpp, line 5238
###!!! ASSERTION: invalid use of GetDetailedGlyphs; check the caller!: 'mDetailedGlyphs != nullptr && !mCharacterGlyphs[aCharIndex].IsSimpleGlyph() && mCharacterGlyphs[aCharIndex].GetGlyphCount() > 0', file ../../dist/include/gfxFont.h, line 2849
###!!! ASSERTION: You can't dereference a NULL nsAutoPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/nsAutoPtr.h, line 150
So far the evidence is we're just reading bogus data which will mess up layout/rendering but shouldn't be exploitable memory corruption.
Keywords: sec-moderate
Asserts on load, crashes if you press ⌘A.
What's the significance of the script running on DOMContentLoaded? If I change it to load, it no longer triggers the bug.

This could indicate a weak spot in my DOM fuzzer, which only does things after load.
The main significance is we're done parsing but subresources haven't loaded yet.

But also, we make sure to process all pending restyles and reflows before firing onload; it might be that in this case that matters...
Is bug 973349 the same?
Works for me, m-c ASAN debug build on Linux64, and debug builds for all branches.
No crash, no assertions.

Can anyone else still reproduce it?
Still WFM.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: in-testsuite?
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release
Flags: in-testsuite? → in-testsuite+