Closed Bug 842630 Opened 10 years ago Closed 10 years ago

OOB in nsSVGTextFrame2::ResolvePositions with svg.text.css-frames.enabled

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla22

People

(Reporter: jruderman, Assigned: longsonr)

References

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

testcase (crashes Firefox when loaded)
110 bytes, image/svg+xml
Details
stack
8.94 KB, text/plain
Details
patch
2.20 KB, patch
heycam
: review+
Details | Diff | Splinter Review 
With:
  user_pref("svg.text.css-frames.enabled", true);

the testcase causes an OOB array access in nsSVGTextFrame2::ResolvePositions, which is reported as:

Assertion failure: i < Length() (invalid array index), at nsTArray.h:632
Attached file stack 

    
  
Blocks: svgtext

    
  
Assignee: nobody → longsonr

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  

        Attachment #728767 -
        Flags: review?(cam)

        Attachment #728767 -
        Flags: review?(cam) → review+

    
  
Flags: in-testsuite+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/362d0632ed67
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22

          You need to log in
          before you can comment on or make changes to this bug.