OOB in nsSVGTextFrame2::ResolvePositions with svg.text.css-frames.enabled

RESOLVED FIXED in mozilla22

Status

critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: jruderman, Assigned: longsonr)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla22
x86_64
Mac OS X
assertion, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

(Reporter)

Description

6 years ago
Created attachment 715552
testcase (crashes Firefox when loaded)

With:
  user_pref("svg.text.css-frames.enabled", true);

the testcase causes an OOB array access in nsSVGTextFrame2::ResolvePositions, which is reported as:

Assertion failure: i < Length() (invalid array index), at nsTArray.h:632

(Reporter)

Comment 1

6 years ago
Created attachment 715556
stack

(Assignee)

Updated

6 years ago
Blocks: 655877

(Assignee)

Updated

6 years ago
Assignee: nobody → longsonr

(Assignee)

Comment 2

6 years ago
Created attachment 728767
patch
Attachment #728767 - Flags: review?(cam)
Attachment #728767 - Flags: review?(cam) → review+

(Assignee)

Updated

6 years ago
Flags: in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/362d0632ed67
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22