Closed Bug 885608 Opened 7 years ago Closed 7 years ago

OOB in mozilla::TextRenderedRunIterator::Next with svg.text.css-frames.enabled and <mask>

Categories

(Core :: SVG, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: jruderman, Assigned: heycam)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [adv-main24-])

Crash Data

Attachments

(2 files)

Attached image testcase
With:
  user_pref("svg.text.css-frames.enabled", true);

Assertion failure: i < Length() (invalid array index), at ../../dist/include/nsTArray.h:867

Or, easy to see with ASan, an OOB read [@ mozilla::TextRenderedRunIterator::Next]

Security-sensitive for now because of bug 880925 comment 8.  (That bug had the same symptoms.)
Attached patch: patch
Looks like we need to watch for character data mutations in non-display text and ensure we schedule a reflow for it.  We want ScheduleReflowSVGNonDisplayText to be the thing that causes the text to reflow now, not the invalidation of the rendering observer (the <mask>) since we don't synchronously reflow in UpdateGlyphPositioning any more (after bug 876831).
Assignee: nobody → cam
Status: NEW → ASSIGNED
Attachment #765778 - Flags: review?(longsonr)
Attachment #765778 - Flags: review?(longsonr) → review+
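The comment above describes the hazard: the cached per-character layout of non-display text was only recomputed via the rendering observer on the <mask>, which no longer reflows synchronously, so a character-data mutation left the iterator indexing a stale array. The model below is an added illustration, not Gecko's code or the patch: the struct and function names (NonDisplayTextFrame, CharPosition, IterateRuns, CheckedElementAt) and the growing-text scenario are assumptions chosen to show the stale-index failure and the fix of scheduling a reflow on mutation and flushing it before iterating.

```cpp
// Added example (not Gecko code): how a cached per-character layout array
// goes stale when text is mutated without a reflow, and how scheduling a
// reflow on mutation (the fix described in the bug) closes the gap.
#include <cstddef>
#include <string>
#include <vector>

// One entry per character, produced by Reflow(). Field names are assumptions.
struct CharPosition {
  size_t charIndex;
  double x;
};

// Stand-in for a non-display SVG text frame (assumed name).
struct NonDisplayTextFrame {
  std::string text;                     // current character data; may mutate
  std::vector<CharPosition> positions;  // sized for the text at the last Reflow()
  bool reflowScheduled = false;

  // Rebuild the cached layout for the current text.
  void Reflow() {
    positions.clear();
    for (size_t i = 0; i < text.size(); ++i) {
      positions.push_back({i, 8.0 * static_cast<double>(i)});
    }
    reflowScheduled = false;
  }
};

// Mirrors a checked ElementAt: an invalid index is reported rather than read.
// The real nsTArray asserted `i < Length()` here; under ASan it was an OOB read.
static bool CheckedElementAt(const std::vector<CharPosition>& arr, size_t i,
                             CharPosition& out) {
  if (i >= arr.size()) {
    return false;  // the "invalid array index" path
  }
  out = arr[i];
  return true;
}

// Walks one run per character of the *current* text, looking each character
// up in the cached positions array by index, the way a rendered-run iterator
// would. Returns the number of runs visited, or -1 if an index was out of bounds.
static int IterateRuns(const NonDisplayTextFrame& frame) {
  int visited = 0;
  for (size_t i = 0; i < frame.text.size(); ++i) {
    CharPosition p;
    if (!CheckedElementAt(frame.positions, i, p)) {
      return -1;
    }
    ++visited;
  }
  return visited;
}

// Buggy path: the mutation is seen only by an observer that no longer reflows
// synchronously, so `positions` stays sized for the old, shorter text.
int BuggyMutation() {
  NonDisplayTextFrame frame;
  frame.text = "ab";
  frame.Reflow();                 // positions.size() == 2
  frame.text = "abcdef";          // character data grows; no reflow happens
  return IterateRuns(frame);      // index 2 >= Length(): returns -1
}

// Fixed path: the mutation schedules a reflow (ScheduleReflowSVGNonDisplayText
// analogue) and the consumer flushes it before touching the cached array.
int FixedMutation() {
  NonDisplayTextFrame frame;
  frame.text = "ab";
  frame.Reflow();
  frame.text = "abcdef";
  frame.reflowScheduled = true;   // mutation observer schedules the reflow
  if (frame.reflowScheduled) {
    frame.Reflow();               // flush before iterating
  }
  return IterateRuns(frame);      // all 6 characters have positions
}
```

The point of the model is the ordering: whoever mutates character data must make the layout owner aware of it, and whoever walks the cached layout must flush pending reflow first. The checked lookup only turns a silent out-of-bounds read into a detectable failure; it does not make the stale state correct.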
https://hg.mozilla.org/mozilla-central/rev/15ecbcd8e3fc
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Was this a regression caused by bug 876831?

That would make this Firefox 24 only.
Turns out it wasn't bug 876831, but it must have been in the same time frame.  Firefox 23 is unaffected.
Whiteboard: [adv-main24-]
Group: core-security
Keywords: regression, sec-high