Closed Bug 885608 Opened 7 years ago Closed 7 years ago
OOB in mozilla::TextRenderedRunIterator::Next with svg.text.css-frames.enabled and <mask>
With: user_pref("svg.text.css-frames.enabled", true);

Assertion failure: i < Length() (invalid array index), at ../../dist/include/nsTArray.h:867

Or, easy to see with ASan, an OOB read [@ mozilla::TextRenderedRunIterator::Next]

Security-sensitive for now because bug 880925 comment 8. (That bug had the same symptoms.)
Looks like we need to watch for character data mutations in non-display text and ensure we schedule a reflow for it. We want ScheduleReflowSVGNonDisplayText to be the thing that causes the text to reflow now, not the invalidation of the rendering observer (the <mask>) since we don't synchronously reflow in UpdateGlyphPositioning any more (after bug 876831).
Assignee: nobody → cam
Status: NEW → ASSIGNED
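The failure mode described in the comment above, as a simplified model added here (not Gecko code and not the patch attached to this bug): cached per-character layout data goes stale when character data changes without a reflow being scheduled, and an index-based walk then runs past the end of the cache. All class, method and function names are hypothetical.

```cpp
#include <cstdio>
#include <string>
#include <vector>
// Simplified model, not Gecko code: text plus per-character positions
// that only a reflow recomputes. All names here are hypothetical.
class NonDisplayText {
 public:
  explicit NonDisplayText(const std::string& s) : text_(s) { Reflow(); }
  // Character data mutation. If no reflow is scheduled, positions_ keeps
  // the old length while text_ has the new one.
  void SetData(const std::string& s, bool scheduleReflow) {
    text_ = s;
    if (scheduleReflow) reflowPending_ = true;
  }
  void Reflow() {
    positions_.resize(text_.size());
    for (std::size_t i = 0; i < positions_.size(); ++i)
      positions_[i] = 10.0f * static_cast<float>(i);
    reflowPending_ = false;
  }
  // Walks the text and reads each cached position. Returns -1 where an
  // unchecked read would run past the end of positions_.
  float SumPositions() {
    if (reflowPending_) Reflow();  // flush the scheduled reflow first
    float sum = 0.0f;
    for (std::size_t i = 0; i < text_.size(); ++i) {
      if (i >= positions_.size()) return -1.0f;  // the i < Length() failure
      sum += positions_[i];
    }
    return sum;
  }
 private:
  std::string text_;
  std::vector<float> positions_;
  bool reflowPending_ = false;
};

// Grow the text from 2 to 6 characters (constructed input), then iterate.
float MutateThenWalk(bool scheduleReflow) {
  NonDisplayText t("ab");
  t.SetData("abcdef", scheduleReflow);
  return t.SumPositions();
}

int main() {
  std::printf("no reflow scheduled: %.0f\n", MutateThenWalk(false));
  std::printf("reflow scheduled:    %.0f\n", MutateThenWalk(true));
}
```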
Attachment #765778 - Flags: review?(longsonr)
Attachment #765778 - Flags: review?(longsonr) → review+
Was this a regression caused by bug 876831? That would make this Firefox 24 only.
Turns out it wasn't bug 876831, but it must have been in the same time frame. Firefox 23 is unaffected.