Bug 885608 (Closed)
OOB in mozilla::TextRenderedRunIterator::Next with svg.text.css-frames.enabled and <mask>
Opened 11 years ago, closed 11 years ago
Categories: Core :: SVG, defect
Status: RESOLVED FIXED
Target Milestone: mozilla24

Tracking:

Branch | Tracking | Status
---|---|---
firefox23 | --- | unaffected
firefox24 | --- | fixed
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People: Reporter: jruderman, Assigned: heycam
Details: 5 keywords, Whiteboard: [adv-main24-]

Attachments (2 files):
272 bytes, image/svg+xml
5.35 KB, patch (longsonr: review+)
Description (reporter: jruderman)

With: user_pref("svg.text.css-frames.enabled", true);

Assertion failure: i < Length() (invalid array index), at ../../dist/include/nsTArray.h:867

Or, easy to see with ASan, an OOB read [@ mozilla::TextRenderedRunIterator::Next]

Security-sensitive for now because of bug 880925 comment 8. (That bug had the same symptoms.)
Comment 1•11 years ago (Assignee)
Looks like we need to watch for character data mutations in non-display text and ensure we schedule a reflow for it. We want ScheduleReflowSVGNonDisplayText to be the thing that causes the text to reflow now, not the invalidation of the rendering observer (the <mask>) since we don't synchronously reflow in UpdateGlyphPositioning any more (after bug 876831).
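The failure mode described in this comment is a cached layout structure (the rendered runs) that is read after the underlying character data changed without a reflow, so a run computed for the old text indexes past the end of the new text. The following is an added illustration, not Gecko code: `NonDisplayText`, `RenderedRun`, `CheckedAt`, `SetText` and the space-splitting "layout" are all hypothetical stand-ins. `CheckedAt` plays the role of nsTArray's `i < Length()` assertion, and the dirty flag set by `SetText` stands in for scheduling a reflow so the iterator rebuilds the runs before walking them.

```cpp
// Added example (not Gecko code): a cache of "rendered runs" over a text
// buffer, a bounds-checked accessor in the spirit of nsTArray's
// "invalid array index" assertion, and the dirty-flag discipline that keeps
// a stale run from indexing past the end of mutated character data.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// One rendered run: the slice [start, start + length) of the text buffer.
struct RenderedRun {
    size_t start;
    size_t length;
};

// Bounds-checked element access. nsTArray asserts i < Length(); here we
// throw so the failure is observable from a test instead of aborting.
template <typename T>
const T& CheckedAt(const std::vector<T>& arr, size_t i) {
    if (i >= arr.size()) {
        throw std::out_of_range("invalid array index");
    }
    return arr[i];
}

class NonDisplayText {
public:
    explicit NonDisplayText(const std::string& text) {
        SetTextNoReflow(text);
        Reflow();
    }

    // Rebuild the run cache from the current text: one run per
    // space-separated word (a toy stand-in for real glyph layout).
    void Reflow() {
        mRuns.clear();
        size_t start = 0;
        while (start < mText.size()) {
            size_t end = start;
            while (end < mText.size() && mText[end] != ' ') ++end;
            if (end > start) mRuns.push_back({start, end - start});
            start = end + 1;
        }
        mDirty = false;
    }

    // Buggy mutation path: replaces the characters but leaves the run cache
    // untouched, so a run computed for the old text may now exceed it.
    void SetTextNoReflow(const std::string& text) {
        mText.assign(text.begin(), text.end());
    }

    // Fixed mutation path: the character-data change marks the cache dirty
    // so the next consumer reflows before trusting any run.
    void SetText(const std::string& text) {
        SetTextNoReflow(text);
        mDirty = true;
    }

    // Walk every run and count the characters it covers, touching each one
    // through the checked accessor, as an iterator's Next() would read them.
    size_t CountRunChars(bool ensureFresh) {
        if (ensureFresh && mDirty) Reflow();
        size_t total = 0;
        for (size_t i = 0; i < mRuns.size(); ++i) {
            const RenderedRun& run = CheckedAt(mRuns, i);
            for (size_t k = 0; k < run.length; ++k) {
                (void)CheckedAt(mText, run.start + k);  // throws on stale run
                ++total;
            }
        }
        return total;
    }

private:
    std::vector<char> mText;
    std::vector<RenderedRun> mRuns;
    bool mDirty = false;
};

// Constructed scenario: shrink the text without reflowing, then iterate.
// Returns true when the stale run trips the bounds check.
bool StaleRunTripsBoundsCheck() {
    NonDisplayText t("hello world");  // runs [0,5) and [6,11)
    t.SetTextNoReflow("hi");          // buffer is now 2 chars, runs unchanged
    try {
        t.CountRunChars(false);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// Same mutation through the fixed path: the dirty flag forces a reflow and
// the iterator only ever sees runs that fit the current text.
size_t FreshRunCount() {
    NonDisplayText t("hello world");
    t.SetText("hi");
    return t.CountRunChars(true);  // runs rebuilt for "hi": 2 characters
}
```

The point the example makes is the one in the comment: the mutation itself must schedule the reflow, because nothing else (here, no invalidation from a rendering observer) is guaranteed to rebuild the run cache before the iterator reads it.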
Updated•11 years ago
Attachment #765778 Flags: review?(longsonr) → review+
Comment 2•11 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/15ecbcd8e3fc
Comment 3•11 years ago
https://hg.mozilla.org/mozilla-central/rev/15ecbcd8e3fc
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-firefox24: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Comment 4•11 years ago
Was this a regression caused by bug 876831? That would make this Firefox 24 only.
status-firefox23: --- → ?
Comment 5•11 years ago (Assignee)
Turns out it wasn't bug 876831, but it must have been in the same time frame. Firefox 23 is unaffected.
Updated•11 years ago
Whiteboard: [adv-main24-]
Updated•11 years ago
Group: core-security
Keywords: regression, sec-high
Updated•11 years ago
status-b2g18: --- → unaffected
status-firefox-esr17: --- → unaffected