885608 - OOB in mozilla::TextRenderedRunIterator::Next with svg.text.css-frames.enabled and <mask>

Status: RESOLVED FIXED

(Core :: SVG, defect)

Description

[Jesse Ruderman]

Attachment: testcase

With:
  user_pref("svg.text.css-frames.enabled", true);

Assertion failure: i < Length() (invalid array index), at ../../dist/include/nsTArray.h:867

Or, easy to see with ASan, an OOB read [@ mozilla::TextRenderedRunIterator::Next]

Security-sensitive for now because bug 880925 comment 8.  (That bug had the same symptoms.)

Comment 1

[Cameron McCormack (:heycam)]

Attachment: patch

Looks like we need to watch for character data mutations in non-display text and ensure we schedule a reflow for it.  We want ScheduleReflowSVGNonDisplayText to be the thing that causes the text to reflow now, not the invalidation of the rendering observer (the <mask>) since we don't synchronously reflow in UpdateGlyphPositioning any more (after bug 876831).

Comment 2

[Cameron McCormack (:heycam)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/15ecbcd8e3fc

Comment 3

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/15ecbcd8e3fc

Comment 4

[Al Billings [:abillings - ex-MoCo]]

Was this a regression caused by bug 876831?

That would make this Firefox 24 only.

Comment 5

[Cameron McCormack (:heycam)]

Turns out it wasn't bug 876831, but it must have been in the same time frame.  Firefox 23 is unaffected.