Bug 695037

Summary: [abrt] firefox-3.6.16-1.fc14: __libc_message: Process /usr/lib64/firefox-3.6/firefox was killed by signal 6 (SIGABRT)
Product: [Fedora] Fedora
Reporter: Ulrich Drepper <drepper>
Component: firefox
Assignee: Gecko Maintainer <gecko-bugs-nobody>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: gecko-bugs-nobody
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:e2630096e2052c488be967cf49a4ce607ce5d43b
Doc Type: Bug Fix
Last Closed: 2011-12-07 13:31:37 UTC
Attachments:
File: backtrace (flags: none)

Description Ulrich Drepper 2011-04-09 23:18:29 UTC
abrt version: 1.1.17
architecture: x86_64
Attached file: backtrace, 210673 bytes
cmdline: /usr/lib64/firefox-3.6/firefox
component: firefox
Attached file: coredump, 570810368 bytes
crash_function: __libc_message
executable: /usr/lib64/firefox-3.6/firefox
kernel: 2.6.35.11-83.fc14.x86_64
package: firefox-3.6.16-1.fc14
rating: 4
reason: Process /usr/lib64/firefox-3.6/firefox was killed by signal 6 (SIGABRT)
release: Fedora release 14 (Laughlin)
time: 1302380365
uid: 500

How to reproduce
-----
1. browser was running in the background

Comment 1 Ulrich Drepper 2011-04-09 23:18:34 UTC
Created attachment 491020
File: backtrace

Comment 2 Ulrich Drepper 2011-04-09 23:22:00 UTC
Buffer overflow in gfxTextRun::BreakAndMeasureText.  Looks dangerous.  Can be triggered remotely if it happens in page rendering.


#7  0x00000032952fa0f0 in __stack_chk_fail () at stack_chk_fail.c:29
No locals.
#8  0x0000003e626759ba in gfxTextRun::BreakAndMeasureText (this=0x7f69c33bc800, aStart=167, aMaxLength=16, aLineBreakBefore=<value optimized out>, aWidth=58920, aProvider=0x7fffc09a2e20, aSuppressInitialBreak=1, aTrimWhitespace=0x7fffc09a3010, aMetrics=0x7fffc09a2ee0, aBoundingBoxType=gfxFont::LOOSE_INK_EXTENTS, aRefContext=0x7f69b18e28c0, aUsedHyphenation=0x7fffc09a3024, aLastBreak=0x7fffc09a3028, aCanWordWrap=0, aBreakPriority=0x7fffc09a3020) at gfxFont.cpp:2579

Comment 3 Martin Stransky 2011-12-07 13:31:37 UTC
We're using the Mozilla crash reporter now; ABRT is no longer used for Firefox/Thunderbird. If you can reliably reproduce the crash (you have a testcase, reproduction steps, etc.), please reopen the bug, attach the reproduction info, and assign it directly to me (stransky).

Thanks!