Bug 695037 - [abrt] firefox-3.6.16-1.fc14: __libc_message: Process /usr/lib64/firefox-3.6/firefox was killed by signal 6 (SIGABRT)
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 14
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Gecko Maintainer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:e2630096e2052c488be967cf49a...
Depends On:
Blocks:
Reported: 2011-04-09 23:18 UTC by Ulrich Drepper
Modified: 2011-12-07 13:31 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-07 13:31:37 UTC
Type: ---


Attachments
File: backtrace (205.74 KB, text/plain)
2011-04-09 23:18 UTC, Ulrich Drepper

Description Ulrich Drepper 2011-04-09 23:18:29 UTC
abrt version: 1.1.17
architecture: x86_64
Attached file: backtrace, 210673 bytes
cmdline: /usr/lib64/firefox-3.6/firefox
component: firefox
Attached file: coredump, 570810368 bytes
crash_function: __libc_message
executable: /usr/lib64/firefox-3.6/firefox
kernel: 2.6.35.11-83.fc14.x86_64
package: firefox-3.6.16-1.fc14
rating: 4
reason: Process /usr/lib64/firefox-3.6/firefox was killed by signal 6 (SIGABRT)
release: Fedora release 14 (Laughlin)
time: 1302380365
uid: 500

How to reproduce
-----
1. browser was running in the background

Comment 1 Ulrich Drepper 2011-04-09 23:18:34 UTC
Created attachment 491020
File: backtrace

Comment 2 Ulrich Drepper 2011-04-09 23:22:00 UTC
Buffer overflow in gfxTextRun::BreakAndMeasureText.  Looks dangerous.  Can be triggered remotely if it happens in page rendering.


#7  0x00000032952fa0f0 in __stack_chk_fail () at stack_chk_fail.c:29
No locals.
#8  0x0000003e626759ba in gfxTextRun::BreakAndMeasureText (this=0x7f69c33bc800, aStart=167, aMaxLength=16, aLineBreakBefore=<value optimized out>, aWidth=58920, aProvider=0x7fffc09a2e20, aSuppressInitialBreak=1, aTrimWhitespace=0x7fffc09a3010, aMetrics=0x7fffc09a2ee0, aBoundingBoxType=gfxFont::LOOSE_INK_EXTENTS, aRefContext=0x7f69b18e28c0, aUsedHyphenation=0x7fffc09a3024, aLastBreak=0x7fffc09a3028, aCanWordWrap=0, aBreakPriority=0x7fffc09a3020) at gfxFont.cpp:2579

Comment 3 Martin Stransky 2011-12-07 13:31:37 UTC
We're using the Mozilla crash reporter now; ABRT is no longer used for Firefox/Thunderbird. If you can reliably reproduce the crash (you have a testcase, reproduction steps, etc.), please reopen the bug, attach the reproduction info, and assign it directly to me (stransky).

Thanks!

