Closed Bug 250917 Opened 21 years ago Closed 21 years ago

source code to crash firefox [@nsImageLoader::Load]

Categories

(Core :: Layout, defect)

1.7 Branch
x86
Windows XP
defect
Not set
critical


RESOLVED DUPLICATE of bug 241300

People

(Reporter: i-net-money, Assigned: bzbarsky)


Details

(Keywords: crash)


User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040711 Firefox/0.9.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040711 Firefox/0.9.0+

I've tested it with 0.9x and the newest nightly - both of them crash. The ebay page mentioned above contains the source. But the page crashes fx instantly (after loading). To crash firefox with the isolated code some "handwork" is needed.

Here's the source (one-liner, but it can be split into several lines):

l<body bgcolor="" background="cid:">

Conditions to crash:
- there must be some output (which can be seen by the user) before the source, e.g. <a></a> will not work, but any letter does
- I only got it working in the body tag
- It doesn't matter which attribute comes first, but make sure firefox can understand it
- the background attribute must be second or later - it will also work if this attribute is the 3rd or 4th...
- the second attribute's value must be like in the source, but it doesn't matter if there are chars after the :

Some more info can be found here, in a german firefox helper forum:
http://firebird.stw.uni-duisburg.de/forum/viewtopic.php?t=5785&postdays=0&postorder=asc&start=0

It seems that Firefox only crashes under Windows. Nizzer's firefox doesn't crash (he's using linux). Busstop said that Mozilla 1.3 doesn't crash.

You can "block" this bug by installing webdeveloper toolbar (should be the right one) and blocking page colors. If the page colors are blocked firefox doesn't crash on the mentioned ebay page nor on the isolated code.

Reproducible: Always

Steps to Reproduce:
a) - the webpage
b) - the isolated code

a)
1. visit the site and wait until loading is ready

b)
1. close firefox
2. open the html file in firefox
3. minimize fx/remove focus
4. switch back

Actual Results:
a) Firefox crashes after loading
b) Firefox crashes after switching back

Expected Results:
a+b) do not crash
Was unable to reproduce in Mozilla. Sent TB421159Q for Firefox crash. See http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB421159Q for stack etc.
Summary: source code to crash firefox → source code to crash firefox [@nsImageLoader::Load]
Confirm crash, haven't checked if this is a security issue so leaving that flag still on.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Looks like possibly a dupe of bug 241300 which was fixed on the trunk but not Aviary; I'll let bz decide if he wants to dupe it or let this bug track the aviary version. Since this happens on common sites we should fix for FF1.0.

Not a security issue (bug 241300 is public), clearing security flag.

Stack from Talkback in case the server DB gets wiped again.

nsImageLoader::Load [mozilla/layout/base/src/nsImageLoader.cpp, line 100]
nsPresContext::LoadImage [mozilla/layout/base/src/nsPresContext.cpp, line 971]
nsCSSRendering::PaintBackgroundWithSC [mozilla/layout/html/style/src/nsCSSRendering.cpp, line 2864]
nsCSSRendering::PaintBackground [mozilla/layout/html/style/src/nsCSSRendering.cpp, line 2790]
nsFrame::PaintSelf [mozilla/layout/html/base/src/nsFrame.cpp, line 922]
nsHTMLContainerFrame::Paint [mozilla/layout/html/base/src/nsHTMLContainerFrame.cpp, line 87]
CanvasFrame::Paint [mozilla/layout/html/base/src/nsHTMLFrame.cpp, line 394]
PresShell::Paint [mozilla/layout/html/base/src/nsPresShell.cpp, line 5563]
nsView::Paint [mozilla/view/src/nsView.cpp, line 264]
nsViewManager::RenderDisplayListElement [mozilla/view/src/nsViewManager.cpp, line 1429]
nsViewManager::RenderViews [mozilla/view/src/nsViewManager.cpp, line 1347]
nsViewManager::Refresh [mozilla/view/src/nsViewManager.cpp, line 906]
nsViewManager::DispatchEvent [mozilla/view/src/nsViewManager.cpp, line 1878]
HandleEvent [mozilla/view/src/nsView.cpp, line 79]
nsWindow::DispatchEvent [mozilla/widget/src/windows/nsWindow.cpp, line 1067]
nsWindow::ProcessMessage [mozilla/widget/src/windows/nsWindow.cpp, line 3825]
nsWindow::WindowProc [mozilla/widget/src/windows/nsWindow.cpp, line 1349]
USER32.dll + 0x3a50 (0x77d43a50)
USER32.dll + 0x3b1f (0x77d43b1f)
USER32.dll + 0x44f5 (0x77d444f5)
USER32.dll + 0x4525 (0x77d44525)
ntdll.dll + 0x25da3 (0x77f75da3)
USER32.dll + 0x3ddf (0x77d43ddf)
nsAppShellService::Run [mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 495]
main [mozilla/browser/app/nsBrowserApp.cpp, line 58]
kernel32.dll + 0x214c7 (0x77e814c7)
Assignee: firefox → bzbarsky
Group: security
Component: General → Layout
Flags: blocking-aviary1.0?
Product: Firefox → Browser
Version: unspecified → 1.0 Branch
*** This bug has been marked as a duplicate of 241300 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Version: 1.0 Branch → 1.7 Branch
Flags: blocking-aviary1.0?
Crash Signature: [@nsImageLoader::Load]