Closed Bug 236436 Opened 20 years ago Closed 20 years ago

Browser crashes during XMLHttpRequest with null URL

Categories

(Core :: XML, defect)

Hardware: x86
OS: All
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla1.7beta

People

(Reporter: bugzilla, Assigned: hjtoi-bugzilla)

Details

(Keywords: crash, testcase, Whiteboard: TB30990334H)

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; cs-CZ; rv:1.6) Gecko/20040113
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; cs-CZ; rv:1.6) Gecko/20040113

Create new XMLHttpRequest and call open() with null URL:

xmlreq = new XMLHttpRequest();
xmlreq.open("GET", null); // <- Mozilla crashes!!!

Probably the URL parameter is not properly checked in nsXMLHttpRequest::Open()
http://lxr.mozilla.org/mozilla/source/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp#719

xref: bug #230310

Reproducible: Always
Steps to Reproduce:
Attached file Testcase
Confirming using actual nightbuild and 1.7a on W2K and last month's nightbuild
on Linux - all are crashing.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, testcase
OS: Windows 2000 → All
Whiteboard: TB30990334H
And to be more precise, it crashes right here:

http://lxr.mozilla.org/mozilla/source/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp#749

748     nsCOMPtr<nsIURI> targetURI;
749     rv = NS_NewURI(getter_AddRefs(targetURI), url, mBaseURI);
750     if (NS_FAILED(rv)) return NS_ERROR_FAILURE;

with callstack:

NTDLL! 77fa144b()
nsDebugImpl::Assertion(nsDebugImpl * const 0x00266d08, const char * 0x100f6a60
`string', const char * 0x100f6974 `string', const char * 0x100f697c `string',
int 133) line 276
nsDebug::Assertion(const char * 0x100f6a60 `string', const char * 0x100f6974
`string', const char * 0x100f697c `string', int 133) line 109
nsDependentCString::Rebind(const char * 0x00000000) line 133 + 31 bytes
nsDependentCString::nsDependentCString(const char * 0x00000000) line 179 + 47 bytes
NS_NewURI(nsIURI * * 0x0012da88, const char * 0x00000000, nsIURI * 0x034c5760,
nsIIOService * 0x00000000) line 136 + 23 bytes
nsXMLHttpRequest::Open(nsXMLHttpRequest * const 0x03444028, const char *
0x0337d2a0, const char * 0x00000000) line 756 + 47 bytes
...
...
...
Missing a null pointer check I think, have a fix. Have not yet compiled to make
sure.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.7beta
Comment on attachment 143093
fix

Confirmed that it indeed fixes the crash, so just a trivial null pointer check.
Attachment #143093 - Flags: superreview?(jst)
Attachment #143093 - Flags: review?(jst)
Comment on attachment 143093
fix

r+sr=jst
Attachment #143093 - Flags: superreview?(jst)
Attachment #143093 - Flags: superreview+
Attachment #143093 - Flags: review?(jst)
Attachment #143093 - Flags: review+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
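
The failure mode in the callstack above, shown as an added example that is not part of this bug report and is not Mozilla's code or patch: a string wrapper that requires a non-null pointer receives a script-supplied null, and the entry point rejects it before the wrapper is built. All names (DependentCString, NewURI, OpenUnchecked, OpenChecked, Status) are hypothetical stand-ins, and returning an invalid-argument status is an assumption, since the attached fix is not shown on this page.

```cpp
// Added illustration: all names here are hypothetical stand-ins, not Mozilla code.
#include <cstddef>
#include <cstring>
#include <string>

enum class Status { Ok, Failure, InvalidArg };

// Stand-in for a "dependent" string: it borrows a C string and measures it
// on construction, so its precondition is a non-null pointer.
class DependentCString {
public:
    explicit DependentCString(const char* data)
        : mData(data), mLength(std::strlen(data)) {}  // undefined behaviour when data is null
    const char* Data() const { return mData; }
    std::size_t Length() const { return mLength; }
private:
    const char* mData;
    std::size_t mLength;
};

// Stand-in for URI construction: an empty spec is an error.
Status NewURI(std::string* out, const DependentCString& spec) {
    if (spec.Length() == 0) return Status::Failure;
    out->assign(spec.Data(), spec.Length());
    return Status::Ok;
}

// Unchecked shape: a null url reaches the string constructor and crashes there.
Status OpenUnchecked(const char* method, const char* url, std::string* target) {
    (void)method;
    return NewURI(target, DependentCString(url));
}

// Checked shape: caller-supplied pointers are validated at the API boundary,
// so the helper's non-null precondition always holds.
Status OpenChecked(const char* method, const char* url, std::string* target) {
    if (!method || !url || !target) return Status::InvalidArg;
    return NewURI(target, DependentCString(url));
}

int main() {
    std::string target;
    // Same call shape as the testcase: open("GET", null).
    return OpenChecked("GET", nullptr, &target) == Status::InvalidArg ? 0 : 1;
}
```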