Bug 327066: document.createEvent('TextEvent') crashes
Closed (opened 18 years ago, closed 18 years ago)
Categories: Core :: DOM: Events, defect, P1
Tracking: RESOLVED FIXED, mozilla1.9alpha1
People: Reporter: bugzilla.mozilla.org-3, Assigned: mrbkap
Details: 4 keywords, Whiteboard: [sg:nse][rft-dl]
Attachments (2 files):
1.65 KB, patch (jst: review+, jst: superreview+, jst: approval-branch-1.8.1+, dveditz: approval1.8.0.2+)
2.93 KB, patch
Steps to reproduce (WARNING! This will crash your browser):
1. Click on above URL
2. Crash and burn
TB IDs from a recent 1.8 nightly: TB15134809G, TB15134839Y, TB15134942E
Also happens with FF 1.5.0.1.
Comment 1 • 18 years ago (Assignee)
This is a null pointer dereference in the event code, it's not exploitable, so clearing the security group flag. This is a regression from bug 238773. I have a fix.
Assignee: nobody → events
Group: security
Component: General → DOM: Events
Keywords: regression, testcase
OS: Windows 2000 → All
Priority: -- → P1
Product: Firefox → Core
QA Contact: general → ian
Hardware: PC → All
Whiteboard: [sg:nse]
Target Milestone: --- → mozilla1.9alpha
Version: 1.5 Branch → Trunk
Comment 2 • 18 years ago (Assignee)
This is a diff -w (to account for some whitespace inconsistencies below the patch). Presumably, the old code set aEvent early, whereas this moved code doesn't bother (and instead sets mEvent). This patch simply uses mEvent, which is set to aEvent if that isn't null, and a new event otherwise.
Assignee: events → mrbkap
Status: NEW → ASSIGNED
Attachment #211787 - Flags: superreview?(jst)
Attachment #211787 - Flags: review?(jst)
Comment 3 • 18 years ago
Comment on attachment 211787 (Fix)
r+sr=jst
Attachment #211787 - Flags: superreview?(jst)
Attachment #211787 - Flags: superreview+
Attachment #211787 - Flags: review?(jst)
Attachment #211787 - Flags: review+
Comment 4 • 18 years ago (Assignee)
For the record, this is what I just checked in.
Comment 5 • 18 years ago (Assignee)
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 6 • 18 years ago (Assignee)
Comment on attachment 211787 (Fix)
This is a pretty trivial null-defense fix...
Attachment #211787 - Flags: approval1.8.0.2?
Attachment #211787 - Flags: approval-branch-1.8.1?(jst)
Updated • 18 years ago (Assignee)
Blocks: nsdomevent_separate
Updated • 18 years ago
Attachment #211787 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Updated • 18 years ago
Flags: blocking1.8.0.2+
Comment 7 • 18 years ago
Comment on attachment 211787 (Fix)
approved for 1.8.0 branch, a=dveditz
Attachment #211787 - Flags: approval1.8.0.2? → approval1.8.0.2+
Comment 8 • 18 years ago (Assignee)
Fix checked into the 1.8 branches, though I neglected to mention my a= in the checkin comment.
Keywords: fixed1.8.0.2, fixed1.8.1
Updated • 18 years ago
Whiteboard: [sg:nse] → [sg:nse][rft-dl]
Comment 9 • 18 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1, no crash with js event in URL bar.
Keywords: fixed1.8.0.2 → verified1.8.0.2