Bug 424300 - Crash [@ nsHTMLEditRules::WillDeleteSelection]
Status: RESOLVED FIXED (Closed)
Opened 16 years ago, closed 15 years ago
Categories: Core :: DOM: Editor, defect
People: Reporter: jruderman, Assigned: smaug
Keywords: crash, testcase
Whiteboard: [sg:critical?]

Attachments (2 files)
507 bytes, text/html
878 bytes, patch (peterv: review+, peterv: superreview+)
Crashes in nsHTMLEditRules::WillDeleteSelection because leftParent is null and rightParent is not (it is an nsHTMLBodyElement).
Comment 1•15 years ago
(I just tested this on the mozilla-central latest-trunk nightly build on WinXP SP3.) Turning security-sensitive and blocking1.9.1? just to be safe, as !exploitable shows this to be PROBABLY_EXPLOITABLE.

0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** WARNING: Unable to verify checksum for C:\Documents and Settings\Administrator\Desktop\firefox\js3250.dll
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:105f2668 mov edx,dword ptr [eax]

Basic Block:
    105f2668 mov edx,dword ptr [eax]
       Tainted Input Operands: eax
    105f266a push ecx
    105f266b mov ecx,eax
       Tainted Input Operands: eax
    105f266d call dword ptr [edx+44h]
       Tainted Input Operands: ecx, edx

Exception Hash (Major/Minor): 0x2f222a7a.0x440b1d43

Stack Trace:
xul!nsWSRunObject::GetNextWSNode+0x7f
xul!nsWSRunObject::GetNextWSNode+0x33
xul!nsWSRunObject::GetWSNodes+0x4de
xul!nsWSRunObject::nsWSRunObject+0x7b
xul!nsWSRunObject::PrepareToDeleteRange+0x86
xul!nsHTMLEditRules::WillDeleteSelection+0xf9c
xul!nsHTMLEditRules::WillDoAction+0x266
xul!nsPlaintextEditor::DeleteSelection+0x146
xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x71
xul!nsHTMLEditor::InsertElementAtSelection+0x111
xul!nsInsertTagCommand::DoCommandParams+0x27f
xul!nsControllerCommandTable::DoCommandParams+0x4b
xul!nsBaseCommandController::DoCommandWithParams+0x67
xul!nsCommandManager::DoCommand+0x73
xul!nsHTMLDocument::ExecCommand+0x264
xul!NS_InvokeByIndex_P+0x27
xul!XPCWrappedNative::CallMethod+0x4fb
xul!NS_NewAtom+0x46
xul!nsCOMPtr_base::~nsCOMPtr_base+0xe
xul!nsDocumentSH::NewResolve+0x78
xul!nsHTMLDocumentSH::NewResolve+0x83
xul!XPCCallContext::XPCCallContext+0x118
xul!XPC_WN_CallMethod+0x114
js3250!js_Interpret+0x31d0
xul!XPCWrappedNative::GetNewOrUsed+0x749
xul!XPCConvert::NativeInterface2JSObject+0x193
xul!XPCConvert::NativeInterface2JSObject+0x274
Instruction Address: 0x105f2668

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at xul!nsWSRunObject::GetNextWSNode+0x7f (Hash=0x2f222a7a.0x440b1d43)

The data from the faulting address is later used as the target for a branch.
Group: core-security
Flags: blocking1.9.1?
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [sg:critical?]
Updated•15 years ago
Assignee: nobody → Olli.Pettay
Comment 2•15 years ago
Yet another null check fix. This requires the patch for bug 481139. I'm not quite happy with this fix, since it leaves the ###!!! ASSERTION: bad action nesting!: 'mActionNesting>0' assertion. But fixing that would require larger changes. Rearchitecting the editor for 1.9.1 doesn't sound like too good an idea. Peter, any comments?
Attachment #369880 - Flags: superreview?(peterv)
Attachment #369880 - Flags: review?(peterv)
Flags: blocking1.9.1? → wanted1.9.1+
Comment 3•15 years ago
Hmm, if leftParent is null then mHTMLEditor->GetBlockNodeParent(startNode) returned null? What is startNode?
Comment 4•15 years ago
startNode is #document.
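The shape of the bug, as an added C++ illustration that is neither Mozilla's editor code nor the patch attached to this bug: a virtual call made through a null object pointer compiles to "load the vtable pointer from *this, then call through a slot of that table", which is the mov edx,dword ptr [eax] / call dword ptr [edx+44h] pair in comment 1 and the reason !exploitable says the data at the faulting address controls code flow. The Node and SimpleNode classes, the four-node tree, GetBlockNodeParent, CompareBlocksUnchecked and CompareBlocksChecked are all constructed here; the names echo the comments, but their bodies are hypothetical. The unchecked version is shown for contrast only and is never called, because on the bug's input (start node = #document, so no block parent) it dereferences null.

```cpp
// Constructed stand-in for a DOM node (not Gecko's nsIDOMNode). The virtual
// methods are what matter: node->IsBlock() becomes
//   mov edx,dword ptr [eax]     ; eax == this; with this == 0 this is the read AV
//   call dword ptr [edx+44h]    ; branch target taken from whatever was read
// so a null `this` is a read through address 0 followed by an indirect call
// through data fetched from that read.
class Node {
public:
    virtual ~Node() = default;
    virtual Node* GetParent() const = 0;
    virtual bool IsBlock() const = 0;
};

class SimpleNode : public Node {
public:
    SimpleNode(Node* parent, bool isBlock) : mParent(parent), mIsBlock(isBlock) {}
    Node* GetParent() const override { return mParent; }
    bool IsBlock() const override { return mIsBlock; }
private:
    Node* mParent;
    bool mIsBlock;
};

// Hypothetical counterpart of GetBlockNodeParent(): nearest block-level
// ancestor of `node`, or nullptr if there is none. #document has no ancestor
// at all, so for it this legitimately returns nullptr (comments 3 and 4).
Node* GetBlockNodeParent(const Node* node) {
    if (!node) return nullptr;
    for (Node* p = node->GetParent(); p; p = p->GetParent()) {
        if (p->IsBlock()) return p;
    }
    return nullptr;
}

enum class BlockRelation { kSameBlock, kDifferentBlocks, kNoBlockParent };

// "Before": the caller assumes both block parents exist. With leftParent ==
// nullptr the virtual call is the null vtable read from the crash report.
// Never invoked in this example; calling it with start == &gDocument crashes.
BlockRelation CompareBlocksUnchecked(const Node* start, const Node* end) {
    Node* leftParent = GetBlockNodeParent(start);
    Node* rightParent = GetBlockNodeParent(end);
    (void)leftParent->IsBlock();   // virtual call through a possibly-null this
    return leftParent == rightParent ? BlockRelation::kSameBlock
                                     : BlockRelation::kDifferentBlocks;
}

// "After": the null-check shape of the fix. Decide what a missing block
// parent means (here: refuse to proceed) before any method is invoked on it.
BlockRelation CompareBlocksChecked(const Node* start, const Node* end) {
    Node* leftParent = GetBlockNodeParent(start);
    Node* rightParent = GetBlockNodeParent(end);
    if (!leftParent || !rightParent) return BlockRelation::kNoBlockParent;
    return leftParent == rightParent ? BlockRelation::kSameBlock
                                     : BlockRelation::kDifferentBlocks;
}

// Constructed tree mirroring the report: the selection starts at #document
// (no block parent) while the other endpoint's block parent is <body>.
SimpleNode gDocument(nullptr, false);
SimpleNode gBody(&gDocument, true);
SimpleNode gPara(&gBody, true);
SimpleNode gText(&gPara, false);
```

The check is cheap and local, which is why a "yet another null check" fix is the pragmatic choice in comment 2; the remaining assertion about action nesting is a separate question of why the editor was asked to delete a selection rooted at #document in the first place.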
Updated•15 years ago
Attachment #369880 - Flags: superreview?(peterv) → superreview+
Attachment #369880 - Flags: review?(peterv) → review+
Comment 5•15 years ago
http://hg.mozilla.org/mozilla-central/rev/5d9d6c5d237f
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•13 years ago
Crash Signature: [@ nsHTMLEditRules::WillDeleteSelection]
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release