424300 - Crash [@ nsHTMLEditRules::WillDeleteSelection]

Status: RESOLVED FIXED

(Core :: DOM: Editor, defect)

Description

[Jesse Ruderman]

Attachment: testcase (crashes Firefox when loaded)

Crashes in nsHTMLEditRules::WillDeleteSelection because leftParent is null and rightParent is not (it is an nsHTMLBodyElement).

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(I just tested this on mozilla-central latest-trunk nightly build on WinXP SP3)

Turning security-sensitive and blocking1.9.1? just to be safe as !exploitable shows this to be PROBABLY_EXPLOITABLE.

0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** WARNING: Unable to verify checksum for C:\Documents and Settings\Administrator\Desktop\firefox\js3250.dll
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:105f2668 mov edx,dword ptr [eax]

Basic Block:
    105f2668 mov edx,dword ptr [eax]
       Tainted Input Operands: eax
    105f266a push ecx
    105f266b mov ecx,eax
       Tainted Input Operands: eax
    105f266d call dword ptr [edx+44h]
       Tainted Input Operands: ecx, edx

Exception Hash (Major/Minor): 0x2f222a7a.0x440b1d43

Stack Trace:
xul!nsWSRunObject::GetNextWSNode+0x7f
xul!nsWSRunObject::GetNextWSNode+0x33
xul!nsWSRunObject::GetWSNodes+0x4de
xul!nsWSRunObject::nsWSRunObject+0x7b
xul!nsWSRunObject::PrepareToDeleteRange+0x86
xul!nsHTMLEditRules::WillDeleteSelection+0xf9c
xul!nsHTMLEditRules::WillDoAction+0x266
xul!nsPlaintextEditor::DeleteSelection+0x146
xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x71
xul!nsHTMLEditor::InsertElementAtSelection+0x111
xul!nsInsertTagCommand::DoCommandParams+0x27f
xul!nsControllerCommandTable::DoCommandParams+0x4b
xul!nsBaseCommandController::DoCommandWithParams+0x67
xul!nsCommandManager::DoCommand+0x73
xul!nsHTMLDocument::ExecCommand+0x264
xul!NS_InvokeByIndex_P+0x27
xul!XPCWrappedNative::CallMethod+0x4fb
xul!NS_NewAtom+0x46
xul!nsCOMPtr_base::~nsCOMPtr_base+0xe
xul!nsDocumentSH::NewResolve+0x78
xul!nsHTMLDocumentSH::NewResolve+0x83
xul!XPCCallContext::XPCCallContext+0x118
xul!XPC_WN_CallMethod+0x114
js3250!js_Interpret+0x31d0
xul!XPCWrappedNative::GetNewOrUsed+0x749
xul!XPCConvert::NativeInterface2JSObject+0x193
xul!XPCConvert::NativeInterface2JSObject+0x274
Instruction Address: 0x105f2668

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at xul!nsWSRunObject::GetNextWSNode+0x7f (Hash=0x2f222a7a.0x440b1d43)

The data from the faulting address is later used as the target for a branch.

Comment 2

[Olli Pettay [:smaug][bugs@pettay.fi]]

Attachment: null check

Yet another null check fix. This requires the patch for bug 481139.

I'm not quite happy to this fix, since this leaves ###!!! ASSERTION: bad action nesting!: 'mActionNesting>0' assertion.
But fixing that would require larger changes. Rearchitecting editor for 1.9.1
doesn't sound too good idea.
Peter, any comments?

Comment 3

[Peter Van der Beken [:peterv]]

Hmm, if leftParent is null then mHTMLEditor->GetBlockNodeParent(startNode) returned null? What is startNode?

Comment 4

[Olli Pettay [:smaug][bugs@pettay.fi]]

startNode is #document.

Comment 5

[Olli Pettay [:smaug][bugs@pettay.fi]]

http://hg.mozilla.org/mozilla-central/rev/5d9d6c5d237f