Closed Bug 456727 Opened 16 years ago Closed 15 years ago

document designMode on, replace/delete HTML tag, queryCommand*('backcolor'); causes NULL pointer

Categories

(Core :: DOM: Editor, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED

People

(Reporter: u315569, Assigned: MatsPalmgren_bugz)

Details

(Keywords: crash, verified1.9.0.9, verified1.9.1, Whiteboard: [sg:dos][fixed by bug 448329])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

This HTML crashes Firefox with a NULL pointer:
<BODY onload="
document.designMode='on';
document.replaceChild(document.createElement('HTML'), document.firstChild);
document.queryCommandValue('backcolor');
">


Reproducible: Always

Steps to Reproduce:
1. Load the supplied URL in Firefox 3
 or
1. Create an HTML file with these contents:
<BODY onload="
document.designMode='on';
document.replaceChild(document.createElement('HTML'), document.firstChild);
document.queryCommandValue('backcolor');
">
2. Load the file in Firefox 3.

Actual Results:  
NULL pointer Access Violation

Expected Results:  
Normal page load, potentially with a JavaScript error.

Variation:
<BODY onload="
document.designMode='on';//string
document.removeChild(document.firstChild);//object
document.queryCommandState('BackColor');
">

Also a NULL pointer, but in a different part of the code. Likely both 'queryCommandState' and 'queryCommandValue' use the same object, which can be set to null by deleting or replacing the HTML element.
Summary: document designMode on, replace HTML tag, queryCommandValue('backcolor'); causes NULL pointer → document designMode on, replace/delete HTML tag, queryCommand*('backcolor'); causes NULL pointer
Another variation: using 'queryCommandIndeterm' gives the same result as 'queryCommandValue'.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Whiteboard: [sg:low dos]
Component: General → Editor
Product: Firefox → Core
QA Contact: general → editor
Version: unspecified → Trunk
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Flags: wanted1.9.1?
Flags: wanted1.9.1+
Flags: blocking1.9.1?
Flags: wanted1.9.0.x?
wanted1.9.0.x is good since this bug was filed into the milw0rm database today.
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.8?
Flags: blocking1.9.1?
Whiteboard: [sg:low dos] → [sg:dos]
Hmm, this doesn't seem to crash in current trunk build.
Is this a duplicate of bug 448329?
Mats: Can you confirm that the patch in bug 448329 fixes this?
Assignee: nobody → mats.palmgren
Flags: blocking1.9.1? → blocking1.9.1-
Depends on: 448329
Flags: blocking1.9.0.8? → blocking1.9.0.8+
qawanted: Please determine if the patch in bug 448329 fixes this bug.
Keywords: qawanted
I backed out bug 448329 locally and debugged this bug; both testcases (in comments 0 and 1) crashed with a null-pointer access at nsHTMLEditor.cpp:2412, which is now fixed by bug 448329.

I pushed the tests:
http://hg.mozilla.org/mozilla-central/rev/d3ce1f2c44bb
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/4ad867d7a548
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Keywords: qawanted
OS: Windows Vista → All
Hardware: x86 → All
Resolution: --- → FIXED
Before checkin of bug 448329 on 1.9.1, the testcase clearly crashes immediately. It does not crash after the checkin, confirming what Mats says.
Whiteboard: [sg:dos] → [sg:dos][fixed by bug 448329]
Adding fixed1.9.0.8, fixed1.9.1 since bug 448329 is, to avoid this bug showing up in queries.
The variation from comment 1 was uploaded to milw0rm by Aditya K Sood (secniche.org) with no credit to SkyLined or mention of this bug:
http://www.milw0rm.com/exploits/8219
Verified for 1.9.0.8 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8pre) Gecko/2009031604 GranParadiso/3.0.8pre. Definitely crashes earlier 1.9.0 versions.

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090316 Shiretoko/3.1b4pre
Hm, this was already on milw0rm as http://www.milw0rm.com/exploits/8091

The title for 8219 says "onbeforeunload" but the testcase itself uses onload like 8091 (and is otherwise identical except for two added alerts).
Showed up in milw0rm too.
This doesn't crash using Firefox 2.0.0.20.
Flags: wanted1.8.1.x-