Closed Bug 83722 Opened 23 years ago Closed 23 years ago

embedding widget will crash with generated content, file:/// as base url and an <img> tag in the document

Categories

(Core Graveyard :: Embedding: GTK Widget, defect)

x86
Linux
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED
mozilla0.9.1

People

(Reporter: blizzard, Assigned: blizzard)

Details

(Keywords: crash, Whiteboard: critical for mozilla 0.9.1, a=chofmann)

This crash was reported to me out of band and I don't have an easy test case
that I can just put in the bug.

Anyway, if you use the streaming methods in the embedding widget to render
content that includes an image tag you would get a crash in the nsStdURL code. 
The problem is that the embedding code uses a Simple URI instead of a Standard
URI so when you try and resolve the relative image path against the base uri
handler the simple uri handler just dups the bad relative string instead of
re-resolving it.

You end up with a null scheme after the parse and in a comparison it falls over
because in nsStdURL::SchemeIs() mScheme is null and this code dereferences it:

    // mScheme is guaranteed to be lower case.
    if (*i_Scheme == *mScheme || *i_Scheme == (*mScheme - ('a' - 'A')) ) {
        *o_Equals = PL_strcasecmp(mScheme, i_Scheme) ? PR_FALSE : PR_TRUE;
    } else {
        *o_Equals = PR_FALSE;
    }

Anyway, the solution to the crash is simple.  Just use a standard URL instead of
a simple one.

Index: EmbedStream.cpp
===================================================================
RCS file: /cvsroot/mozilla/embedding/browser/gtk/src/EmbedStream.cpp,v
retrieving revision 1.5
diff -u -r1.5 EmbedStream.cpp
--- EmbedStream.cpp     2001/04/10 05:59:23     1.5
+++ EmbedStream.cpp     2001/06/01 21:56:24
@@ -37,8 +37,6 @@
 
 NS_IMPL_ISUPPORTS1(EmbedStream, nsIInputStream)
 
-static NS_DEFINE_CID(kSimpleURICID,            NS_SIMPLEURI_CID);
-
 EmbedStream::EmbedStream()
 {
   NS_INIT_REFCNT();
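Review bot: With the kSimpleURICID definition removed near the top of the file, check that nothing else in EmbedStream.cpp still refers to it. If this was the only user of NS_SIMPLEURI_CID, also drop the include that supplied it; the patch shows no include changes.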
@@ -108,7 +106,7 @@
 
   // create a new uri object
   nsCOMPtr<nsIURI> uri;
-  uri = do_CreateInstance(kSimpleURICID, &rv);
+  uri = do_CreateInstance(NS_STANDARDURL_CONTRACTID, &rv);
   if (NS_FAILED(rv))
     return rv;
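Review bot: The do_CreateInstance(NS_STANDARDURL_CONTRACTID, &rv) line has no comment saying why a standard URL is required here. Extending "// create a new uri object" with a note that relative references (such as an <img> path) must resolve against this base would keep someone from swapping the simple URI back in later. The patch also adds no #include, so confirm the header that defines NS_STANDARDURL_CONTRACTID is already pulled in by this file.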
Status: NEW → ASSIGNED
Whiteboard: critical for mozilla 0.9.1, waiting for r=, sr=, a=
Target Milestone: --- → mozilla0.9.1
r=valeski
sr=tor
Keywords: crash
Whiteboard: critical for mozilla 0.9.1, waiting for r=, sr=, a= → critical for mozilla 0.9.1, waiting for a=
a=chofmann
Whiteboard: critical for mozilla 0.9.1, waiting for a= → critical for mozilla 0.9.1, a=chofmann
Checked in on the branch and tip.  Thanks, guys.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard
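The null-scheme dereference described in the report, reduced to a stand-alone C++ sketch with a guarded comparison beside it. This is an added example, not Mozilla code: ToyUrl, scheme_is_unchecked and scheme_is_checked are hypothetical names, and the scheme parsing is a simplified stand-in for the real URL parser.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <strings.h>  // strcasecmp (POSIX)

// Hypothetical stand-in for a URL object: scheme() is null when the
// spec carries no scheme, as with a bare relative path.
struct ToyUrl {
    std::string scheme_buf;
    bool has_scheme = false;

    explicit ToyUrl(const std::string& spec) {
        std::size_t colon = spec.find(':');
        if (colon == std::string::npos || colon == 0) return;
        if (!std::isalpha(static_cast<unsigned char>(spec[0]))) return;
        for (std::size_t i = 1; i < colon; ++i) {
            unsigned char c = static_cast<unsigned char>(spec[i]);
            if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') return;
        }
        scheme_buf = spec.substr(0, colon);
        for (char& ch : scheme_buf)
            ch = static_cast<char>(std::tolower(static_cast<unsigned char>(ch)));
        has_scheme = true;
    }
    const char* scheme() const {
        return has_scheme ? scheme_buf.c_str() : nullptr;
    }
};

// Same shape as the comparison quoted in the report: it reads *scheme
// unconditionally, so a null scheme is a null-pointer dereference.
bool scheme_is_unchecked(const ToyUrl& url, const char* wanted) {
    const char* scheme = url.scheme();
    if (*wanted == *scheme || *wanted == (*scheme - ('a' - 'A')))
        return strcasecmp(scheme, wanted) == 0;
    return false;
}

// Guarded form: a missing scheme (or argument) means "no match".
bool scheme_is_checked(const ToyUrl& url, const char* wanted) {
    const char* scheme = url.scheme();
    if (!wanted || !scheme) return false;
    return strcasecmp(scheme, wanted) == 0;
}
```

The unchecked function is only safe to call when a scheme was parsed; the guarded one can be called on any input, including a relative path such as the constructed sample "images/logo.png".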