<xsl:output method="text"/> triggers an assertion in debug builds.

RESOLVED FIXED in Firefox 45

Status

defect
RESOLVED FIXED
4 years ago
2 years ago

People

(Reporter: baku, Assigned: peterv)

Tracking

({sec-low})

Trunk
mozilla45
Points:
---

Firefox Tracking Flags

(firefox43 affected, firefox45 fixed)

Details

(Whiteboard: [post-critsmash-triage][adv-main45+])

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
A crashtest to reproduce this issue is coming soon.
(Reporter)

Updated

4 years ago
Group: dom-core-security
(Reporter)

Comment 1

4 years ago
Posted patch: crash.patch
ASSERTION: Bad readystate: 'mDocument->IsXULDocument() || mDocument->GetReadyStateEnum() == nsIDocument::READYSTATE_INTERACTIVE || (mDocument->GetReadyStateEnum() == nsIDocument::READYSTATE_UNINITIALIZED && NS_IsAboutBlank(mDocument->GetDocumentURI()))', file /home/baku/Sources/m/sw/src/layout/base/nsDocumentViewer.cpp, line 974
Does that patch crash, or just assert? I think this might be a dup.
(Reporter)

Comment 3

4 years ago
It could be a dup, I didn't actually check. The test asserts, and in debug builds it crashes.
Where does it crash? Since if there is a crash, that is something new.
(the assertion is NS_ASSERTION and that shouldn't crash by default)
(Reporter)

Comment 6

4 years ago
You are right, it asserts.
How bad is this assertion?
(Reporter)

Updated

4 years ago
Flags: needinfo?(peterv)
(Assignee)

Comment 8

4 years ago
Posted patch: v1
Looks like an oversight that this code wasn't added to txMozillaTextOutput (it was added in txMozillaXMLOutput). I looked into sharing code between them but it's not trivial.
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Flags: needinfo?(peterv)
Attachment #8664777 - Flags: review?(bzbarsky)
(Assignee)

Comment 9

4 years ago
And I have no idea if hitting the assertion is bad in this case.
Comment on attachment 8664777 (v1)

Review of attachment 8664777:
-----------------------------------------------------------------

Stealing. Feel free to ask bz for review as well if you want though.
Attachment #8664777 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 11

4 years ago
So is having the readyState enum be READYSTATE_UNINITIALIZED a security bug?
Flags: needinfo?(bzbarsky)
I don't actually know offhand.  :(  I want to say "no".
Flags: needinfo?(bzbarsky)
Peter: can this patch land? Then we don't have to worry whether it's exploitable.
Flags: needinfo?(peterv)
Keywords: sec-low
https://hg.mozilla.org/mozilla-central/rev/407dff8daf62
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
Group: dom-core-security → core-security-release
(Assignee)

Updated

3 years ago
Duplicate of this bug: 1243327
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main45+]
Group: core-security-release
(Assignee)

Updated

2 years ago
Depends on: 1330492