Maliciously crafted data triggers firefox to crash immediately
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
People
(Reporter: sinha.aryan11, Assigned: masayuki)
References
Details
(Keywords: crash, csectype-dos, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main99+])
Crash Data
Attachments
(2 files)
Summary:
I was testing another website during which I came across this vulnerability in Firefox, I confirmed that whether it is happening in any other browser, strangely I found that only Firefox, Developer, and Nightly are crashing. Hence I believe this is a bug at the Mozilla's Firefox end.
Description:
I was testing Atlassian (JIRA) and found that tickets with a really small specific certain data lead firefox to crash immediately, when ctrl+A is pressed over them.
Sharing my Atlassian test a/c creds to quickly validate the issue. Attaching a video POC as well.
Login URL: https://id.atlassian.com/login
Email: aryan_sinha21@bugcrowdninja.com
Password: z4HGd9XEssTy54T
Reproduction Steps:
I have already created a ticket with data causing the firefox to crash, you can access it by:
- Once you log in with the creds that I mentioned. Go to- https://aryansinha.atlassian.net/browse/TES-3
- Scroll down the page, find the table in which I have listed the data along with multiple other tables. Click over that table with listed data and press ctrl+A. Firefox will immediately crash.
I have tested this in the following FIrefox's browser clients- Firefox, Developer, and Nightly.
Well honestly I would say I am not sure what led the firefox to crash, it was just the observation. Hence I would request the team to investigate the same at your end.
Thanks!
|
||
Comment 1•3 years ago
•
|
||
Please tick the checkbox to enable sending us crash reports, send us a crash report, and then link it in a comment here (ideally from Nightly).
|
Reporter | |
Comment 2•3 years ago
|
||
Hi Gijs,
Please find the crash report here- https://crash-stats.mozilla.org/report/index/4f5822b4-a95b-41aa-a84a-39a140211117
Let me know if I can help with any other information, Thanks..!!
|
||
Comment 3•3 years ago
|
||
The crash stack looks IME related.
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
||
Comment 4•3 years ago
|
||
Bug 1729003 is a preexisting bug on this crash signature.
Looking at crash stats, there are around 1300 crash with this signature and NotifyIME in the proto signature, for what that is worth.
|
|
Reporter | |
Comment 5•3 years ago
|
||
Thanks for the information Andrew. Are we in a process to fix this bug? As this could be a security problem as there are multiple ways to trigger this on victims' browser, one of such is javascript code snippets to trick victim process ctrl+A.
|
|
||
Comment 6•3 years ago
|
||
Yes, hopefully somebody can look at it. Generally speaking, crashing the browser is usually not a severe security issue, because users can restart the browser and just not visit the web page again, but we do try to avoid crashes.
|
||
Comment 7•3 years ago
|
||
This doesn't look like a security issue to me either, but it's a __fastfail() crash which we wouldn't have caught just a few months ago. It's bad enough that Windows thinks the process is compromised beyond redemption.
We are deep in Microsoft code at the point where the crash occurs, but given that most of the functions on the stack look like wrappers it might be that we're feeding Windows IME some malformed data. My Windows knowledge in this area is limited; Msayuki, Makoto can you please help us debug this issue? I'm sure you're more familiar with this code than I am.
|
||
Comment 8•3 years ago
|
||
My understand is that FastFailExcetion means that exception handler cannot catch an exception. General reason is that stack is corrupt, then Windows cannot look for exception handler.
So I guess that this is Microsoft's TSF bug on Windows 10 20H2+?
|
Assignee | |
Comment 9•3 years ago
|
||
6 textinputframework.dll long CQueryTextAsync::Then(class std::function<long (long, struct MsgString*)) cfi
7 textinputframework.dll long TextInputClient::NotifyTextChangedInternal(class ClientOwnerRegistration*, int, int, int, int, int, struct EditOperationInfo&, unsigned char, unsigned char) cfi
It seems that TSF queried text, selection, text extent etc in TextInputClient::NotifyTextChangedInternal. So it could be the direct cause of the crash what we return. However, TSF shouldn't crash even if apps return odd result. Before asking MS, we shold get a log of TSFTextStore and investigate what happens.
|
|
||
Comment 10•3 years ago
|
||
I might be able to extract some information from the minidump by opening in VS if that could be useful. What would we be looking for? The parameters we passed into the textinputframework.dll calls?
|
|
Assignee | |
Comment 11•3 years ago
|
||
Here is a log after selection change notification:
I/ContentCacheWidgets 0x1aa68d95b10 AssignContent(aNotification=NOTIFY_IME_OF_SELECTION_CHANGE), Succeeded, mText.Length()=1816, mSelection={ mAnchor=0, mFocus=1816, mWritingMode=h-ltr, mAnchorCharRects[eNextCharRect]=(x=451, y=-95, w=1, h=24), mFocusCharRects[ePrevCharRect]=(x=452, y=3524, w=1, h=24), mFocusCharRects[eNextCharRect]=(x=452, y=3524, w=1, h=24), mRect=(x=452, y=-91, w=895, h=3578), Reversed()=false, StartOffset()=0, EndOffset()=1816, Collapsed()=false, Length()=1816 }, mFirstCharRect=(x=451, y=-95, w=1, h=24), mCaret={ mOffset=0, mRect=(x=451, y=-95, w=1, h=24) }, mTextRectArray=<Nothing>, mWidgetHasComposition=false, mPendingCompositionCount=0, mCompositionStart=<Nothing>, mPendingCommitLength=0, mEditorRect=(x=452, y=-95, w=1173, h=3646), mLastCommitStringTextRectArray=<Nothing>
D/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::OnSelectionChangeInternal(aIMENotification={ mSelectionChangeData={ mOffset=0, mString.Length()=1816, GetWritingMode()=h-ltr, mReversed=false, mCausedByComposition=false, mCausedBySelectionEvent=false, mOccurredDuringComposition=false } }), mDestroyed=false, mSink=0x1aa4f720ff8, mSinkMask=TS_AS_TEXT_CHANGE | TS_AS_SEL_CHANGE | TS_AS_LAYOUT_CHANGE | TS_AS_ATTR_CHANGE | TS_AS_STATUS_CHANGE, mIsRecordingActionsWithoutLock=false, mComposition=<Nothing>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::MaybeFlushPendingNotifications(), calling TSFTextStore::NotifyTSFOfSelectionChange()...
D/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfSelectionChange(), selection isn't actually changed.
I/ContentCacheWidgets 0x1aa68d95b10 AssignContent(aNotification=NOTIFY_IME_OF_POSITION_CHANGE), Succeeded, mText.Length()=1816, mSelection={ mAnchor=0, mFocus=1816, mWritingMode=h-ltr, mAnchorCharRects[eNextCharRect]=(x=451, y=-95, w=1, h=24), mFocusCharRects[ePrevCharRect]=(x=452, y=3524, w=1, h=24), mFocusCharRects[eNextCharRect]=(x=452, y=3524, w=1, h=24), mRect=(x=452, y=-91, w=895, h=3578), Reversed()=false, StartOffset()=0, EndOffset()=1816, Collapsed()=false, Length()=1816 }, mFirstCharRect=(x=451, y=-95, w=1, h=24), mCaret={ mOffset=0, mRect=(x=451, y=-95, w=1, h=24) }, mTextRectArray=<Nothing>, mWidgetHasComposition=false, mPendingCompositionCount=0, mCompositionStart=<Nothing>, mPendingCommitLength=0, mEditorRect=(x=452, y=-95, w=1173, h=3646), mLastCommitStringTextRectArray=<Nothing>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::OnLayoutChangeInternal(), calling NotifyTSFOfLayoutChange()...
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfLayoutChange(), calling ITextStoreACPSink::OnLayoutChange()...
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::RequestLock(dwLockFlags=TS_LF_READ, phrSession=0x8f691fcb20), mLock=not-specified, mDestroyed=false
I/nsTextStoreWidgets 0x1aa5c00d310 Locking (TS_LF_READ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
<snip>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetTextExt(vcView=1, acpStart=0, acpEnd=1816, prc=0x8f691fc2a0, pfClipped=0x8f691fc268), IsHandlingCompositionInParent()=false, IsHandlingCompositionInContent()=false, mContentForTSF=<Nothing>, mSelectionForTSF={ mACP={ acpStart=0, acpEnd=1816, style={ ase=TS_AE_END, fInterimChar=FALSE } }, mWritingMode=h-ltr, Collapsed()=false, Length=1816 }, mComposition=<Nothing>, mDeferNotifyingTSF=false, mWaitingQueryLayout=false, IMEHandler::IsA11yHandlingNativeCaret()=true
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(aEvent={ mMessage=eQueryTextRect, mInput={ mOffset=0, mLength=1816 } }, aWidget=0x1aa544d1e00), mText.Length()=1816
I/ContentCacheWidgets 0x1aa68d95b10 GetUnionTextRects(aOffset=0, aLength=1816, aRoundToExistingOffset=false), mTextRectArray=<Nothing>, mSelection={ mAnchor=0, mFocus=1816, mWritingMode=h-ltr, mAnchorCharRects[eNextCharRect]=(x=451, y=-95, w=1, h=24), mFocusCharRects[ePrevCharRect]=(x=452, y=3524, w=1, h=24), mFocusCharRects[eNextCharRect]=(x=452, y=3524, w=1, h=24), mRect=(x=452, y=-91, w=895, h=3578), Reversed()=false, StartOffset()=0, EndOffset()=1816, Collapsed()=false, Length()=1816 }, mLastCommitStringTextRectArray=<Nothing>
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(), Succeeded, aEvent={ mMessage=eQueryTextRect mReply={ mOffsetAndData={ mOffset=0, mData="CARRIAGE RETURN (0x000D) LINE FEED (0x000A) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) SPACE (0x0020) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) SPACE (0x0020) ... LINE FEED (0x000A) CARRIAGE RETURN (0x000D) LINE FEED (0x000A) NO-BREAK SPACE (0x00A0) CARRIAGE RETURN (0x000D) LINE FEED (0x000A) CARRIAGE RETURN (0x000D) LINE FEED (0x000A) CARRIAGE RETURN (0x000D) LINE FEED (0x000A)", Length()=1816, EndOffset()=1816 }, mHasSelection=false, mWritingMode=h-ltr, mContentsRoot=0x0000000000000000, mFocusedWidget=0x000001AA544D1E00, mRect=(x=452, y=-91, w=895, h=3578) } }
<snip>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetTextExt() succeeded: *prc={ left=915, top=88, right=1810, bottom=1940 }, *pfClipped=true
<snip>
I/nsTextStoreWidgets 0x1aa5c00d310 Unlocked (TS_LF_READ) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::RequestLock() succeeded: *phrSession=S_OK
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfLayoutChange(), called ITextStoreACPSink::OnLayoutChange()
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfLayoutChange(), succeeded notifying TIP of our layout change
D/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::OnLayoutChangeInternal(), calling MaybeFlushPendingNotifications()...
I/ContentCacheWidgets 0x1aa68d95b10 AssignContent(aNotification=NOTIFY_IME_OF_POSITION_CHANGE), Succeeded, mText.Length()=1816, mSelection={ mAnchor=0, mFocus=1816, mWritingMode=h-ltr, mAnchorCharRects[eNextCharRect]=(x=451, y=-95, w=1, h=24), mFocusCharRects[ePrevCharRect]=(x=452, y=3524, w=1, h=24), mFocusCharRects[eNextCharRect]=(x=452, y=3524, w=1, h=24), mRect=(x=452, y=-91, w=895, h=3578), Reversed()=false, StartOffset()=0, EndOffset()=1816, Collapsed()=false, Length()=1816 }, mFirstCharRect=(x=451, y=-95, w=1, h=24), mCaret={ mOffset=0, mRect=(x=451, y=-95, w=1, h=24) }, mTextRectArray=<Nothing>, mWidgetHasComposition=false, mPendingCompositionCount=0, mCompositionStart=<Nothing>, mPendingCommitLength=0, mEditorRect=(x=452, y=-95, w=1173, h=3646), mLastCommitStringTextRectArray=<Nothing>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::OnLayoutChangeInternal(), calling NotifyTSFOfLayoutChange()...
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfLayoutChange(), calling ITextStoreACPSink::OnLayoutChange()...
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::RequestLock(dwLockFlags=TS_LF_READ, phrSession=0x8f691fcb20), mLock=not-specified, mDestroyed=false
I/nsTextStoreWidgets 0x1aa5c00d310 Locking (TS_LF_READ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
<snip>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetTextExt(vcView=1, acpStart=0, acpEnd=1816, prc=0x8f691fc2a0, pfClipped=0x8f691fc268), IsHandlingCompositionInParent()=false, IsHandlingCompositionInContent()=false, mContentForTSF=<Nothing>, mSelectionForTSF={ mACP={ acpStart=0, acpEnd=1816, style={ ase=TS_AE_END, fInterimChar=FALSE } }, mWritingMode=h-ltr, Collapsed()=false, Length=1816 }, mComposition=<Nothing>, mDeferNotifyingTSF=false, mWaitingQueryLayout=false, IMEHandler::IsA11yHandlingNativeCaret()=true
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(aEvent={ mMessage=eQueryTextRect, mInput={ mOffset=0, mLength=1816 } }, aWidget=0x1aa544d1e00), mText.Length()=1816
I/ContentCacheWidgets 0x1aa68d95b10 GetUnionTextRects(aOffset=0, aLength=1816, aRoundToExistingOffset=false), mTextRectArray=<Nothing>, mSelection={ mAnchor=0, mFocus=1816, mWritingMode=h-ltr, mAnchorCharRects[eNextCharRect]=(x=451, y=-95, w=1, h=24), mFocusCharRects[ePrevCharRect]=(x=452, y=3524, w=1, h=24), mFocusCharRects[eNextCharRect]=(x=452, y=3524, w=1, h=24), mRect=(x=452, y=-91, w=895, h=3578), Reversed()=false, StartOffset()=0, EndOffset()=1816, Collapsed()=false, Length()=1816 }, mLastCommitStringTextRectArray=<Nothing>
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(), Succeeded, aEvent={ mMessage=eQueryTextRect mReply={ mOffsetAndData={ mOffset=0, mData="CARRIAGE RETURN (0x000D) LINE FEED (0x000A) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) SPACE (0x0020) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) SPACE (0x0020) ... LINE FEED (0x000A) CARRIAGE RETURN (0x000D) LINE FEED (0x000A) NO-BREAK SPACE (0x00A0) CARRIAGE RETURN (0x000D) LINE FEED (0x000A) CARRIAGE RETURN (0x000D) LINE FEED (0x000A) CARRIAGE RETURN (0x000D) LINE FEED (0x000A)", Length()=1816, EndOffset()=1816 }, mHasSelection=false, mWritingMode=h-ltr, mContentsRoot=0x0000000000000000, mFocusedWidget=0x000001AA544D1E00, mRect=(x=452, y=-91, w=895, h=3578) } }
<snip>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetTextExt() succeeded: *prc={ left=915, top=88, right=1810, bottom=1940 }, *pfClipped=true
<snip>
I/nsTextStoreWidgets 0x1aa5c00d310 Unlocked (TS_LF_READ) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::RequestLock() succeeded: *phrSession=S_OK
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfLayoutChange(), called ITextStoreACPSink::OnLayoutChange()
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfLayoutChange(), succeeded notifying TIP of our layout change
D/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::OnLayoutChangeInternal(), calling MaybeFlushPendingNotifications()...
I/ContentCacheWidgets 0x1aa68d95b10 AssignContent(aNotification=NOTIFY_IME_OF_TEXT_CHANGE), Succeeded, mText.Length()=1806, mSelection={ mAnchor=0, mFocus=1816, mWritingMode=h-ltr, mAnchorCharRects[eNextCharRect]=(x=451, y=-95, w=1, h=24), mFocusCharRects[ePrevCharRect]=(x=0, y=0, w=0, h=0), mFocusCharRects[eNextCharRect]=(x=452, y=3524, w=1, h=24), mRect=(x=452, y=-91, w=895, h=3578), Reversed()=false, StartOffset()=0, EndOffset()=1816, Collapsed()=false, Length()=1816 }, mFirstCharRect=(x=451, y=-95, w=1, h=24), mCaret={ mOffset=0, mRect=(x=451, y=-95, w=1, h=24) }, mTextRectArray=<Nothing>, mWidgetHasComposition=false, mPendingCompositionCount=0, mCompositionStart=<Nothing>, mPendingCommitLength=0, mEditorRect=(x=452, y=-95, w=1173, h=3646), mLastCommitStringTextRectArray=<Nothing>
D/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::OnTextChangeInternal(aIMENotification={ mMessage=0x00000004, mTextChangeData={ mStartOffset=1061, mRemoveEndOffset=1071, mAddedEndOffset=1061, mCausedOnlyByComposition=false, mIncludingChangesDuringComposition=false, mIncludingChangesWithoutComposition=true } }), mDestroyed=false, mSink=0x1aa4f720ff8, mSinkMask=TS_AS_TEXT_CHANGE | TS_AS_SEL_CHANGE | TS_AS_LAYOUT_CHANGE | TS_AS_ATTR_CHANGE | TS_AS_STATUS_CHANGE, mComposition=<Nothing>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::MaybeFlushPendingNotifications(), calling TSFTextStore::NotifyTSFOfTextChange()...
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfTextChange(), calling ITextStoreACPSink::OnTextChange(0, { acpStart=1061, acpOldEnd=1071, acpNewEnd=1061 })...
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::RequestLock(dwLockFlags=TS_LF_READ, phrSession=0x8f691fc9f4), mLock=not-specified, mDestroyed=false
I/nsTextStoreWidgets 0x1aa5c00d310 Locking (TS_LF_READ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetSelection(ulIndex=4294967295, ulCount=1, pSelection=0x8f691fc560, pcFetched=0x8f691fc6b0)
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(aEvent={ mMessage=eQuerySelectedText }, aWidget=0x1aa544d1e00)
E/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(), FAILED because mSelection is not valid
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetSelection() returns fake selection range for avoiding a crash in TSF, *pSelection={ acpStart=0, acpEnd=0, style={ ase=TS_AE_START, fInterimChar=FALSE } }
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetText(acpStart=437, acpEnd=-1, pchPlain=0x7ffd1c4ca7e0, cchPlainReq=128, pcchPlainOut=0x8f691fbb10, prgRunInfo=0x7ffd1c4ca8f0, ulRunInfoReq=33, pulRunInfoOut=0x7ffd1c4ca8e4, pacpNext=0x7ffd1c4ca8e0), mComposition=<Nothing>
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(aEvent={ mMessage=eQuerySelectedText }, aWidget=0x1aa544d1e00)
E/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(), FAILED because mSelection is not valid
E/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::ContentForTSF(), FAILED, due to SelectionForTSF() failure
E/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetText() FAILED due to ContentForTSF() failure
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetText(acpStart=469, acpEnd=495, pchPlain=0x1aa4f712290, cchPlainReq=26, pcchPlainOut=0x8f691fbe28, prgRunInfo=0x8f691fbbf0, ulRunInfoReq=16, pulRunInfoOut=0x8f691fbbc0, pacpNext=0x8f691fbbc4), mComposition=<Nothing>
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(aEvent={ mMessage=eQuerySelectedText }, aWidget=0x1aa544d1e00)
E/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(), FAILED because mSelection is not valid
E/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::ContentForTSF(), FAILED, due to SelectionForTSF() failure
E/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetText() FAILED due to ContentForTSF() failure
|
|
Assignee | |
Comment 12•3 years ago
|
||
First, the flattened plaintext of the editor has 1816 characters.
And first TSF requests selection text (union) rect and editor rect in screen. The latter is omitted from the log, but the complicated thing, computing union rect is succeeded and returns { left=915, top=88, right=1810, bottom=1940 }. Then, we send layout change information twice. Although I don't know for what (caused by scrolling?). Then, we notified text change between 1061 ~ 1071 is removed.
Then, TSF retrieves selection range. At this time, we failed because mSelection is not valid. For avoiding to make TSF confused, we return collapsed selection at start of the document ({ acpStart=0, acpEnd=0, style={ ase=TS_AE_START, fInterimChar=FALSE } }). Then, TSF tries to retrieve text at 437 ~ end and 469 - 495. Both we fail to return correct value and we return E_FAIL.
It seems that TSF or Microsoft's IME common code does not handle the error correctly. I don't reproduce this bug with ATOK which is a third party's Japanese IME. I tested this on Win11.
|
|
Assignee | |
Comment 13•3 years ago
|
||
Asking Microsoft's developer about the stack with telling that we return E_FAIL from GetText()...
|
|
Assignee | |
Comment 14•3 years ago
|
||
(I'll keep investigating why mSelection becomes invalid with the flow.)
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 15•2 years ago
|
||
Filed our side failure as normal bug (bug 1746104).
|
|
Assignee | |
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Comment 16•2 years ago
|
||
(Set to S2 due to the crash, feel free to modify if you don't agree)
|
|
Assignee | |
Comment 17•2 years ago
|
||
Unfortunately, fixing only bug 1746104 is not enough because I confirmed that there is another bug which makes ContentCacheInParent has different length text for selection and text. I'm still not sure what causes it, but I think that it should be relaxed for avoiding crash for now.
|
|
Assignee | |
Comment 18•2 years ago
|
||
Okay, I got the another bug which caused TSFTextStore fails to get selection. I filed bug 1752956 for fixing it.
|
|
Assignee | |
Comment 19•2 years ago
|
||
Now, the patches have landed. So this must be fixed in Nightly channel.
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Comment 20•2 years ago
|
||
Unfortunately this does not appear to be exploitable beyond a Denial of Service attack and is therefore not eligible for our Bug Bounty program
|
||
Comment 21•2 years ago
|
||
Hi Aryan! Could you please help us verifying if the issue is fixed on your end, with latest Nightly 99?
I'm unable to reproduce the crash on Win 10 (Nightly 96.0a1, 2021-11-06), although I tested with the same Jira ticket posted in comment 0.
|
|
Reporter | |
Comment 22•2 years ago
|
||
Hey Ciprian,
I'm so sorry for the delayed response here. I was extensively busy and away from my personal mechine. I retested and tried reproducing the behaviour at my end and can confirm that the issue is no longer being reproduced.
Thanks and regards!
|
|
||
Comment 23•2 years ago
|
||
No worries, thanks for taking the time to test this! Marking the bug as verified fixed per comment 22.
|
||
Updated•2 years ago
|
|
|
||
Comment 24•2 years ago
|
||
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
Description
•