Closed
Bug 189485
Opened 22 years ago
Closed 16 years ago
A crash occurs when OBJECT'S data attribute value is empty
Categories
(Core Graveyard :: Plug-ins, defect, P2)
Core Graveyard
Plug-ins
Tracking
(Not tracked)
RESOLVED
FIXED
Future
People
(Reporter: chrispetersen, Assigned: danielle.pham)
Details
(Keywords: crash, testcase)
Attachments
(3 files)
Build: 2003-01-15-07 Platform: All Expected Results: The application should not crash What I got: Application crash when intializing the OBJECT element Steps to reproduce: 1) Open attached test case which contains a OBJECT referencing a java applet via CLASSID. The test case includes a DATA="" attribute. 2) Application crashes.
|
Reporter | |
Comment 1•22 years ago
|
||
|
|
Reporter | |
Comment 2•22 years ago
|
||
|
|
Reporter | |
Comment 3•22 years ago
|
||
This problem reproduces under Win32 trunk , MACH-0 OS X trunk, CFM OS X trunk and latest Chimera build.
|
||
Comment 4•22 years ago
|
||
Crash on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030114 on WinXP. (do not crash on systems without Java plugin).
|
||
Comment 5•22 years ago
|
||
confirming crash using build 20030117 on Linux + JRE 1.4.1_01.
Keywords: crash
|
||
Updated•22 years ago
|
Priority: -- → P2
Target Milestone: --- → Future
Keywords: talkbackid
Whiteboard: TB2104382K
Xiaobin it looks like you have written the code (/deploy/src/plugin/share/adapter/ns7) where it crashes could you please look at it.
Assignee: peterlubczynski-bugs → Xiaobin.Lu
I filed a bug in suns database which is not public visible yet (internal id 338622) to get some traction on this
|
||
Comment 10•20 years ago
|
||
the bug in suns database is: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6201524
|
||
Updated•19 years ago
|
Keywords: talkbackid
Whiteboard: TB2104382K
|
Assignee | |
Comment 11•19 years ago
|
||
It does not seem that any browser can be able to render the testcase attachment.html (https://bugzilla.mozilla.org/attachment.cgi?id=111844) provided in bugzilla 189485 (https://bugzilla.mozilla.org/show_bug.cgi? id=189485). I tried it with IE6.0, Mozilla1.8, Firefox1.0.6. Regardless of the browser used, only the text "This text should appear if the browser can't render this applet object" and no applet is loaded, no crash can be seen. I also asked another engineer (Xiaobin Lu, who's originally the owner of bugzilla bug# 189485) to run this testcase and he also got the same result with me. I looked into the contents of the crash stack trace under MAC OS attached in 189485 (https://bugzilla.mozilla.org/attachment.cgi?id=111842). The stack trace shows old JPI code that no longer exist in JRE 1.4.2, 1.5.0, 1.6.0. So the questions are: 1) Which JRE version that was used when the crash happened? 2) Can you resubmit the testcase with which we can be able to see the crash. Please also attach JitterText.class applet. 3) Does problem still exists with our latest JRE updates (1.4.2_08, 1.5.0_04)? Without these information, I cannot proceed to work on this bug. danielle.pham@sun.com
|
||
Comment 12•19 years ago
|
||
danielle.pham@sun.com: macosx normally uses 1.3 for mrj unless you use jep
|
|
||
Comment 13•19 years ago
|
||
This thing does crash as before on winxp the firefox nightly. I just filed a new talkback. http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB9382117G this is with Java Version 1.5.0 (Build 1.5.0_04-b05)
|
||
Comment 14•19 years ago
|
||
Danielle, Would you please take over the ownership of this bug? Thanks.
|
||
Comment 15•17 years ago
|
||
The Problem still exists in Firefox 2.0.0.3 and is not restricted to the Java plugin. The plugin of Adobe Reader 8.0.0 also crashes when the parameter "data" is empty. Internet Explorer 7 simply shows "Crash through object tag" and the inner text instead of the object. The general problem seems to be that Firefox crashes when a plugin crashes. FF should be able to safely handle crashing plugins.
|
||
Comment 16•17 years ago
|
||
On my 2007-05-09 and 2007-05-30 Linux builds of Firefox 3.0, *any* object element with an empty (not absent) data attribute can freeze Firefox. Even something as simple as this: <object data=""></object> This behavior is not present in Firefox 2.0. Sometimes the object will just steal the content of the following object, shifting the content of all objects by one, leaving the last object with an error page about not finding "<path>/undefined". If there are no object elements following to steal from, Firefox will always freeze, and sometimes it will freeze even if there are following valid objects. This may be due to a different issue, since plugins shouldn't be involved here. It could have something to do with bug 96976. I think it would be a serious error to release Firefox 3.0 while it can be frozen with just 25 characters.
|
||
Comment 17•17 years ago
|
||
Attached Test Case:
189485_String_Term_Crash.html
Open test cast with affected Firefox version on confirmed operating system
using one of the tested Java versions.
Test case demonstrates crash, hang, or improper rending of an object
containing an empty attribute value.
Confirmed affected operating systems:
Windows XP SP1
Fedora Core 4
Test with Java versions:
DK/JRE 5.0 update 5
DK/JRE 5.0 update 11
J2SDK/J2RE 1.4.1_02
J2SDK/J2RE 1.4.2_01
J2SDK/J2RE 1.4.2_14
Firefox versions:
Firefox 2.0.0.6
Firefox 3
Klocwork source code analysis report:
Defect Name:
Result of function that may return NULL will be dereferenced.
Location:
firefox/ firefox2.0.0.6/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp
line: 6462
Details:
Pointer 's++' returned from call to function 'ElementAt' at line 6454 may be
NULL and will be dereferenced at line 6462.
Traceback:
nsPluginHostImpl.cpp:6351: !inPostData|| !outPostData|| !outPostDataLen is false
nsPluginHostImpl.cpp:6437: headersLen is true
nsPluginHostImpl.cpp:6447: ! ( *outPostData=p= (char* )nsMemory::Alloc(newBufferLen) ) is false
nsPluginHostImpl.cpp:6452: cntSingleLF is true
nsPluginHostImpl.cpp:6453: i<cntSingleLF is true
nsPluginHostImpl.cpp:6454: 'plf' has a NULL value, which is returned by function 'ElementAt'.
nsPluginHostImpl.cpp:6461: s:=plf
nsPluginHostImpl.cpp:6462: 's++' is explicitly dereferenced.
Comments:
I am part of the Professional Services team at Klocwork and was asked to use
the Klocwork source code analysis tool on some open source projects. From the
list of defects found in the Firefox 2.0.0.6 source, I believe this particular
defect is related to the empty object data attribute.
The malicious object is rendered properly on Windows Vista using Firefox
version: 2.0.0.6, Java build 1.5.0_12-b04 full JDK. The same setup on Windows
XP results in a crash.
If the test case is opened while Firefox is already loaded, Firefox might
simply hang instead of crash. If Firefox is opened through opening of the test
case, the crash is consistent.
Internet Explorer 7 is unable to render the malformed object properly, but
does not result in a crash.
Suggested severity is critical.
A duplicate of this defect is also incorrectly reported as irreproducible in
Sun’s bug tracking database.|
|
||
Comment 18•17 years ago
|
||
|
|
Assignee | |
Comment 19•17 years ago
|
||
I could reproduce the problem. Will take a look at it.
|
|
Assignee | |
Comment 20•17 years ago
|
||
I put an engineering build JRE bundle with this fix for Windows on: http://www.annepoon.com/java/jre-6u4-sep14.exe Please verify if problem is gone with this bundle. The corresponding Sun bug ID for this is 6604926. I'll try to get fix in to the next update release of 6.0 (6u4).
|
|
Assignee | |
Updated•16 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•