Closed Bug 1895681 Opened 1 year ago Closed 1 year ago

When dragging a file from windows "Phone link", hovering over firefox crashes the browser

Categories

(Core :: Widget: Win32, defect, P3)

Product:
Core
Component:
Widget: Win32
Version:
Firefox 125
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
128 Branch
Tracking Flags:
Tracking Status
firefox128 --- fixed

People

(Reporter: simon-leclere, Assigned: rkraesig)

Details

Crash Data

Attachments

(2 files)

The bug in video
9.82 MB, video/x-matroska
Details
Bug 1895681 - [1/1] Check STGMEDIUM's contents for nullptr r?cmartin,#win-reviewers
48 bytes, text/x-phabricator-request
Details | Review
Attached video The bug in video

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0

Steps to reproduce:

  1. Configure "Phone Link" app on windows and on your android device (I use windows 11 and a samsung galaxy S21)

  2. When using phone link, you can screen mirror your phone directly on your pc. You can also drag and drop files from your pc in your phone and from you phone to your pc (from Files app or the gallery).

  3. Open the gallery, select a picture by long-clicking it, then release the click and repress it to grab it. You can now move your mouse outside the window and download the file on your pc. If the mouse (still clicked with a file grabbed) just hover a firefox window, it makes the app crash.

Actual results:

Firefox crashed

Expected results:

Nothing if I don'release the click.

The Bugbug bot thinks this bug should belong to the 'Core::Widget: Win32' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Widget: Win32
Product: Firefox → Core

Can you go type about:crashes into the browser address bar, you should see a link to a crash report. Can you open that link and shre the link here?

The URL should look something like this : https://crash-stats.mozilla.org/report/index/39302a99-7b5b-45ad-af56-776ec0240507

Flags: needinfo?(simon-leclere)

Okay my bad again, this time I swear the link is correct :
https://crash-stats.mozilla.org/report/index/70bb237e-13e3-4b53-a90c-ee8700240508

Crash Signature: [@ nsClipboard::SaveStorageOrStream ]
Flags: needinfo?(rkraesig)

I don't see any changes in the relevant code that line up with the start of this crash signature (according to the graph). Also, we're seeing a simultaneous onset of identical crashes in the esr branch and in v120. The crash addresses also suggest that stm.pstm is NULL, which I believe should never happen when stm.tymed == TYMED_ISTREAM.

All in all, this smells like a bug in Phone Link. (But if so, it's one we can and should be resistant to, rather than crashing on.)

(@mayank: there's generally no need to ni? me on bugs freshly added to Widget: Win32.)

Severity: -- → S3
Flags: needinfo?(rkraesig)
Priority: -- → P3

The pstg / pstm member of an appropriately-tagged STGMEDIUM should
probably never be null -- but this has been witnessed in the wild
nonetheless.

Fail, rather than crashing, if this turns out to be the case.

Assignee: nobody → rkraesig
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Pushed by rkraesig@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ac9546a9950c [1/1] Check STGMEDIUM's contents for nullptr r=cmartin,win-reviewers

https://hg.mozilla.org/mozilla-central/rev/ac9546a9950c

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox128: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: