
Browser crashes during XMLHttpRequest with null URL

RESOLVED FIXED in mozilla1.7beta

Status

Product: Core
Component: XML
Priority: --
Severity: critical
Status: RESOLVED FIXED
14 years ago
14 years ago

People

Reporter: Met - Martin Hassman
Assigned: Heikki Toivonen (remove -bugzilla when emailing directly)

Tracking

Version: Trunk
Target Milestone: mozilla1.7beta
Platform: x86
OS: All
Keywords: crash, testcase
Points: ---

Firefox Tracking Flags: Not tracked

Details

Whiteboard: TB30990334H

Attachments

2 attachments

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; cs-CZ; rv:1.6) Gecko/20040113
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; cs-CZ; rv:1.6) Gecko/20040113

Create a new XMLHttpRequest and call open() with a null URL:

xmlreq = new XMLHttpRequest();
xmlreq.open("GET", null); // <- Mozilla crashes!!!

Probably the URL parameter is not properly checked in nsXMLHttpRequest::Open()
http://lxr.mozilla.org/mozilla/source/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp#719

xref: bug #230310

Reproducible: Always
Steps to Reproduce:
(Reporter)

Comment 1

14 years ago
Created attachment 142899
Testcase

Comment 2

14 years ago
Confirming using the actual nightly build and 1.7a on W2K and last month's nightly build
on Linux - all are crashing.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, testcase

Updated

14 years ago
OS: Windows 2000 → All

Updated

14 years ago
Whiteboard: TB30990334H

Comment 3

14 years ago
And to be more precise, it crashes right here:

http://lxr.mozilla.org/mozilla/source/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp#749

748     nsCOMPtr<nsIURI> targetURI;
749     rv = NS_NewURI(getter_AddRefs(targetURI), url, mBaseURI);
750     if (NS_FAILED(rv)) return NS_ERROR_FAILURE;

with callstack:

NTDLL! 77fa144b()
nsDebugImpl::Assertion(nsDebugImpl * const 0x00266d08, const char * 0x100f6a60
`string', const char * 0x100f6974 `string', const char * 0x100f697c `string',
int 133) line 276
nsDebug::Assertion(const char * 0x100f6a60 `string', const char * 0x100f6974
`string', const char * 0x100f697c `string', int 133) line 109
nsDependentCString::Rebind(const char * 0x00000000) line 133 + 31 bytes
nsDependentCString::nsDependentCString(const char * 0x00000000) line 179 + 47 bytes
NS_NewURI(nsIURI * * 0x0012da88, const char * 0x00000000, nsIURI * 0x034c5760,
nsIIOService * 0x00000000) line 136 + 23 bytes
nsXMLHttpRequest::Open(nsXMLHttpRequest * const 0x03444028, const char *
0x0337d2a0, const char * 0x00000000) line 756 + 47 bytes
...
...
...

Missing a null pointer check I think, have a fix. Have not yet compiled to make
sure.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.7beta

Created attachment 143093
fix

Comment on attachment 143093
fix

Confirmed that it indeed fixes the crash, so just a trivial null pointer check.
Attachment #143093 - Flags: superreview?(jst)
Attachment #143093 - Flags: review?(jst)

Comment on attachment 143093
fix

r+sr=jst
Attachment #143093 - Flags: superreview?(jst) → superreview+
Attachment #143093 - Flags: review?(jst) → review+

Checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
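
The call chain from the stack trace in this bug (Open, NS_NewURI, nsDependentCString, Rebind), modelled as an added example that is neither the Mozilla source nor the attached patch. Every type and function name below is a hypothetical stand-in, the model throws where the browser asserted and crashed, and the shape of the check in OpenChecked is an assumption based on the "null pointer check" described in the comments.

```cpp
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for XPCOM-style result codes.
enum class Result { Ok, Failure };

// Stand-in for a non-owning string wrapper. Like the nsDependentCString frames
// in the stack trace, it has to measure the C string it is handed, so a null
// pointer violates its precondition. This model throws where the browser crashed.
class DependentCString {
public:
    explicit DependentCString(const char* data) { Rebind(data); }
    void Rebind(const char* data) {
        if (!data) throw std::invalid_argument("null pointer passed to Rebind");
        mData = data;
        mLength = std::strlen(data);
    }
    const char* Data() const { return mData; }
    std::size_t Length() const { return mLength; }
private:
    const char* mData = nullptr;
    std::size_t mLength = 0;
};

// Stand-in for the URI factory: wraps the raw spec without checking it first.
Result NewURI(std::string& out, const char* spec) {
    DependentCString wrapped(spec);  // a null spec fails here
    out.assign(wrapped.Data(), wrapped.Length());
    return Result::Ok;
}

// Before: forwards whatever the caller passed, as in the reported crash.
Result OpenUnchecked(const char* method, const char* url, std::string& target) {
    (void)method;
    return NewURI(target, url);
}

// After: reject a null URL at the API boundary (assumed shape of the check).
Result OpenChecked(const char* method, const char* url, std::string& target) {
    (void)method;
    if (!url) return Result::Failure;
    return NewURI(target, url);
}
```

The check sits in the scriptable entry point rather than in the string wrapper because that is the first place where untrusted script input becomes a raw pointer.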