Closed Bug 265206 Opened 20 years ago Closed 20 years ago

Crash in html mode when input tag name is immediately followed by char 0x00

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 264956

People

(Reporter: moz, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a5) Gecko/20041014

Gecko crashes when parsing the document given by the demonstration URL.

This document contains those caracters :
3c 48 54 4d 4c 3e 3c 49 4e 50 55 54 00 41 41 41 41 41 41 41 41 41 41 3e 0a
 <  H  T  M  L  >  <  I  N  P  U  T  .  A  A  A  A  A  A  A  A  A  A  >  .  

The bug is described there :
http://marc.theaimsgroup.com/?l=bugtraq&m=109811406620511&w=2


Reproducible: Always
Steps to Reproduce:
1.Go to the specified URL

Actual Results:  
A null pointer crash

Expected Results:  
No crash :)

Here is the message I get in the console :
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().:
'mRawPtr != 0', file ../../../../dist/includ
e/xpcom\nsCOMPtr.h, line 711

The crash occurs in the RuleProcessorData constructor. Here is the piece of code
where it occurs :

if (mIsHTMLContent) {
      PRBool isChecked = PR_FALSE;
      if (mContentTag == nsHTMLAtoms::option) {
        nsCOMPtr<nsIDOMHTMLOptionElement> optEl = do_QueryInterface(mContent);
        optEl->GetSelected(&isChecked);
      } else if (mContentTag == nsHTMLAtoms::input) {
        nsCOMPtr<nsIDOMHTMLInputElement> inputEl = do_QueryInterface(mContent);

****************************************************************************
inputEl contains a NULL pointer, thus leading to a crash when using a -> operator
****************************************************************************        

       inputEl->GetChecked(&isChecked);
      }
      mIsChecked = isChecked;
    }

---------------------------------------------------------------------------
Here is a stack trace :

NTDLL! 7848144b()
nsDebugImpl::Assertion(nsDebugImpl * const 0x0026a5a8, const char * 0x023955fc
`string', const char * 0x02395640 `string', const char * 0x02396c68 `string',
int 711) line 290
nsDebug::Assertion(const char * 0x023955fc `string', const char * 0x02395640
`string', const char * 0x02396c68 `string', int 711) line 109
nsCOMPtr<nsIDOMHTMLInputElement>::operator->() line 711 + 34 bytes
RuleProcessorData::RuleProcessorData(nsPresContext * 0x03b52190, nsIContent *
0x03cef2d0, nsRuleWalker * 0x03ccf8c8, nsCompatibility * 0x00000000) line 2897 +
12 bytes
ElementRuleProcessorData::ElementRuleProcessorData(nsPresContext * 0x03b52190,
nsIContent * 0x03cef2d0, nsRuleWalker * 0x03ccf8c8) line 110
nsStyleSet::ResolveStyleFor(nsIContent * 0x03cef2d0, nsStyleContext *
0x03ceb1b0) line 580
nsCSSFrameConstructor::ResolveStyleContext(nsPresContext * 0x03b52190, nsIFrame
* 0x03ceb3ac, nsIContent * 0x03cef2d0) line 6573 + 20 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x03cd9280, nsPresContext *
0x03b52190, nsFrameConstructorState & {...}, nsIContent * 0x03cef2d0, nsIFrame *
0x03ceb3ac, nsFrameItems & {...}) line 7320 + 24 bytes
nsCSSFrameConstructor::ContentAppended(nsPresContext * 0x03b52190, nsIContent *
0x03cdc298, int 0) line 8565
PresShell::ContentAppended(nsIDocument * 0x03c09198, nsIContent * 0x03cdc298,
int 0) line 5118
nsDocument::ContentAppended(nsIContent * 0x03cdc298, int 0) line 2070
nsHTMLDocument::ContentAppended(nsIContent * 0x03cdc298, int 0) line 1125
HTMLContentSink::NotifyAppend(nsIContent * 0x03cdc298, unsigned int 0) line 4028
SinkContext::FlushTags(int 1) line 1798
HTMLContentSink::CloseBody(HTMLContentSink * const 0x03ccd3a0) line 2790
CNavDTD::CloseBody() line 3172 + 27 bytes
CNavDTD::CloseContainer(nsHTMLTag eHTMLTag_body, nsHTMLTag eHTMLTag_body, int 0)
line 3492 + 8 bytes
CNavDTD::CloseContainersTo(int 1, nsHTMLTag eHTMLTag_body, int 0) line 3550 + 20
bytes
CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_body, int 0) line 3708 + 20 bytes
CNavDTD::DidBuildModel(CNavDTD * const 0x03cda078, unsigned int 0, int 1,
nsIParser * 0x03ccb218, nsIContentSink * 0x03ccd3a0) line 603 + 22 bytes
nsParser::DidBuildModel(unsigned int 0) line 1248 + 46 bytes
nsParser::ResumeParse(int 1, int 1, int 1) line 1843
nsParser::OnStopRequest(nsParser * const 0x03ccb21c, nsIRequest * 0x03c94708,
nsISupports * 0x00000000, unsigned int 0) line 2487 + 21 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x03c947c0,
nsIRequest * 0x03c94708, nsISupports * 0x00000000, unsigned int 0) line 360
nsFileChannel::OnStopRequest(nsFileChannel * const 0x03c94710, nsIRequest *
0x03c94fb8, nsISupports * 0x00000000, unsigned int 0) line 539
nsInputStreamPump::OnStateStop() line 505
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x03c94fbc,
nsIAsyncInputStream * 0x03c94a58) line 341 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x03c95054) line 119
already fixed 

*** This bug has been marked as a duplicate of 264956 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.