Crash in html mode when input tag name is immediately followed by char 0x00

RESOLVED DUPLICATE of bug 264956


People

(Reporter: moz, Unassigned)

Tracking

Trunk
x86
Windows 2000



(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a5) Gecko/20041014

Gecko crashes when parsing the document given by the demonstration URL.

This document contains these characters:
3c 48 54 4d 4c 3e 3c 49 4e 50 55 54 00 41 41 41 41 41 41 41 41 41 41 3e 0a
 <  H  T  M  L  >  <  I  N  P  U  T  .  A  A  A  A  A  A  A  A  A  A  >  .  

The bug is described here:
http://marc.theaimsgroup.com/?l=bugtraq&m=109811406620511&w=2


Reproducible: Always
Steps to Reproduce:
1. Go to the specified URL

Actual Results:  
A null pointer crash

Expected Results:  
No crash :)

Here is the message I get in the console:
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().:
'mRawPtr != 0', file ../../../../dist/include/xpcom\nsCOMPtr.h, line 711

The crash occurs in the RuleProcessorData constructor. Here is the piece of code
where it occurs:

    if (mIsHTMLContent) {
      PRBool isChecked = PR_FALSE;
      if (mContentTag == nsHTMLAtoms::option) {
        nsCOMPtr<nsIDOMHTMLOptionElement> optEl = do_QueryInterface(mContent);
        optEl->GetSelected(&isChecked);
      } else if (mContentTag == nsHTMLAtoms::input) {
        nsCOMPtr<nsIDOMHTMLInputElement> inputEl = do_QueryInterface(mContent);

        // ******************************************************************
        // inputEl contains a NULL pointer, thus leading to a crash when
        // using the -> operator
        // ******************************************************************

        inputEl->GetChecked(&isChecked);
      }
      mIsChecked = isChecked;
    }

---------------------------------------------------------------------------
Here is a stack trace:

NTDLL! 7848144b()
nsDebugImpl::Assertion(nsDebugImpl * const 0x0026a5a8, const char * 0x023955fc `string', const char * 0x02395640 `string', const char * 0x02396c68 `string', int 711) line 290
nsDebug::Assertion(const char * 0x023955fc `string', const char * 0x02395640 `string', const char * 0x02396c68 `string', int 711) line 109
nsCOMPtr<nsIDOMHTMLInputElement>::operator->() line 711 + 34 bytes
RuleProcessorData::RuleProcessorData(nsPresContext * 0x03b52190, nsIContent * 0x03cef2d0, nsRuleWalker * 0x03ccf8c8, nsCompatibility * 0x00000000) line 2897 + 12 bytes
ElementRuleProcessorData::ElementRuleProcessorData(nsPresContext * 0x03b52190, nsIContent * 0x03cef2d0, nsRuleWalker * 0x03ccf8c8) line 110
nsStyleSet::ResolveStyleFor(nsIContent * 0x03cef2d0, nsStyleContext * 0x03ceb1b0) line 580
nsCSSFrameConstructor::ResolveStyleContext(nsPresContext * 0x03b52190, nsIFrame * 0x03ceb3ac, nsIContent * 0x03cef2d0) line 6573 + 20 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x03cd9280, nsPresContext * 0x03b52190, nsFrameConstructorState & {...}, nsIContent * 0x03cef2d0, nsIFrame * 0x03ceb3ac, nsFrameItems & {...}) line 7320 + 24 bytes
nsCSSFrameConstructor::ContentAppended(nsPresContext * 0x03b52190, nsIContent * 0x03cdc298, int 0) line 8565
PresShell::ContentAppended(nsIDocument * 0x03c09198, nsIContent * 0x03cdc298, int 0) line 5118
nsDocument::ContentAppended(nsIContent * 0x03cdc298, int 0) line 2070
nsHTMLDocument::ContentAppended(nsIContent * 0x03cdc298, int 0) line 1125
HTMLContentSink::NotifyAppend(nsIContent * 0x03cdc298, unsigned int 0) line 4028
SinkContext::FlushTags(int 1) line 1798
HTMLContentSink::CloseBody(HTMLContentSink * const 0x03ccd3a0) line 2790
CNavDTD::CloseBody() line 3172 + 27 bytes
CNavDTD::CloseContainer(nsHTMLTag eHTMLTag_body, nsHTMLTag eHTMLTag_body, int 0) line 3492 + 8 bytes
CNavDTD::CloseContainersTo(int 1, nsHTMLTag eHTMLTag_body, int 0) line 3550 + 20 bytes
CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_body, int 0) line 3708 + 20 bytes
CNavDTD::DidBuildModel(CNavDTD * const 0x03cda078, unsigned int 0, int 1, nsIParser * 0x03ccb218, nsIContentSink * 0x03ccd3a0) line 603 + 22 bytes
nsParser::DidBuildModel(unsigned int 0) line 1248 + 46 bytes
nsParser::ResumeParse(int 1, int 1, int 1) line 1843
nsParser::OnStopRequest(nsParser * const 0x03ccb21c, nsIRequest * 0x03c94708, nsISupports * 0x00000000, unsigned int 0) line 2487 + 21 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x03c947c0, nsIRequest * 0x03c94708, nsISupports * 0x00000000, unsigned int 0) line 360
nsFileChannel::OnStopRequest(nsFileChannel * const 0x03c94710, nsIRequest * 0x03c94fb8, nsISupports * 0x00000000, unsigned int 0) line 539
nsInputStreamPump::OnStateStop() line 505
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x03c94fbc, nsIAsyncInputStream * 0x03c94a58) line 341 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x03c95054) line 119
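The failure mode the report points at, as an added example that is neither Gecko code nor the reporter's: one lookup resolves the tag name on a NUL-terminated view and sees `input`, while the element actually created for the full 16-byte name `INPUT\0AAAAAAAAAA` is not an input element, so the QueryInterface-style cast yields null and an unchecked `->` dereferences it. This is a model of that disagreement, not the root cause fixed in bug 264956, which this page does not describe. All class and function names are hypothetical; the only real data is the 25-byte document from the description, embedded here as a constructed input.

```cpp
// Added example, not Gecko code: a model of how a NUL byte inside a tag name
// can make two lookups disagree, so a QueryInterface-style cast returns null
// and an unchecked "->" dereferences it. All names here are hypothetical.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>

enum class Tag { Unknown, Input };

// Base content node. "QI" is modelled with dynamic_cast: it yields nullptr
// when the concrete class does not implement the requested interface.
struct Content {
    Tag tagAtom = Tag::Unknown;   // what the style code compares against
    virtual ~Content() = default;
};
struct HTMLInputElement : Content {
    bool checked = false;
    void GetChecked(bool* out) const { *out = checked; }
};
struct UnknownElement : Content {};

// Tokenizer step: the tag name is every byte between '<' and '>' (or a space),
// NUL included, because the scanner works on lengths rather than C strings.
static std::string ReadTagName(const std::string& doc, std::size_t lt) {
    std::size_t i = lt + 1;
    while (i < doc.size() && doc[i] != '>' && doc[i] != ' ') ++i;
    return doc.substr(lt + 1, i - (lt + 1));
}

// Atom lookup on a NUL-terminated view: the comparison stops at the first
// NUL, so "INPUT\0AAAAAAAAAA" resolves to the `input` atom.
static Tag LookupAtom(const std::string& name) {
    const char* p = name.c_str();   // scanning stops at the embedded NUL
    const char* q = "input";
    while (*p && *q && std::tolower((unsigned char)*p) == *q) { ++p; ++q; }
    return (*p == '\0' && *q == '\0') ? Tag::Input : Tag::Unknown;
}

// Element factory on the full byte string: the 16-byte "INPUT\0AAAAAAAAAA"
// is not "input", so a generic element is built instead of HTMLInputElement,
// while its tag atom still says `input`. That disagreement is the bug.
static std::unique_ptr<Content> CreateElement(const std::string& rawName) {
    std::string lowered(rawName);
    for (char& ch : lowered) ch = (char)std::tolower((unsigned char)ch);
    std::unique_ptr<Content> el;
    if (lowered == "input") el = std::make_unique<HTMLInputElement>();
    else                    el = std::make_unique<UnknownElement>();
    el->tagAtom = LookupAtom(rawName);
    return el;
}

static std::unique_ptr<Content> ElementAt(const std::string& doc, std::size_t lt) {
    return CreateElement(ReadTagName(doc, lt));
}

static bool QiToInputSucceeds(Content* c) {
    return dynamic_cast<HTMLInputElement*>(c) != nullptr;
}

// Shape of the code quoted in the report: the atom says `input`, so the
// caller asks for the input interface and dereferences the result unchecked.
// On the mismatched element this is a null dereference, so never call it there.
static bool IsCheckedUnchecked(Content* c) {
    bool isChecked = false;
    if (c->tagAtom == Tag::Input) {
        auto* inputEl = dynamic_cast<HTMLInputElement*>(c);   // the "QI"
        inputEl->GetChecked(&isChecked);                      // crashes if null
    }
    return isChecked;
}

// Hardened form: a failed QI means "not an input element", the same way a
// NULL nsCOMPtr must be treated, instead of trusting the atom alone.
static bool IsCheckedSafe(Content* c) {
    bool isChecked = false;
    if (c->tagAtom == Tag::Input) {
        if (auto* inputEl = dynamic_cast<HTMLInputElement*>(c))
            inputEl->GetChecked(&isChecked);
    }
    return isChecked;
}

// Constructed inputs: the 25 bytes from the report, and a benign <INPUT>.
static const std::string kPoC("<HTML><INPUT\0AAAAAAAAAA>\n", 25);
static const std::string kBenign("<HTML><INPUT>\n");

int main() {
    auto poc = ElementAt(kPoC, 6);       // the second '<' is at offset 6
    auto ok  = ElementAt(kBenign, 6);
    std::printf("poc: atom=input:%d qi_ok:%d checked(safe):%d\n",
                poc->tagAtom == Tag::Input, QiToInputSucceeds(poc.get()),
                IsCheckedSafe(poc.get()));
    std::printf("benign: qi_ok:%d checked(unchecked):%d\n",
                QiToInputSucceeds(ok.get()), IsCheckedUnchecked(ok.get()));
    return 0;
}
```

The point of the model is that the tag atom and the element's concrete class are decided by two different comparisons of the same bytes, and a single NUL is enough to make them disagree. The assertion in the report ("You can't dereference a NULL nsCOMPtr") is the runtime symptom of exactly that: the QI fails, and the caller trusted the atom instead of the QI result.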

Comment 1

14 years ago
already fixed 

*** This bug has been marked as a duplicate of 264956 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE