Bug 265206 (Closed)
Opened 20 years ago
Closed 20 years ago
Crash in html mode when input tag name is immediately followed by char 0x00
Categories: Core :: DOM: HTML Parser, defect
Status: RESOLVED DUPLICATE of bug 264956
People: Reporter: moz, Unassigned
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a5) Gecko/20041014

Gecko crashes when parsing the document given by the demonstration URL. This document contains these characters:

3c 48 54 4d 4c 3e 3c 49 4e 50 55 54 00 41 41 41 41 41 41 41 41 41 41 3e 0a
<  H  T  M  L  >  <  I  N  P  U  T  .  A  A  A  A  A  A  A  A  A  A  >  .

The bug is described here: http://marc.theaimsgroup.com/?l=bugtraq&m=109811406620511&w=2

Reproducible: Always

Steps to Reproduce:
1. Go to the specified URL

Actual Results:
A null pointer crash

Expected Results:
No crash :)

Here is the message I get in the console:

###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../../../dist/include/xpcom\nsCOMPtr.h, line 711

The crash occurs in the RuleProcessorData constructor. Here is the piece of code where it occurs:

  if (mIsHTMLContent) {
    PRBool isChecked = PR_FALSE;
    if (mContentTag == nsHTMLAtoms::option) {
      nsCOMPtr<nsIDOMHTMLOptionElement> optEl = do_QueryInterface(mContent);
      optEl->GetSelected(&isChecked);
    } else if (mContentTag == nsHTMLAtoms::input) {
      nsCOMPtr<nsIDOMHTMLInputElement> inputEl = do_QueryInterface(mContent);
      // **** inputEl contains a NULL pointer, thus leading to a crash when using a -> operator ****
      inputEl->GetChecked(&isChecked);
    }
    mIsChecked = isChecked;
  }

Here is a stack trace:

NTDLL! 7848144b()
nsDebugImpl::Assertion(nsDebugImpl * const 0x0026a5a8, const char * 0x023955fc `string', const char * 0x02395640 `string', const char * 0x02396c68 `string', int 711) line 290
nsDebug::Assertion(const char * 0x023955fc `string', const char * 0x02395640 `string', const char * 0x02396c68 `string', int 711) line 109
nsCOMPtr<nsIDOMHTMLInputElement>::operator->() line 711 + 34 bytes
RuleProcessorData::RuleProcessorData(nsPresContext * 0x03b52190, nsIContent * 0x03cef2d0, nsRuleWalker * 0x03ccf8c8, nsCompatibility * 0x00000000) line 2897 + 12 bytes
ElementRuleProcessorData::ElementRuleProcessorData(nsPresContext * 0x03b52190, nsIContent * 0x03cef2d0, nsRuleWalker * 0x03ccf8c8) line 110
nsStyleSet::ResolveStyleFor(nsIContent * 0x03cef2d0, nsStyleContext * 0x03ceb1b0) line 580
nsCSSFrameConstructor::ResolveStyleContext(nsPresContext * 0x03b52190, nsIFrame * 0x03ceb3ac, nsIContent * 0x03cef2d0) line 6573 + 20 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x03cd9280, nsPresContext * 0x03b52190, nsFrameConstructorState & {...}, nsIContent * 0x03cef2d0, nsIFrame * 0x03ceb3ac, nsFrameItems & {...}) line 7320 + 24 bytes
nsCSSFrameConstructor::ContentAppended(nsPresContext * 0x03b52190, nsIContent * 0x03cdc298, int 0) line 8565
PresShell::ContentAppended(nsIDocument * 0x03c09198, nsIContent * 0x03cdc298, int 0) line 5118
nsDocument::ContentAppended(nsIContent * 0x03cdc298, int 0) line 2070
nsHTMLDocument::ContentAppended(nsIContent * 0x03cdc298, int 0) line 1125
HTMLContentSink::NotifyAppend(nsIContent * 0x03cdc298, unsigned int 0) line 4028
SinkContext::FlushTags(int 1) line 1798
HTMLContentSink::CloseBody(HTMLContentSink * const 0x03ccd3a0) line 2790
CNavDTD::CloseBody() line 3172 + 27 bytes
CNavDTD::CloseContainer(nsHTMLTag eHTMLTag_body, nsHTMLTag eHTMLTag_body, int 0) line 3492 + 8 bytes
CNavDTD::CloseContainersTo(int 1, nsHTMLTag eHTMLTag_body, int 0) line 3550 + 20 bytes
CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_body, int 0) line 3708 + 20 bytes
CNavDTD::DidBuildModel(CNavDTD * const 0x03cda078, unsigned int 0, int 1, nsIParser * 0x03ccb218, nsIContentSink * 0x03ccd3a0) line 603 + 22 bytes
nsParser::DidBuildModel(unsigned int 0) line 1248 + 46 bytes
nsParser::ResumeParse(int 1, int 1, int 1) line 1843
nsParser::OnStopRequest(nsParser * const 0x03ccb21c, nsIRequest * 0x03c94708, nsISupports * 0x00000000, unsigned int 0) line 2487 + 21 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x03c947c0, nsIRequest * 0x03c94708, nsISupports * 0x00000000, unsigned int 0) line 360
nsFileChannel::OnStopRequest(nsFileChannel * const 0x03c94710, nsIRequest * 0x03c94fb8, nsISupports * 0x00000000, unsigned int 0) line 539
nsInputStreamPump::OnStateStop() line 505
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x03c94fbc, nsIAsyncInputStream * 0x03c94a58) line 341 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x03c95054) line 119
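The report shows a content node whose tag atom compares equal to nsHTMLAtoms::input while do_QueryInterface for nsIDOMHTMLInputElement returns null, and the constructor dereferences that null unchecked. The following is an added example, not code from the bug report or from Gecko, that models that mismatch and the null check which would have prevented the crash. It assumes (the report does not say this) that the tag atom is derived from a NUL-terminated view of the raw tag name, so "INPUT\0AAAAAAAAAA" collapses to "input", while element construction compares the full, length-aware name and therefore builds a generic element. Content, InputElement, scanTagNames and the other names below are stand-ins invented for the example; the input bytes are the 25 bytes listed in the report.

```cpp
// Added example (not Gecko code): models the tag-atom / concrete-type mismatch
// behind bug 265206 and the null check that avoids the crash. Type and function
// names are stand-ins. The split between a NUL-truncated atom lookup and a
// length-aware element factory is an assumption about the root cause.
#include <cctype>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

struct Content {                       // stand-in for nsIContent
    std::string tagAtom;               // what mContentTag is compared against
    virtual ~Content() = default;
};

struct InputElement : Content {        // stand-in for an element implementing nsIDOMHTMLInputElement
    bool checked = false;
};

// The 25 bytes from the bug report: <HTML><INPUT\0AAAAAAAAAA>\n.
// Constructed with an explicit length so the embedded NUL survives.
static const std::string kBugDocument("<HTML><INPUT\0AAAAAAAAAA>\n", 25);

static std::string lowerAscii(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Byte-oriented scanner: returns the raw name of every tag, NUL bytes included.
static std::vector<std::string> scanTagNames(const std::string& doc) {
    std::vector<std::string> names;
    for (size_t i = 0; i < doc.size(); ++i) {
        if (doc[i] != '<') continue;
        size_t end = doc.find('>', i + 1);
        if (end == std::string::npos) break;
        names.push_back(doc.substr(i + 1, end - i - 1));
        i = end;
    }
    return names;
}

// Assumed flaw, half one: the atom lookup goes through a C string, so it
// stops at the first NUL and "INPUT\0AAAAAAAAAA" becomes the atom "input".
static std::string tagAtomFromRaw(const std::string& raw) {
    return lowerAscii(std::string(raw.c_str()));
}

// Assumed flaw, half two: construction compares the full name, so the
// NUL-carrying name is not recognised as <input> and a generic element results.
static std::unique_ptr<Content> createElement(const std::string& raw) {
    std::unique_ptr<Content> el;
    if (lowerAscii(raw) == "input") el = std::make_unique<InputElement>();
    else                            el = std::make_unique<Content>();
    el->tagAtom = tagAtomFromRaw(raw);
    return el;
}

// do_QueryInterface stand-in: null when the object does not implement the interface.
static InputElement* queryInputInterface(Content* c) {
    return dynamic_cast<InputElement*>(c);
}

// The pattern in the crashing constructor: the tag atom is trusted and the QI
// result is used unchecked. Rather than dereference, report whether the
// original inputEl->GetChecked(&isChecked) would have hit a NULL nsCOMPtr.
static bool wouldCrashUnchecked(Content* c) {
    if (c->tagAtom != "input") return false;
    InputElement* inputEl = queryInputInterface(c);
    return inputEl == nullptr;
}

// Hardened form: a failed QI means "not checked", never a dereference.
static bool isCheckedSafe(Content* c) {
    bool isChecked = false;
    if (c->tagAtom == "input") {
        if (InputElement* inputEl = queryInputInterface(c)) {
            isChecked = inputEl->checked;
        }
    }
    return isChecked;
}

// Runs a document through the model; returns how many elements would crash
// the unchecked code while the hardened path handles them all.
static int countCrashingElements(const std::string& doc) {
    int n = 0;
    for (const std::string& raw : scanTagNames(doc)) {
        auto el = createElement(raw);
        if (wouldCrashUnchecked(el.get())) ++n;
        (void)isCheckedSafe(el.get());
    }
    return n;
}

int main() {
    for (const std::string& raw : scanTagNames(kBugDocument)) {
        auto el = createElement(raw);
        std::cout << "raw name of " << raw.size() << " bytes -> atom \"" << el->tagAtom
                  << "\", unchecked deref would crash: "
                  << (wouldCrashUnchecked(el.get()) ? "yes" : "no") << '\n';
    }
    return 0;
}
```

The point for a reviewer is the last two functions: whatever produced the mismatch, the tag atom alone is not proof that the node implements the interface, so the result of do_QueryInterface must be tested before operator-> is applied, exactly as the nsCOMPtr assertion in the report demands.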
Already fixed. *** This bug has been marked as a duplicate of 264956 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE