Closed Bug 265583 Opened 20 years ago Closed 20 years ago

Crash [@nsCSSFrameConstructor::GetFrame]

Categories

(Core :: Layout, defect)

Type: defect
Priority: Not set
Severity: critical

VERIFIED DUPLICATE of bug 265181

People

(Reporter: mozilla, Unassigned)

Details

(Keywords: crash, Whiteboard: [sg:nse])

Attachments

(1 file)

Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.8a5) Gecko/20041021

When running the Zalewski cgi test program I discovered a reproducible crash
with a garbage HTML file that I will attach shortly. The OS/2 debugger tells me
that it is in nsCSSFrameConstructor::GetFrame in the line
   return frame->GetContentInsertionFrame();
While the crash is not specific to OS/2 or the trunk (I can reproduce it with
1.7.3 on OS/2 and with 1.7.3 on Linux) I didn't create a debug build for Linux
yet and I don't have talkback.

Perhaps there is security involved...
Attached file testcase
The garbled HTML as created by the Zalewski test program
Group: security
Confirmed on Linux with Mozilla 1.7.?
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: crash in nsCSSFrameConstructor::GetFrame → Crash [@nsCSSFrameConstructor::GetFrame]
Whiteboard: [sg:nse]
confirmed, winxp, firefox 0.10.1
TB1456593G
the patch in bug 265181 fixes this crash
Depends on: 265181
Blocks: Zalewski
Can someone please confirm that the patch to bug 265404 fixed this? Cannot
reproduce any more, so from my point of view this can be resolved.

*** This bug has been marked as a duplicate of 265181 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
No longer depends on: 265181
Crash Signature: [@nsCSSFrameConstructor::GetFrame]