Closed Bug 293877 Opened 20 years ago Closed 19 years ago

firefox crashes when using the following html, maybe buffer overflow

Categories: Firefox :: General, defect

Platform: x86
OS: Windows Server 2003
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED WORKSFORME

People: Reporter: mathertel, Unassigned

Details: Keywords: crash

Attachments: 1 file

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b2) Gecko/20050508 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b2) Gecko/20050508 Firefox/1.0+

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN" >
<html>
  <head>
    <script language="JavaScript">

/** test for moving & start */
function _testMove(evtObj)
{
  window.event = evtObj;
  window.event.srcElement = evtObj.target;
 
} // _testMove

document.addEventListener("mousedown", _testMove, false);

// ----- end of utils.js -----

</script>
  </head>
  <body>
    <input id="inputField" style="width:200px" onkeyDown="KeyDown()">
    <script language="javascript">
<!--

function KeyDown() {
  // the window.event set by the earlier mousedown handler is read here
  inspectObj(window.event);
}

function inspectObj(obj) {
  var s = "InspectObj:";
  for (var p in obj)
    try {
      s += "\n";
      if (typeof(obj[p]) == "function") {
        s += String(p) + " [function]";
      } else {
        s += String(p) + " [" + typeof(obj[p]) + "]: " + obj[p];
      } // if
    } catch (e) {}
  alert(s);
}

//-->
    </script>
  </body>
</html>


Reproducible: Always

Steps to Reproduce:
1. open the page
2. click into the field
3. press arrow-down

Actual Results:
The alert box is displayed, but when closing it ff has an access violation when
reading from location 0x000000000.

Expected Results:
NEVER CRASH!


Hint:
onclick: an event object is attached to the window.
onkeydown: the old event object is accessed.

Attached file testcase

No crash in Firefox 1.0.4 or 2005-05-11 trunk on winxp. Please update to a more
recent trunk build and confirm that you still crash.

WFM, doesn't crash for me either.  I'm using Mozilla/5.0 (Macintosh; U; PPC Mac
OS X Mach-O; en-US; rv:1.8b4) Gecko/20050719 Firefox/1.0+.  Please reopen if you
still see this bug in Deer Park Alpha 2 or a more recent trunk build.

Un-hiding. Trying to read from 0x00000000 is usually not a sign of a security
vulnerability.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Keywords: crash
Resolution: --- → WORKSFORME