Closed Bug 306782 Opened 19 years ago Closed 19 years ago

[@ nsCSSFrameConstructor::GetFloatContainingBlock], [@ 0x4e800020] and other addresses

Categories

Product/Component: Core :: Layout
Version: 1.8 Branch
Hardware: PowerPC
OS: macOS
Type: defect
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 265367

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [sg:dupe 265267] wait for 306663 to be opened)

Crash Data

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050901 Firefox/1.0+ crashes with the following testcase. Trunk does not. I think this is an exploitable crash.
Attached file testcase (not reduced)
Crash reports for this testcase: TB8952610X, TB8952630Q.
Crash reports with similar JavaScript used as a bookmarklet on various pages: TB8922738K, TB8923005W, TB8923133W (from bug 306663).

Steps to reproduce:
1. Load the testcase.
2. Watch for about 3 seconds.
Result: Firefox crashes.
No crash with a Gecko 1.8 branch hourly. Fixed by the patch for bug 265367.
*** Bug 306787 has been marked as a duplicate of this bug. ***
*** Bug 306789 has been marked as a duplicate of this bug. ***
*** Bug 306798 has been marked as a duplicate of this bug. ***
I'm marking this as a dup of a public bug, but this bug should remain security-sensitive until we decide to make the JavaScript code from bug 306663 public.

*** This bug has been marked as a duplicate of 265367 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 265267] wait for 306663 to be opened
Group: security
Crash Signature: [@ nsCSSFrameConstructor::GetFloatContainingBlock] [@ 0x4e800020]