307280 - StirDOM/csszen crash [@ nsBlockFrame::Destroy]

Status: RESOLVED WORKSFORME

(Core :: Layout, defect)

Description

[Jesse Ruderman]

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20050906
Firefox/1.6a1

Testcase crashes while status bar counter says "1400".

Filing as security-sensitive because the unsimplified testcase uses code from
bug 306663.

Comment 1

[Jesse Ruderman]

Attachment: testcase (not reduced)

Comment 2

[Jesse Ruderman]

Attachment: apple crash report with stack trace

Comment 3

[Jesse Ruderman]

I've seen non-zero "random addresses" at the top of the stack, so I think this
crash is exploitable.

Comment 4

[Jesse Ruderman]

This is also one of the more common StirDOM crashes, so it makes it harder to
test for other crashes.

Comment 5

[Boris Zbarsky [:bzbarsky]]

Probably depends on bug 278472

Comment 6

[Jesse Ruderman]

WFM Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1)
Gecko/20050922 Firefox/1.6a1

Trunk Sept 20 - crash
Trunk Step 22 - no crash
Gecko1.8 Sept 22 - no crash

Might have been fixed by the patch in bug 307277, which went in during that
window and fixed another Stir DOM crash found on CSS Zen Garden.

I'll file a new bug if I encounter other crashes with the same signature.

bz, should this bug no longer depend on bug 278472?

Please leave this bug as security-sensitive until a fixed Firefox release has
gone out (most likely Firefox 1.5) *and* bug 306663 has been made public.

Comment 7

[Boris Zbarsky [:bzbarsky]]

No idea on the dependency; I set it based on the stacks you posted...