Closed Bug 307809 Opened 19 years ago Closed 19 years ago

Crash involving nested elements with style="display: -moz-grid-group;" [@ nsGridRowLayout::GetGrid]


(Core :: Layout, defect)

Not set





(Reporter: jruderman, Assigned: bzbarsky)



(Keywords: crash, fixed1.8.1, verified1.8.0.8, Whiteboard: [sg:nse null-deref])

Crash Data


(3 files)

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20050908

Filing as security-sensitive because the testcase includes code from bug 306939
and I didn't manage to make a simplified testcase.
Attached file testcase (not reduced)
Crashes while the status bar counter says 1411.
Attached file reduced testcase
Summary: RandomStyles crash [@ nsGridRowLayout::GetGrid] → Crash involving nested elements with style="display: -moz-grid-group;" [@ nsGridRowLayout::GetGrid]
Blocks: 306940
Attached patch Proposed fixSplinter Review
The nsGrid::GetScrolledBox will happily return non-boxes if it's passed one,
but if it gets a scrollframe for a non-box it'll return null.  So we need to
guard against it here.	Or change what nsGrid::GetScrolledBox does.
Attachment #198651 - Flags: superreview?(dbaron)
Attachment #198651 - Flags: review?(bryner)
No longer blocks: 306940
Blocks: 314502
Attachment #198651 - Flags: superreview?(dbaron)
Attachment #198651 - Flags: superreview+
Attachment #198651 - Flags: review?(bryner)
Attachment #198651 - Flags: review+
Assignee: nobody → bzbarsky
Target Milestone: --- → mozilla1.9alpha
Closed: 19 years ago
Resolution: --- → FIXED
Flags: testcase+
Any reason not to take this safe fix on the 1.8/1.8.0 branches?
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?
Whiteboard: [sg:nse null-deref] reveals 306939 testcase
Flags: blocking1.8.1? → blocking1.8.1+
Main reason is that I have no idea what this code really does and what the implications of this change really are...
Flags: blocking1.8.0.6? → blocking1.8.0.6+
DBaron - any thoughts on risk for 1.8 branch?
Minusing for based on Boris's discomfort (might be trading a safe null-deref for a worse crash elsewhere). We'll do more testing on the trunk and see if this can go into safely.
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.7-
Flags: blocking1.8.0.7+
DBaron/Bz any thoughts for 1.8.1?  If we are going to take this for we'll need it for 1.8.1 as well.. 
Boris:  I'm pretty happy with this patch.  The code being changed is determining if the child's layout manager is an nsIGridPart.  If it's not a box at all, then it's certainly doesn't have an nsIGridPart layout manager (nsFrame's box code is nothing like an nsIGridPart).  So it seems quite safe to me.

Are you still concerned with the patch?
No, as long as someone understands why this is generally the right thing to do, I'm happy.
Comment on attachment 198651 [details] [diff] [review]
Proposed fix

a=schrep for 181drivers.
Attachment #198651 - Flags: approval1.8.1? → approval1.8.1+
Checked in to MOZILLA_1_8_BRANCH.
Keywords: fixed1.8.1
Restoring lost blocking flag
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9? → blocking1.8.0.8+
Comment on attachment 198651 [details] [diff] [review]
Proposed fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #198651 - Flags: approval1.8.0.8+
Fixed on 1.8.0 branch for
Keywords: fixed1.8.0.8
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/20061020 Firefox/, no crash with reduced testcase.
Group: security
Whiteboard: [sg:nse null-deref] reveals 306939 testcase → [sg:nse null-deref]
Flags: in-testsuite+ → in-testsuite?
Crash Signature: [@ nsGridRowLayout::GetGrid]
You need to log in before you can comment on or make changes to this bug.