26.96 KB, text/plain
245 bytes, text/html
1.26 KB, patch
|Details | Diff | Splinter Review|
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20050908 Firefox/1.6a1 Filing as security-sensitive because the testcase includes code from bug 306939 and I didn't manage to make a simplified testcase.
Crashes while the status bar counter says 1411.
Summary: RandomStyles crash [@ nsGridRowLayout::GetGrid] → Crash involving nested elements with style="display: -moz-grid-group;" [@ nsGridRowLayout::GetGrid]
The nsGrid::GetScrolledBox will happily return non-boxes if it's passed one, but if it gets a scrollframe for a non-box it'll return null. So we need to guard against it here. Or change what nsGrid::GetScrolledBox does.
Assignee: nobody → bzbarsky
Target Milestone: --- → mozilla1.9alpha
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Any reason not to take this safe fix on the 1.8/1.8.0 branches?
Whiteboard: [sg:nse null-deref] reveals 306939 testcase
Main reason is that I have no idea what this code really does and what the implications of this change really are...
DBaron - any thoughts on risk for 1.8 branch?
Minusing for 184.108.40.206 based on Boris's discomfort (might be trading a safe null-deref for a worse crash elsewhere). We'll do more testing on the trunk and see if this can go into 220.127.116.11 safely.
DBaron/Bz any thoughts for 1.8.1? If we are going to take this for 18.104.22.168 we'll need it for 1.8.1 as well..
Boris: I'm pretty happy with this patch. The code being changed is determining if the child's layout manager is an nsIGridPart. If it's not a box at all, then it's certainly doesn't have an nsIGridPart layout manager (nsFrame's box code is nothing like an nsIGridPart). So it seems quite safe to me. Are you still concerned with the patch?
No, as long as someone understands why this is generally the right thing to do, I'm happy.
Attachment #198651 - Flags: approval1.8.1?
Comment on attachment 198651 [details] [diff] [review] Proposed fix a=schrep for 181drivers.
Attachment #198651 - Flags: approval1.8.1? → approval1.8.1+
Checked in to MOZILLA_1_8_BRANCH.
Restoring lost blocking flag
Comment on attachment 198651 [details] [diff] [review] Proposed fix approved for 1.8.0 branch, a=dveditz for drivers
Attachment #198651 - Flags: approval22.214.171.124+
Fixed on 1.8.0 branch for 126.96.36.199.
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:188.8.131.52pre) Gecko/20061020 Firefox/184.108.40.206pre, no crash with reduced testcase.
Whiteboard: [sg:nse null-deref] reveals 306939 testcase → [sg:nse null-deref]
Crash Signature: [@ nsGridRowLayout::GetGrid]
You need to log in before you can comment on or make changes to this bug.