Closed
Bug 307854
Opened 19 years ago
Closed 19 years ago
crash in table layout code, involves XBL [@ nsCellMap::GetCellInfoAt] [@ BasicTableLayoutStrategy::Initialize] [@ BasicTableLayoutStrategy::AssignNonPctColumnWidths]
Categories
(Core :: Layout: Tables, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 288790
People
(Reporter: jruderman, Assigned: bernd_mozilla)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:dupe 288799] hold for 306663-derived testcase)
Crash Data
Attachments
(2 files)
|
27.67 KB,
text/plain
|
Details | |
|
999 bytes,
patch
|
Details | Diff | Splinter Review |
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20050908 Firefox/1.6a1 Steps to reproduce: 1. Install XForms (get the XPI from the mac-xpi subdirectory of the directory from which you got your nightly build). 2. Load the testcase. Result: Crash while status bar counter says 2900. Filing as security-sensitive because (1) The crash looks exploitable based on stack traces. (2) Some users install XForms. (3) The crash might not actually involve XForms. (4) Testcase is not simplified and includes code from bug 306663.
|
Reporter | |
Comment 1•19 years ago
|
||
|
|
Reporter | |
Comment 2•19 years ago
|
||
Corresponds to TB9206231M. I don't know whether it is significant that the second item on the stack differs between Talkback and Apple.
|
|
Reporter | |
Comment 3•19 years ago
|
||
I've seen all kinds of addresses on the tops of these stacks: 0, 28, 0x02641758, 0x032db448 (SIGILL!), 0x2c696e74, 0x7ffffffc. That makes me pretty sure the crash is exploitable.
|
||
Comment 4•19 years ago
|
||
Is this just an XTF issue? There are known problems with XTF and table pseudo-elements (problems == "the two don't coexist") that I mentioned at some point in review comments on the XTF frame construction code and that never got addressed.
|
||
Comment 5•19 years ago
|
||
The patch fixes the problem in this test case, but I think the actual problem is somewhere else. We're using XBL for <xforms:output>'s layout, not XTF...
the testcase without xforms does crash with dpalpha 2 but is wfm with current trunk under winxp. So i guess thats Boris leaf patch.
|
|
Reporter | |
Comment 12•19 years ago
|
||
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20050915 Firefox/1.6a1 I can still reproduce using the original testcase (with xforms installed). It still crashes while the counter says "2900". I can still reproduce using Smaug's testcase in comment 6. It crashes while the status bar counter says "5100".
Summary: StirDOM crash in table layout code when XForms is installed [@ nsCellMap::GetCellInfoAt] [@ BasicTableLayoutStrategy::Initialize] [@ BasicTableLayoutStrategy::AssignNonPctColumnWidths] → StirDOM crash in table layout code, involves XBL [@ nsCellMap::GetCellInfoAt] [@ BasicTableLayoutStrategy::Initialize] [@ BasicTableLayoutStrategy::AssignNonPctColumnWidths]
|
||
Comment 16•19 years ago
|
||
Yet another testcase. This testcase gives the same stacktrace, but follows a different codepath to trigger the bug. It might be interesting, because I think the testcase could be in essence simpler than the previous one. But it currently still depends on the xforms xbl code.
|
|
||
Comment 17•19 years ago
|
||
This testcase gives for me also a crash at BasicTableLayoutStrategy::AssignNonPctColumnWidths, and it's simpler than testcase3.
|
|
Reporter | |
Updated•19 years ago
|
Whiteboard: [sg:fix]
|
Assignee | |
Comment 18•19 years ago
|
||
Martijn, it seems to me that this bug is a dupe of the bug that you filed (bug 288790), Boris did fix this today. At least my debug build with that patch does not crash anymore. But be warned too often my WFM is bogus.
|
|
Reporter | |
Comment 19•19 years ago
|
||
All testcases in this bug WFM with my opt build (checkout an hour or two ago). I'm going to mark this as a dup, but leave it as security-sensitive until bug 306663 is made public. *** This bug has been marked as a duplicate of 288790 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
|
|
Reporter | |
Updated•19 years ago
|
Whiteboard: [sg:fix]
|
||
Updated•19 years ago
|
Whiteboard: [sg:dupe 288799] hold for stirDOM code
|
|
||
Updated•18 years ago
|
Summary: StirDOM crash in table layout code, involves XBL [@ nsCellMap::GetCellInfoAt] [@ BasicTableLayoutStrategy::Initialize] [@ BasicTableLayoutStrategy::AssignNonPctColumnWidths] → crash in table layout code, involves XBL [@ nsCellMap::GetCellInfoAt] [@ BasicTableLayoutStrategy::Initialize] [@ BasicTableLayoutStrategy::AssignNonPctColumnWidths]
Whiteboard: [sg:dupe 288799] hold for stirDOM code → [sg:dupe 288799] hold for 306663-derived testcase
|
|
||
Updated•18 years ago
|
Attachment #195516 -
Attachment is private: true
|
|
||
Updated•18 years ago
|
Attachment #195516 -
Attachment is private: false
|
|
||
Updated•18 years ago
|
Group: security
|
||
Updated•13 years ago
|
Crash Signature: [@ nsCellMap::GetCellInfoAt]
[@ BasicTableLayoutStrategy::Initialize]
[@ BasicTableLayoutStrategy::AssignNonPctColumnWidths]
You need to log in
before you can comment on or make changes to this bug.
Description
•