Closed
Bug 317934
Opened 19 years ago
Closed 19 years ago
CVE-2006-0294 [FIX]Crash with evil testcase, switching from position:relative to static
Categories
(Core :: Layout, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: martijn.martijn, Assigned: bzbarsky)
Details
(5 keywords, Whiteboard: [sg:critical?])
Attachments
(3 files)
|
701 bytes,
text/html
|
Details | |
|
9.49 KB,
text/plain
|
Details | |
|
11.65 KB,
patch
|
roc
:
review+
roc
:
superreview+
mtschrep
:
approval1.8.0.1+
mtschrep
:
approval1.8.1+
|
Details | Diff | Splinter Review |
See upcoming testcase, when clicking on the button, current Mozilla builds crash.
This doesn't happen in Mozilla1.7.
Talkback ID: TB12309372W
0x00000000
nsIView::Destroy [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 307]
nsSplittableFrame::Destroy [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsSplittableFrame.cpp, line 71]
nsPositionedInlineFrame::Destroy [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsInlineFrame.cpp, line 1052]
nsFrameList::DestroyFrames [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameList.cpp, line 138]
nsPositionedInlineFrame::Destroy [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsInlineFrame.cpp, line 1052]
nsBlockFrame::RemoveFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsBlockFrame.cpp, line 5516]
nsFrameManager::RemoveFrame [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsFrameManager.cpp, line 704]
nsCSSFrameConstructor::ContentRemoved [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9946]
nsCSSFrameConstructor::RecreateFramesForContent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11495]
nsCSSFrameConstructor::RestyleElement [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10377]
nsCSSFrameConstructor::ProcessOneRestyle [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13211]
nsCSSFrameConstructor::ProcessPendingRestyles [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13259]
nsCSSFrameConstructor::RestyleEvent::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13324]
SHELL32.dll + 0x520c24 (0x778b0c24)
|
Reporter | |
Comment 1•19 years ago
|
||
|
|
Reporter | |
Updated•19 years ago
|
Severity: normal → critical
|
|
Reporter | |
Comment 2•19 years ago
|
||
Well, this seems to have regressed between 2005-06-20 and 2005-06-22:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-06-20+05%3A00%3A00&maxdate=2005-06-22+12%3A00%3A00&cvsroot=%2Fcvsroot
I don't have really an idea which bug could have caused the regression.
|
||
Comment 4•19 years ago
|
||
I crashed with builds back to 2005-06-10 but then couldn't crash with any build. valgrind caught it trying to use already-freed memory.
|
Assignee | |
Comment 5•19 years ago
|
||
I see this only when we process the restyle for the inner <q> first. Then when we're processing the restyle for the outer <q> we get to destroying the brand-new frame the inner restyle created for the positioned <span> and crash when trying to delete its view...
The inner frame shouldn't have a view anymore ... did we somehow fail to remove the view from its parent when we reframed the inner element?
|
|
Assignee | |
Comment 7•19 years ago
|
||
This looks like a regression from bug 292116 -- changing the parent means we get a mismatch between the frame and view trees....
Attachment #204322 -
Flags: superreview?(roc)
Attachment #204322 -
Flags: review?(roc)
|
|
Assignee | |
Updated•19 years ago
|
Assignee: nobody → bzbarsky
Group: security
Flags: blocking1.8.1?
Flags: blocking1.8.0.1?
Priority: -- → P1
Summary: Crash with evil testcase, switching from position:relative to static → [FIX]Crash with evil testcase, switching from position:relative to static
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 204322 [details] [diff] [review]
This should fix it...
don't you need to initialize appendAfterFrame to nsnull to avoid a 'possible use of uninitialized' warning?
Attachment #204322 -
Flags: superreview?(roc)
Attachment #204322 -
Flags: superreview+
Attachment #204322 -
Flags: review?(roc)
Attachment #204322 -
Flags: review+
|
|
Assignee | |
Comment 9•19 years ago
|
||
I didn't get those warnings when I compiled, so I assumed that gcc is finally sorta-smart enough...
I'll init them if warnings appear when I check in.
|
|
Assignee | |
Comment 10•19 years ago
|
||
Fixed.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 11•19 years ago
|
||
Comment on attachment 204322 [details] [diff] [review]
This should fix it...
This is a double-delete, hence potentially exploitable... I think we should take this on the 1.8 branch, after it bakes on the trunk a tad.
Attachment #204322 -
Flags: approval1.8.0.1?
I can't speak to any *potential* regressions, but the crash itself is certainly fixed in trunk build 2005-11-29-09 of SeaMonkey trunk on Windows XP.
Verified (trunk)
Status: RESOLVED → VERIFIED
|
||
Comment 13•19 years ago
|
||
Comment on attachment 204322 [details] [diff] [review]
This should fix it...
Please land on 1.8 and 1.8.1 branches.
Attachment #204322 -
Flags: approval1.8.1+
Attachment #204322 -
Flags: approval1.8.0.1?
Attachment #204322 -
Flags: approval1.8.0.1+
|
|
Assignee | |
Comment 14•19 years ago
|
||
Could someone please land this for me? If not, I'll do it in early January...
|
||
Updated•19 years ago
|
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1+
|
|
Assignee | |
Comment 15•19 years ago
|
||
*** Committing to MOZILLA_1_8_BRANCH...
nsCSSFrameConstructor.h
new revision: 1.187.6.4; previous revision: 1.187.6.3
nsCSSFrameConstructor.cpp
new revision: 1.1110.6.13; previous revision: 1.1110.6.12
*** Committing layout/base/nsCSSFrameConstructor.cpp on MOZILLA_1_8_0_BRANCH...
new revision: 1.1110.6.12.2.1; previous revision: 1.1110.6.12
*** Committing layout/base/nsCSSFrameConstructor.h on MOZILLA_1_8_0_BRANCH...
new revision: 1.187.6.3.2.1; previous revision: 1.187.6.3
Keywords: fixed1.8.0.1,
fixed1.8.1
|
||
Comment 16•19 years ago
|
||
v.fixed on 1.8.0.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1, no crash with testcase in comment #1
Keywords: fixed1.8.0.1 → verified1.8.0.1
|
||
Comment 17•19 years ago
|
||
v test case does not crash 1.8.0.1, 1.8.1, 1.9a1 windows/linux
Keywords: fixed1.8.1 → verified1.8.1
|
|
||
Updated•19 years ago
|
Flags: testcase?
|
|
||
Updated•19 years ago
|
Flags: testcase? → testcase+
|
|
||
Updated•19 years ago
|
Whiteboard: [sg:critical?]
|
|
||
Updated•19 years ago
|
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8-
|
||
Updated•19 years ago
|
Summary: [FIX]Crash with evil testcase, switching from position:relative to static → CVE-2006-0294 [FIX]Crash with evil testcase, switching from position:relative to static
|
|
||
Updated•19 years ago
|
Group: security
|
|
||
Updated•18 years ago
|
Flags: in-testsuite+ → in-testsuite?
|
|
||
Comment 18•16 years ago
|
||
crash test landed
http://hg.mozilla.org/mozilla-central/rev/876c3596f749
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•