Firefox crashes when pasting RichText into Gmail (Google) body form with RichText enabled [@ nsVoidArray::FastElementAt]

RESOLVED WORKSFORME

Status

--
critical
RESOLVED WORKSFORME
13 years ago
7 years ago

People

(Reporter: smearedblackink, Unassigned)

Tracking

({crash})

Trunk
x86
Windows Server 2003
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

While attempting to paste an AOL Instant Messenger Triton Conversation into a Gmail email body form with RichText enabled Firefox 1.5 abruptly crashes.

This could possibly be a security problem disclosing private email information.

Reproducible: Always

Steps to Reproduce:
1. Compose a new email message at http://www.gmail.com/
2. Enable Rich formatting
3. Paste (Ctrl+V) an AOL Instant Messenger Triton Conversation into the main body form.

Actual Results:  
Once you have pressed Ctrl+V to paste the text into the form, Firefox will crash immediately. It won't even display the text that was copied into the Gmail form.

Expected Results:  
The copied text should be placed into the Gmail Body form without error.

Computer Configuration:
Microsoft Windows XP Professional x64 Edition, Version 2003, Service Pack 1
Intel Pentium D, Dual Core, 3.0Ghz
2.00 GB of RAM

--------
Crash Information from Windows Error Reporting Software:
AppName: firefox.exe
AppVer : 1.8.20051.11116
ModName: xpcom_core.dll
Modver : 1.8.20051.11116
Offset : 00004453
I can confirm this crash pasting from AIM Triton Beta, but no crash pasting an equivalent-looking conversation from AIM 5.9.3797 (the older AIM pastes plain text; rich formatting is stripped).

The crash is a null de-ref of mImpl in nsVoidArray::FastElementAt(). nodelist comes back empty from CreateListOfNodesToPaste and it doesn't return an error. Asserts seem to show we're not expecting this.
http://lxr.mozilla.org/mozilla/source/editor/libeditor/html/nsHTMLDataTransfer.cpp#385

Here's the stack:

 	nsVoidArray::FastElementAt(int aIndex=0x00000000) Line 72 + 0x9	C++
 	nsCOMArray_base::ObjectAt(int aIndex=0x00000000) Line 101	C++
 	nsCOMArray<nsIDOMNode>::ObjectAt(int aIndex=0x00000000) Line 153 + 0xf	C++
 	nsCOMArray<nsIDOMNode>::operator[](int aIndex=0x00000000) Line 164	C++
>	nsHTMLEditor::InsertHTMLWithContext(const nsAString_internal & aInputString={...}, const nsAString_internal & aContextStr={...}, const nsAString_internal & aInfoStr={...}, const nsAString_internal & aFlavor={...}, nsIDOMDocument * aSourceDoc=0x00000000, nsIDOMNode * aDestNode=0x00000000, int aDestOffset=0x00000000, int aDeleteSelection=0x00000001) Line 464 + 0x24	C++
 	nsHTMLEditor::InsertFromTransferable(nsITransferable * transferable=0x03971170, nsIDOMDocument * aSourceDoc=0x00000000, const nsAString_internal & aContextStr={...}, const nsAString_internal & aInfoStr={...}, nsIDOMNode * aDestinationNode=0x00000000, int aDestOffset=0x00000000, int aDoDeleteSelection=0x00000001) Line 1325 + 0x44	C++
 	nsHTMLEditor::Paste(int aSelectionType=0x00000001) Line 1927 + 0x30	C++
 	nsPasteCommand::DoCommand(const char * aCommandName=0x0012c390, nsISupports * aCommandRefCon=0x0483d200) Line 418 + 0x1e	C++
 	nsControllerCommandTable::DoCommand(const char * aCommandName=0x0012c390, nsISupports * aCommandRefCon=0x0483d200) Line 191 + 0x21	C++
 	nsBaseCommandController::DoCommand(const char * aCommand=0x0012c390) Line 131 + 0x27	C++
 	nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * aReceiver=0x02ec8388, nsIDOMEvent * aEvent=0x04ca2f08) Line 355 + 0x2e	C++
 	nsXBLWindowHandler::WalkHandlersInternal(nsIDOMEvent * aEvent=0x04ca2f08, nsIAtom * aEventType=0x00f34ed8, nsXBLPrototypeHandler * aHandler=0x0362a670) Line 305 + 0x18	C++
 	nsXBLWindowKeyHandler::WalkHandlers(nsIDOMEvent * aKeyEvent=0x04ca2f08, nsIAtom * aEventType=0x00f34ed8) Line 193 + 0x20	C++
 	nsXBLWindowKeyHandler::KeyPress(nsIDOMEvent * aKeyEvent=0x04ca2f08) Line 248 + 0x18	C++
 	DispatchToInterface(nsIDOMEvent * aEvent=0x04ca2f08, nsIDOMEventListener * aListener=0x03158fd0, unsigned int (nsIDOMEvent *)* aMethod=0x025278d0, const nsID & aIID={...}, int * aHasInterface=0x0012c7f8) Line 141 + 0xd	C++
 	nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, nsIDOMEventTarget * aCurrentTarget=0x02ec8388, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 1779 + 0x23	C++
 	nsWindowRoot::HandleChromeEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 254 + 0x37	C++
 	nsGlobalWindow::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 1570 + 0x3e	C++
 	nsXULDocument::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 1250 + 0x38	C++
 	nsXULElement::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 2178 + 0x3e	C++
 	nsXULElement::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 2172 + 0x3e	C++
 	nsXULElement::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 2172 + 0x3e	C++
 	nsXULElement::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 2172 + 0x3e	C++
 	nsXULElement::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 2172 + 0x3e	C++
 	nsXULElement::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 2172 + 0x3e	C++
 	nsXULElement::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 2172 + 0x3e	C++
 	nsXULElement::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 2172 + 0x3e	C++
 	nsXULElement::HandleChromeEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 2833 + 0x25	C++
 	nsGlobalWindow::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 1570 + 0x3e	C++
 	nsDocument::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000202, nsEventStatus * aEventStatus=0x0012f104) Line 4010 + 0x37	C++
 	nsGenericElement::HandleDOMEvent(nsPresContext * aPresContext=0x031b5d58, nsEvent * aEvent=0x0012f388, nsIDOMEvent * * aDOMEvent=0x0012ed40, unsigned int aFlags=0x00000207, nsEventStatus * aEventStatus=0x0012f104) Line 2206 + 0x30	C++
 	PresShell::HandleEventInternal(nsEvent * aEvent=0x0012f388, nsIView * aView=0x039e2968, unsigned int aFlags=0x00000001, nsEventStatus * aStatus=0x0012f104) Line 6420 + 0x41	C++
 	PresShell::HandleEvent(nsIView * aView=0x039e2968, nsGUIEvent * aEvent=0x0012f388, nsEventStatus * aEventStatus=0x0012f104, int aForceHandle=0x00000001, int & aHandled=0x00000001) Line 6203 + 0x19	C++
 	nsViewManager::HandleEvent(nsView * aView=0x039e2968, nsGUIEvent * aEvent=0x0012f388, int aCaptured=0x00000000) Line 2512 + 0x34	C++
 	nsViewManager::DispatchEvent(nsGUIEvent * aEvent=0x0012f388, nsEventStatus * aStatus=0x0012f290) Line 2246 + 0x1a	C++
 	HandleEvent(nsGUIEvent * aEvent=0x0012f388) Line 171 + 0x21	C++
 	nsWindow::DispatchEvent(nsGUIEvent * event=0x0012f388, nsEventStatus & aStatus=nsEventStatus_eIgnore) Line 1252 + 0xc	C++
 	nsWindow::DispatchWindowEvent(nsGUIEvent * event=0x0012f388) Line 1272 + 0x1d	C++
 	nsWindow::DispatchKeyEvent(unsigned int aEventType=0x00000083, unsigned short aCharCode=0x0076, unsigned int aVirtualCharCode=0x00000000, long aKeyData=0x00000000, unsigned int aFlags=0x00000000) Line 3448 + 0x11	C++
 	nsWindow::OnChar(unsigned int charCode=0x00000000, unsigned int aFlags=0x00000000) Line 3693 + 0x21	C++
 	nsWindow::OnKeyDown(unsigned int aVirtualKeyCode=0x00000056, unsigned int aScanCode=0x0000002f, long aKeyData=0x002f0001) Line 3540 + 0x10	C++
 	nsWindow::ProcessMessage(unsigned int msg=0x00000100, unsigned int wParam=0x00000056, long lParam=0x002f0001, long * aRetValue=0x0012fa34) Line 4487 + 0x1a	C++
 	nsWindow::WindowProc(HWND__ * hWnd=0x00190534, unsigned int msg=0x00000100, unsigned int wParam=0x00000056, long lParam=0x002f0001) Line 1434 + 0x1d	C++
 	77d48744	
 	77d48826	
 	77d489dd	
 	77d48a20	
 	nsAppShell::Run() Line 133 + 0xc	C++
 	nsAppStartup::Run() Line 150 + 0x1c	C++
 	XRE_main(int argc=0x00000003, char * * argv=0x00487988, const nsXREAppData * aAppData=0x0043008c) Line 2313 + 0x25	C++
 	main(int argc=0x00000003, char * * argv=0x00487988) Line 61 + 0x12	C++
 	mainCRTStartup() Line 398 + 0x11	C
 	7c816d4f	
 	7c8399f3
Assignee: nobody → mozeditor
Group: security
Status: UNCONFIRMED → NEW
Component: General → Editor
Ever confirmed: true
Product: Firefox → Core
QA Contact: general
Version: unspecified → Trunk
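The failure mode described in comment 1 (an empty node list that is reported as success, then indexed at 0 by an accessor that assumes its backing storage exists) is easy to reproduce in isolation. The following is an added sketch written for this page, not Mozilla's code: the class, function names and the `nsresult` values are hypothetical stand-ins that only mirror the names in the stack above, and the tag scanner is a toy replacement for `CreateListOfNodesToPaste`. It shows the unchecked access beside a hardened caller that turns "nothing to paste" into an error return instead of a null dereference.

```cpp
#include <cctype>
#include <cstdint>
#include <deque>
#include <string>
#include <vector>

// Constructed sketch (not Mozilla code) of the failure mode in comment 1: a
// "fast" array accessor that assumes its backing storage exists, fed by a
// list-building routine that can legitimately produce zero nodes yet reports
// success. Names mirror the stack above; the bodies are hypothetical.

typedef int32_t nsresult;              // hypothetical stand-in for XPCOM's nsresult
const nsresult NS_OK = 0;
const nsresult NS_ERROR_FAILURE = -1;  // placeholder value, not the real constant

struct Node { std::string tagName; };

// Stand-in for nsVoidArray: mImpl stays null until the first element is added.
class VoidArray {
public:
    VoidArray() : mImpl(nullptr) {}
    ~VoidArray() { delete mImpl; }
    VoidArray(const VoidArray&) = delete;
    VoidArray& operator=(const VoidArray&) = delete;
    void AppendElement(Node* n) {
        if (!mImpl) mImpl = new std::vector<Node*>();
        mImpl->push_back(n);
    }
    int Count() const { return mImpl ? static_cast<int>(mImpl->size()) : 0; }
    // No null or bounds check: on an empty array this dereferences a null
    // mImpl, which is the crash at the top of the stack above.
    Node* FastElementAt(int i) const { return (*mImpl)[i]; }
    // Defensive variant: never touches mImpl unless the index is in range.
    Node* SafeElementAt(int i) const {
        return (mImpl && i >= 0 && i < Count()) ? (*mImpl)[i] : nullptr;
    }
private:
    std::vector<Node*>* mImpl;
};

// Toy stand-in for CreateListOfNodesToPaste: one node per opening tag in the
// fragment. Input with no tags (an odd clipboard flavour, say) yields an
// empty list *and* NS_OK, exactly the combination the caller must handle.
nsresult CreateListOfNodesToPaste(const std::string& fragment,
                                  std::deque<Node>& storage, VoidArray& out) {
    for (size_t i = 0; i < fragment.size(); ++i) {
        if (fragment[i] != '<' || i + 1 >= fragment.size() ||
            !std::isalpha(static_cast<unsigned char>(fragment[i + 1]))) continue;
        size_t j = i + 1;
        while (j < fragment.size() &&
               std::isalnum(static_cast<unsigned char>(fragment[j]))) ++j;
        storage.push_back(Node{fragment.substr(i + 1, j - i - 1)});
        out.AppendElement(&storage.back());  // deque keeps the address stable
    }
    return NS_OK;
}

// Unchecked caller mirroring the crashing path: indexes [0] on whatever came
// back. Not exercised by the test, because on an empty list it is undefined
// behaviour (a null dereference in practice).
nsresult InsertFirstNodeUnchecked(const std::string& fragment, std::string& firstTag) {
    std::deque<Node> storage;
    VoidArray nodeList;
    nsresult rv = CreateListOfNodesToPaste(fragment, storage, nodeList);
    if (rv != NS_OK) return rv;
    firstTag = nodeList.FastElementAt(0)->tagName;  // null deref when Count()==0
    return NS_OK;
}

// Hardened caller: treat "nothing to paste" as a failure the editor can report
// rather than a crash, and use the range-checked accessor for the read.
nsresult InsertFirstNodeChecked(const std::string& fragment, std::string& firstTag) {
    std::deque<Node> storage;
    VoidArray nodeList;
    nsresult rv = CreateListOfNodesToPaste(fragment, storage, nodeList);
    if (rv != NS_OK) return rv;
    if (nodeList.Count() == 0) return NS_ERROR_FAILURE;  // empty list: error, not crash
    Node* first = nodeList.SafeElementAt(0);
    if (!first) return NS_ERROR_FAILURE;
    firstTag = first->tagName;
    return NS_OK;
}

// Small wrappers so the outcomes can be checked as plain return values.
bool CheckedPasteSucceeds(const std::string& fragment) {
    std::string t;
    return InsertFirstNodeChecked(fragment, t) == NS_OK;
}
std::string CheckedFirstTag(const std::string& fragment) {
    std::string t;
    InsertFirstNodeChecked(fragment, t);
    return t;
}
```

The point for a reviewer is the second `if` in `InsertFirstNodeChecked`: a list builder that returns success with zero elements is a valid outcome, so the caller has to test `Count()` before any `[0]` access, and a range-checked accessor is the right default whenever the index is not provably in bounds.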

Updated

13 years ago
Keywords: crash
Summary: Firefox crashes when pasting RichText into Gmail (Google) body form with RichText enabled. → Firefox crashes when pasting RichText into Gmail (Google) body form with RichText enabled [@ nsVoidArray::FastElementAt]

Comment 2

13 years ago
*** Bug 322530 has been marked as a duplicate of this bug. ***

Comment 3

13 years ago
*** Bug 330945 has been marked as a duplicate of this bug. ***
Created attachment 229795 [details]
Form with a textarea; strange characters in the textarea crash the browser
It is not necessary for the text to be copied from another program; having strange characters is enough for Firefox to crash (WinXP), for example when replying to a message that includes any of them, or if you copy and paste the text "Espa?a" from this page: http://www.striptm.com/ejemplos/badcharset.html
Linux version of Bon Echo seems not to be affected.
I'm testing it again with the new nightly and it works correctly.

Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1b1) Gecko/20060806 BonEcho/2.0b1

So I think that the bug can be closed now.

Comment 7

12 years ago
Fernando, were you seeing the same stack as in comment 1?

Comment 8

(In reply to comment #7)

This bug seems to be solved, what do you mean?

Comment 9

12 years ago
I want to verify that the crash you were seeing in comment 4 and comment 5 is the one that this bug deals with. One way to do this is for me to see a stack for the crash; e.g. a talkback ID.

I'm sure there are many bugs dealing with weird characters in textareas; the bug you were seeing may not be the same as this one.

Comment 10

I've been searching in different builds (1.5, 1.5.0.4...) and I can't find the one that crashed :-( but I remember that when it crashed, the strange characters appeared as a square instead of a "?". And I also sent with talkback the crash used in this mail.

I hope this information will be useful to you.

Comment 11

12 years ago
Fernando, I looked at the Talkback reports you submitted and the crash you were seeing was bug 343741 (which was indeed fixed).

Comment 12

12 years ago
so, gone in FF 2.0?
QA Contact: editor
Assignee: mozeditor → nobody
(Reporter)

Updated

11 years ago
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 13

11 years ago
Kc, thanks for updating the bug. However, FIXED is not an appropriate resolution for this bug as I mentioned in my e-mail:
   WORKSFORME  - gone, or solved but bug does not have a patch.
   FIXED       - you know what mozilla patch/bug that fixed the problem.
Resolution: FIXED → WORKSFORME
(Assignee)

Updated

7 years ago
Crash Signature: [@ nsVoidArray::FastElementAt]