Closed Bug 326834 Opened 18 years ago Closed 18 years ago

CVE-2006-1531 [FIX]Crash with evil xul testcase, using listbox/listitem and display: table-cell

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

References

Details

(5 keywords, Whiteboard: [sg:critical?][rft-dl] not in moz1.7/ff1.0)

Attachments

(4 files, 1 obsolete file)

testcase
760 bytes, application/vnd.mozilla.xul+xml
Details
Updated to comments
3.81 KB, patch
Details | Diff | Splinter Review
1.8.0.x branch patch
3.80 KB, patch
dveditz
: approval1.8.0.2+
Details | Diff | Splinter Review
1.8 version of patch
3.72 KB, patch
roc
: approval-branch-1.8.1+
Details | Diff | Splinter Review 
See upcoming testcase, which crashes current trunk Mozilla's build when visiting the page.
Doesn't crash in 2006-01-30 build, crashes in 2006-01-31 build, so a regression from bug 282105, I think.
Attached file testcase 

    
  
Blocks: 282105

    
    

    
  
Yeah.  I bet prior to bug 282105 we just totally failed to call into the listbox here.  Now we do, and it screws up the OnContentRemoved notification, sorta.  I bet we could produce similar effects even before the patch for bug 282105.

The problem is that the table cell is not actually a child of the listboxbody -- the anon table frame is.  So when we call into nsListBoxBodyFrame::RemoveChildFrame we don't actually remove any frames from anywhere... but we DO call Destroy() on aFrame. So after that we have a deleted frame in the frametree, and we're dead.

Now I could easily fix things to not call Destroy() if we fail to destroy aFrame.  But then we'd end up with the frame not getting removed, and ContentInserted creating a new frame and bad stuff would happen.

I guess what we should do is only notify the listbox body if the parent of our frame is a listbox body frame.  But that means that the pseudo work will need to deal with this later (that is, when we get pseudo removal working).
Flags: blocking1.8.0.2?
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Proposed patch (obsolete)
        — Splinter Review
      

    


  
I'll merge this to branches once I know it's ok in general.
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED

        Attachment #211519 -
        Flags: superreview?(roc)

        Attachment #211519 -
        Flags: review?(neil)

    
  
Group: security
Flags: blocking1.8.1?
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: Crash with evil xul testcase, using listbox/listitem and display: table-cell → [FIX]Crash with evil xul testcase, using listbox/listitem and display: table-cell
Target Milestone: --- → mozilla1.9alpha

    
    

    
  
Comment on attachment 211519 [details] [diff] [review]
Proposed patch

I don't have time to give this a proper review as I need to get up early tomorrow morning to go on holiday (US: vacation) for the rest of the week. But it occurs to me that you could tack your extra condition onto the one just missed by your -u8 diff since aChildFrame is always null when notifying for insertions.

    
    

    
  
Comment on attachment 211519 [details] [diff] [review]
Proposed patch

I can't, since my extra condition needs to compare to |listBoxBodyFrame|, which I don't have up there.

I think we want this in sooner than a week.  Roc, are you ok with doing r+sr on this?

        Attachment #211519 -
        Flags: review?(neil) → review?(roc)

    
    

    
  
(In reply to comment #5)
>(From update of attachment 211519 [details] [diff] [review])
>I can't, since my extra condition needs to compare to |listBoxBodyFrame|, which
>I don't have up there.
I do need the sleep, don't I ;-) How about putting the condition on the call to RemoveChildFrame in nsListBoxBodyFrame::OnContentRemoved i.e.
if (aChildFrame && aChildFrame->GetParent() == this) {
  RemoveChildFrame(state, aChildFrame);
}

    
    

    
  
> How about putting the condition on the call to RemoveChildFrame in
> nsListBoxBodyFrame::OnContentRemoved 

I need to return different booleans in the frame constructor depending on this condition; if we're not removing via OnContentRemoved we need to remove through the normal codepath.  See comment 2 paragraph 3.  And nsListBoxBodyFrame::OnContentRemoved returns void.  I could change this, I guess, and just return what I'm checking up front right now...

        Attachment #211519 -
        Flags: superreview?(roc)

        Attachment #211519 -
        Flags: superreview+

        Attachment #211519 -
        Flags: review?(roc)

        Attachment #211519 -
        Flags: review+

    
    

    
  
I think we should take this patch and add an assertion to OnContentRemoved that aChildFrame's parent == this if it's non-null.

    
    

    
  


  

        Attachment #211519 -
        Attachment is obsolete: true

    
    

    
  


  

        Attachment #211637 -
        Flags: approval1.8.0.2?

    
    

    
  


  

        Attachment #211639 -
        Flags: approval-branch-1.8.1?(roc)

    
    

    
  
This is not an issue on the 1.7 branch since we didn't do table pseudos for XUL there.
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?

    
    

    
  
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

        Attachment #211639 -
        Flags: approval-branch-1.8.1?(roc) → approval-branch-1.8.1+

    
    

    
  
Fixed on 1.8.1 branch.
Keywords: fixed1.8.1

    
    

    
  
Verified FIXED using build 2006-02-13-09 with testcase: https://bugzilla.mozilla.org/attachment.cgi?id=211511&action=view on Windows XP SeaMonkey trunk.
Status: RESOLVED → VERIFIED
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.2+

    
    

    
  
Comment on attachment 211637 [details] [diff] [review]
1.8.0.x branch patch

approved for 1.8.0 branch, a=dveditz for drivers

        Attachment #211637 -
        Flags: approval1.8.0.2? → approval1.8.0.2+

    
    

    
  
Fixed on 1.8.0.2 branch.
Keywords: fixed1.8.0.2
Whiteboard: [rft-dl]

    
    

    
  
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060224 Firefox/1.5.0.1, no crash with testcase.
Keywords: fixed1.8.0.2verified1.8.0.2
Whiteboard: [rft-dl] → [rft-dl] not in moz1.7
Whiteboard: [rft-dl] not in moz1.7 → [sg:critical?][rft-dl] not in moz1.7/ff1.0

    
  
Summary: [FIX]Crash with evil xul testcase, using listbox/listitem and display: table-cell → CVE-2006-1531 [FIX]Crash with evil xul testcase, using listbox/listitem and display: table-cell
Group: security

    
    

    
  
Verified on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060815 BonEcho/2.0b1, as well as MacOS X version.

Firefox did not crash with the testcase.
Keywords: fixed1.8.1verified1.8.1

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: