626 bytes, application/vnd.mozilla.xul+xml
6.16 KB, text/plain
865 bytes, patch
Neil Deakin: review+
|Details | Diff | Splinter Review|
Loading the testcase crashes Firefox. Filing as security-sensitive because I don't know what would happen if I set it to something other than null, but controlled by content.
Completely different stack trace from windows on 188.8.131.52pre debug, cx->fp->pc is 0xCCCCCCCC (uninitialized memory). On an opt build this could potentially grab values from recently freed memory filled by an attacker. Memory would have to be filled with values that were addresses that pointed to something that made sense as JS opcodes, exploitation might be difficult. > js_GetProperty() Line 3418 C nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject() Line 243 C++ nsXPCWrappedJSClass::DelegatedQueryInterface() Line 595 C++ nsXPCWrappedJS::QueryInterface() Line 106 C++ DispatchToInterface() Line 141 C++ nsEventListenerManager::HandleEvent() Line 1752 C++ nsXULDocument::HandleDOMEvent() Line 1234 C++ nsXULElement::HandleDOMEvent() Line 2254 C++ PresShell::HandleEventInternal() Line 6425 C++ PresShell::HandleEvent() Line 6261 C++ PresShell::RetargetEventToParent() Line 6037 C++ PresShell::HandleEvent() Line 6168 C++ nsViewManager::HandleEvent() Line 2512 C++ nsViewManager::DispatchEvent() Line 2246 C++ HandleEvent() Line 171 C++ nsWindow::DispatchEvent() Line 1389 C++ nsWindow::DispatchWindowEvent() Line 1409 C++ nsWindow::DispatchKeyEvent() Line 3707 C++ nsWindow::OnKeyDown() Line 3727 C++ nsWindow::ProcessMessage() Line 4883 C++ nsWindow::WindowProc() Line 1577 C++ 77d48744 77d48826 77d489dd 77d48a20 nsAppShell::Run() Line 133 C++ nsAppStartup::Run() Line 151 C++ XRE_main() Line 2444 C++ main() Line 61 C++ mainCRTStartup() Line 398 C Hit a JS assert in 184.108.40.206, but still looking like JS frame corruption of some kind. Assertion failure: JS_UPTRDIFF(fp->sp, fp->spbase) <= depthdiff, at c:/dev/ff15/mozilla/js/src/jsinterp.c:386 On trunk this WFM on windows. Mac only crash? Fixed along the way?
WFM Mac trunk debug. Should the Windows issue become a separate bug report?
I still see this on Linux, but branches only, not trunk. I've got a trivial fix for the crash I'm seeing (same stack as the mac stack trace in this bug).
Created attachment 251241 [details] [diff] [review] Add null check. In the case I'm seeing the crash, the target is a document, not something that successfully QIs to nsIContent.
Comment on attachment 251241 [details] [diff] [review] Add null check. Is this a branch crash only? The event listener should always be a XUL element, so why is the target of the event a document?
Comment on attachment 251241 [details] [diff] [review] Add null check. Since this is branch-only it's less important that the fix is the RightThing(tm). But it'd be good to know that things work as they should on trunk.
Comment on attachment 251241 [details] [diff] [review] Add null check. Approved for both branches, a=jay for drivers.
Fix landed on the branches, marking bug FIXED (as this is not an issue on the trunk).
verified on the 1.8 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:220.127.116.11pre) Gecko/20070125 BonEcho/18.104.22.168pre. No crash using Testcase. adding keyword.
verified on the 1.8.0. branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:22.214.171.124pre) Gecko/20070125 Firefox/126.96.36.199pre. No crash with testcase, adding keyword.
Crashtest checked in.