Steps to reproduce (WARNING! This will crash your browser):
1. Click on above URL
2. Crash and burn
TB IDs from a recent 1.8 nightly: TB15134809G, TB15134839Y, TB15134942E
Also happens with FF 126.96.36.199.
This is a null pointer dereference in the event code. It's not exploitable, so clearing the security group flag. This is a regression from bug 238773. I have a fix.
Assignee: nobody → events
Component: General → DOM: Events
Keywords: regression, testcase
OS: Windows 2000 → All
Priority: -- → P1
Product: Firefox → Core
QA Contact: general → ian
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha
Version: 1.5 Branch → Trunk
Created attachment 211787: Fix
This is a diff -w (to account for some whitespace inconsistencies below the patch). Presumably, the old code set aEvent early, whereas this moved code doesn't bother (and instead sets mEvent). This patch simply uses mEvent, which is set to aEvent if that isn't null, and a new event otherwise.
Comment on attachment 211787: Fix
r+sr=jst
Created attachment 211790: Non-diff -w
For the record, this is what I just checked in.
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Comment on attachment 211787: Fix
This is a pretty trivial null-defense fix...
Attachment #211787 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Comment on attachment 211787: Fix
approved for 1.8.0 branch, a=dveditz
Attachment #211787 - Flags: approval188.8.131.52? → approval184.108.40.206+
Fix checked into the 1.8 branches, though I neglected to mention my a= in the checkin comment.
Keywords: fixed220.127.116.11, fixed1.8.1
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/20060302 Firefox/22.214.171.124, no crash with js event in URL bar.
Keywords: fixed126.96.36.199 → verified188.8.131.52