Bug 327066 - document.createEvent('TextEvent') crashes
Status: RESOLVED FIXED
Whiteboard: [sg:nse][rft-dl]
Keywords: fixed1.8.1, regression, testcase, verified1.8.0.2
Product: Core
Classification: Components
Component: DOM: Events
Version: Trunk
Platform: All All
Importance: P1 critical
Target Milestone: mozilla1.9alpha1
Assigned To: Blake Kaplan (:mrbkap)
QA Contact: Hixie (not reading bugmail)
Triage Owner: Andrew Overholt [:overholt]
Mentors:
URL: javascript:document.createEvent('Text...
Depends on:
Blocks: nsdomevent_separate
Reported: 2006-02-13 15:01 PST by Christian Schmidt
Modified: 2006-03-02 15:02 PST
Flags: dveditz: blocking1.8.0.2+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Fix (1.65 KB, patch)
2006-02-13 15:23 PST, Blake Kaplan (:mrbkap)
jst: review+
jst: superreview+
jst: approval-branch-1.8.1+
dveditz: approval1.8.0.2+
Non-diff -w (2.93 KB, patch)
2006-02-13 15:34 PST, Blake Kaplan (:mrbkap)

Description Christian Schmidt 2006-02-13 15:01:59 PST
Steps to reproduce (WARNING! This will crash your browser):
1. Click on above URL
2. Crash and burn

TB IDs from a recent 1.8 nightly: TB15134809G, TB15134839Y, TB15134942E

Also happens with FF 1.5.0.1.
Comment 1 Blake Kaplan (:mrbkap) 2006-02-13 15:22:08 PST
This is a null pointer dereference in the event code; it's not exploitable, so I'm clearing the security group flag. This is a regression from bug 238773. I have a fix.
Comment 2 Blake Kaplan (:mrbkap) 2006-02-13 15:23:58 PST
Created attachment 211787 [details] [diff] [review]
Fix

This is a diff -w (to account for some whitespace inconsistencies below the patch). Presumably, the old code set aEvent early, whereas this moved code doesn't bother (and instead sets mEvent). This patch simply uses mEvent, which is set to aEvent if that isn't null, and a new event otherwise.
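As an added illustration of the pattern comment 2 describes (this is not the attached patch and not Gecko code), the hypothetical C++ below puts a DOM event wrapper that reads its constructor argument aEvent directly, and so crashes when script creates the event with no underlying widget event, next to the fixed shape that routes every access through mEvent, set from aEvent when that is non-null and from a newly created event otherwise. The InternalEvent struct, the class names and the helper functions are assumptions made for the example.

```cpp
#include <cstdint>
#include <memory>

// Hypothetical stand-in for Gecko's internal event structure; none of this
// is Mozilla's code, it only illustrates the null-defense pattern of the fix.
struct InternalEvent {
    uint32_t message = 0;       // numeric event type; 0 stands for "no type yet"
    bool     isTrusted = false;
};

// BEFORE: the regressed code reads the constructor argument directly.
// document.createEvent('TextEvent') builds the DOM wrapper with no widget
// event behind it, i.e. aEvent == nullptr, so this dereferences null.
class TextEventBefore {
public:
    explicit TextEventBefore(InternalEvent* aEvent) {
        mMessage = aEvent->message;   // crash when aEvent is null (the bug)
    }
    uint32_t Message() const { return mMessage; }
private:
    uint32_t mMessage = 0;
};

// AFTER: mEvent is set to aEvent when that is non-null and to a freshly
// allocated event otherwise, and every later read goes through mEvent.
class TextEventAfter {
public:
    explicit TextEventAfter(InternalEvent* aEvent) {
        if (aEvent) {
            mEvent = aEvent;                              // caller-owned event
        } else {
            mOwned = std::make_unique<InternalEvent>();   // script-created event
            mEvent = mOwned.get();
        }
        mMessage = mEvent->message;                       // always safe now
    }
    uint32_t Message() const { return mMessage; }
    bool IsTrusted() const { return mEvent->isTrusted; }
    bool OwnsEvent() const { return mOwned != nullptr; }
private:
    std::unique_ptr<InternalEvent> mOwned;   // only set for the null-argument case
    InternalEvent* mEvent = nullptr;
    uint32_t mMessage = 0;
};

// Mirrors the reporter's test case: construct the wrapper with no widget event.
// Returns true when construction succeeds and the default values are visible.
bool CreateWithNoWidgetEvent() {
    TextEventAfter ev(nullptr);
    return ev.OwnsEvent() && ev.Message() == 0 && !ev.IsTrusted();
}

// Normal path: the wrapper is built around an existing, caller-owned widget
// event (constructed here for the example) and must not allocate its own.
uint32_t MessageFromWidgetEvent(uint32_t message) {
    InternalEvent widgetEvent;
    widgetEvent.message = message;
    widgetEvent.isTrusted = true;
    TextEventAfter ev(&widgetEvent);
    return ev.OwnsEvent() ? 0 : ev.Message();
}

int main() {
    // TextEventBefore(nullptr) would crash here; TextEventAfter does not.
    return (CreateWithNoWidgetEvent() && MessageFromWidgetEvent(7) == 7) ? 0 : 1;
}
```

The point of the shape is that the null check happens exactly once, at the place where the pointer enters the object, and everything after it reads the always-valid member rather than the argument, so later code motion (like the move that caused this regression) cannot reintroduce the dereference.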
Comment 3 Johnny Stenback (:jst, jst@mozilla.com) 2006-02-13 15:25:40 PST
Comment on attachment 211787 [details] [diff] [review]
Fix

r+sr=jst
Comment 4 Blake Kaplan (:mrbkap) 2006-02-13 15:34:11 PST
Created attachment 211790 [details] [diff] [review]
Non-diff -w

For the record, this is what I just checked in.
Comment 5 Blake Kaplan (:mrbkap) 2006-02-13 15:35:06 PST
Fix checked into trunk.
Comment 6 Blake Kaplan (:mrbkap) 2006-02-13 15:36:32 PST
Comment on attachment 211787 [details] [diff] [review]
Fix

This is a pretty trivial null-defense fix...
Comment 7 Daniel Veditz [:dveditz] 2006-02-22 00:52:25 PST
Comment on attachment 211787 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz
Comment 8 Blake Kaplan (:mrbkap) 2006-02-22 15:40:58 PST
Fix checked into the 1.8 branches, though I neglected to mention my a= in the checkin comment.
Comment 9 Jay Patel [:jay] 2006-03-02 15:02:53 PST
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1, no crash with js event in URL bar.
