
document.createEvent('TextEvent') crashes

RESOLVED FIXED in mozilla1.9alpha1

Status


Core
DOM: Events
P1
critical
RESOLVED FIXED
11 years ago
11 years ago

People

(Reporter: Christian Schmidt, Assigned: mrbkap)

Tracking

(4 keywords)

Trunk
mozilla1.9alpha1
fixed1.8.1, regression, testcase, verified1.8.0.2
Points:
---
Bug Flags:
blocking1.8.0.2 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse][rft-dl], URL)

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
Steps to reproduce (WARNING! This will crash your browser):
1. Click on above URL
2. Crash and burn

TB IDs from a recent 1.8 nightly: TB15134809G, TB15134839Y, TB15134942E

Also happens with FF 1.5.0.1.
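Added example, not the reporter's testcase and not Mozilla code: a small probe that calls `document.createEvent()` for a list of event interface names and classifies each outcome, the kind of harness used to reproduce this report and to verify the fix from the URL bar or console. The interface-name list is constructed here; the `doc` parameter is normally the real `document`, and the probe logs each name before the call because a true null-pointer crash kills the process before any `try`/`catch` can run, so the last logged name is the culprit.

```javascript
// Added example (not from the bug or from Mozilla). Probes createEvent()
// for each interface name and records whether the call returned an object,
// threw NOT_SUPPORTED_ERR, or threw something else.

// Constructed list of interface names; older Gecko builds accept legacy
// spellings such as "Events" and "KeyEvents" and reject others.
const EVENT_INTERFACES = [
  'Event', 'Events', 'UIEvent', 'UIEvents', 'MouseEvent', 'MouseEvents',
  'KeyEvents', 'KeyboardEvent', 'TextEvent', 'MutationEvent', 'HTMLEvents',
];

// Call doc.createEvent(name) for each name and classify the outcome.
// A process-killing crash cannot be caught, so the name is logged *before*
// each call: after a crash, the last logged name identifies the culprit.
function probeCreateEvent(doc, names = EVENT_INTERFACES, log = () => {}) {
  const results = {};
  for (const name of names) {
    log(`createEvent(${JSON.stringify(name)})`);
    try {
      const ev = doc.createEvent(name);
      // A non-crashing call should hand back an event object; a null or
      // undefined return is flagged separately from an exception.
      results[name] = ev && typeof ev === 'object' ? 'ok' : 'no-object';
    } catch (err) {
      // DOMException NOT_SUPPORTED_ERR (code 9) is the legitimate answer
      // for an interface the engine does not implement.
      results[name] = err && err.code === 9
        ? 'unsupported'
        : `error: ${err && err.name}`;
    }
  }
  return results;
}

// Browser usage: paste into the console of any page and run the probe.
if (typeof document !== 'undefined') {
  console.log(probeCreateEvent(document, EVENT_INTERFACES, console.log));
}
```

On a build with the fix applied, every name should land in `ok` or `unsupported`; a `no-object` or a missing entry (the probe never finished) is what to look for when re-testing a suspected crash.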
(Assignee)

Comment 1

11 years ago
This is a null pointer dereference in the event code; it's not exploitable, so clearing the security group flag. This is a regression from bug 238773. I have a fix.
Assignee: nobody → events
Group: security
Component: General → DOM: Events
Keywords: regression, testcase
OS: Windows 2000 → All
Priority: -- → P1
Product: Firefox → Core
QA Contact: general → ian
Hardware: PC → All
Whiteboard: [sg:nse]
Target Milestone: --- → mozilla1.9alpha
Version: 1.5 Branch → Trunk
(Assignee)

Comment 2

11 years ago
Created attachment 211787 [details] [diff] [review]
Fix

This is a diff -w (to account for some whitespace inconsistencies below the patch). Presumably, the old code set aEvent early, whereas this moved code doesn't bother (and instead sets mEvent). This patch simply uses mEvent, which is set to aEvent if that isn't null, and a new event otherwise.
Assignee: events → mrbkap
Status: NEW → ASSIGNED
Attachment #211787 - Flags: superreview?(jst)
Attachment #211787 - Flags: review?(jst)
Comment 3

11 years ago
Comment on attachment 211787 [details] [diff] [review]
Fix

r+sr=jst
Attachment #211787 - Flags: superreview?(jst)
Attachment #211787 - Flags: superreview+
Attachment #211787 - Flags: review?(jst)
Attachment #211787 - Flags: review+
(Assignee)

Comment 4

11 years ago
Created attachment 211790 [details] [diff] [review]
Non-diff -w

For the record, this is what I just checked in.
(Assignee)

Comment 5

11 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Assignee)

Comment 6

11 years ago
Comment on attachment 211787 [details] [diff] [review]
Fix

This is a pretty trivial null-defense fix...
Attachment #211787 - Flags: approval1.8.0.2?
Attachment #211787 - Flags: approval-branch-1.8.1?(jst)
(Assignee)

Updated

11 years ago
Blocks: 238773

Updated

11 years ago
Attachment #211787 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Flags: blocking1.8.0.2+
Comment 7

11 years ago
Comment on attachment 211787 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz
Attachment #211787 - Flags: approval1.8.0.2? → approval1.8.0.2+
(Assignee)

Comment 8

11 years ago
Fix checked into the 1.8 branches, though I neglected to mention my a= in the checkin comment.
Keywords: fixed1.8.0.2, fixed1.8.1

Updated

11 years ago
Whiteboard: [sg:nse] → [sg:nse][rft-dl]

Comment 9

11 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1, no crash with js event in URL bar.
Keywords: fixed1.8.0.2 → verified1.8.0.2