The default bug view has changed. See this FAQ.

Crash with evil testcase, using table-column-group, table-column, table-cell

VERIFIED FIXED

Status

()

Core
Layout: Tables
--
critical
VERIFIED FIXED
11 years ago
8 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: Bernd)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86
Windows XP
crash, testcase, verified1.8.0.5, verified1.8.1
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.7.14 ?
blocking-aviary1.0.9 ?
blocking1.9a1 +
blocking1.8.1 +
blocking1.8.0.5 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] mem corruption)

Attachments

(3 attachments, 2 obsolete attachments)

(Reporter)

Description

11 years ago
See upcoming testcase, which crashes Mozilla on load.

Talkback ID: TB16137409Q
HaveAutoWidth

(Talbkack has become really short, lately)

The testcase also crashes Mozilla1.7.12, so no (recent) regression.
(Reporter)

Comment 1

11 years ago
Created attachment 214548 [details]
testcase
(Assignee)

Updated

11 years ago
Group: security
(Assignee)

Comment 2

11 years ago
Arrgh, the stack is bogus even in a debug build. This is certainly exploitable, at least writing to 0x0000002 seems like exploitable to me. We  have a major error in the colgroup pseudo handling which yields a strange frame hierarchy cell - inner cell - cell. I need some time to come up with a fix. More than this I would like to move this bug after the OrderRowGroup removal which leads to the deleted object derefs.

Martijn

congratulations to your CVS privilege :-)
, so its fair to assume that you have a build. If you find these bugs so quick you need to learn to classify them. The bogus talkback should have warned you.
(Reporter)

Comment 3

11 years ago
(In reply to comment #2)
> congratulations to your CVS privilege :-)
Thanks :)

> , so its fair to assume that you have a build. If you find these bugs so quick
> you need to learn to classify them. The bogus talkback should have warned you.
Well, I asked Boris some time ago, and he explicitly said not to file bugs as security sensitive (something with way too much security bugs already).
I don't really know when a crash is exploitable. (normally, I don't fire up my debug build, maybe I should do that from now on with new crashes)

Flags: blocking1.9a1+
(Assignee)

Comment 4

11 years ago
No, I am not asking to file every bug as security sensitive. But this bug causes already random function calls, it's not the typical already  deleted stuff that I am used to. Launching a crash testcase in a debug build sounds like a good idea anyway, the stacktrace is more reliable than the talkback.
(Assignee)

Comment 5

11 years ago
Created attachment 214778 [details] [diff] [review]
patch

The only question that this patch causes is why did I not close the door in bug 239294. Fear Uncertainty Doubt? Or did I not know Martijn at this time? Or did I try a minimal invasive patch?
(Assignee)

Comment 6

11 years ago
Created attachment 215044 [details] [diff] [review]
next rev.

this is the next rev. still not *the* fix but closer to the issue.
Attachment #214778 - Attachment is obsolete: true
Blocks: 330015
(Assignee)

Comment 7

11 years ago
Created attachment 215297 [details] [diff] [review]
next rev
Assignee: nobody → bernd_mozilla
Attachment #215044 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #215297 - Flags: superreview?(bzbarsky)
Attachment #215297 - Flags: review?(bzbarsky)
Comment on attachment 215297 [details] [diff] [review]
next rev

I _think_ I follow this.  :(  My eyes bleed, though.  :(
Attachment #215297 - Flags: superreview?(bzbarsky)
Attachment #215297 - Flags: superreview+
Attachment #215297 - Flags: review?(bzbarsky)
Attachment #215297 - Flags: review+
(Assignee)

Comment 9

11 years ago
fixed on trunk
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Reporter)

Comment 10

11 years ago
Verified fixed using 2006-03-28 trunk build.
Status: RESOLVED → VERIFIED
(Reporter)

Comment 11

11 years ago
*** Bug 330015 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 12

11 years ago
this regressed the testcase in bug 325984
(Assignee)

Comment 13

11 years ago
I will try to fix the issue in the open bug 325984
Depends on: 325984
Is this exploitable? On a 1.5.0.4 windows debug build I crash in the nsMargin constructor reading from (0+offset) because mReflowState is null when nsBlockReflowState::BorderPadding() is called (the offset is the location of mComputedBorderPadding). Maybe some of these are uninitialized objects whose values would be non-null in a non-debug build, but in a debug Firefox 1.5.0.4 build this is pretty consistent.

If you think it's exploitable we need a patch for the 1.8 and 1.8.0 branches. If it's not exploitable we can live with this low frequency crash (and should un-hide the bug).
Flags: blocking1.8.1?
Flags: blocking1.8.0.5?
Whiteboard: [sg:critical? nse?] null-deref? mem corruption?
Never mind: this fixes bug 330015 which is definitely operating on a deleted frame, so we do need it on the old branches.
Whiteboard: [sg:critical? nse?] null-deref? mem corruption? → [sg:critical?] mem corruption

Updated

11 years ago
Flags: blocking1.8.0.5? → blocking1.8.0.5+

Comment 16

11 years ago
Comment on attachment 215297 [details] [diff] [review]
next rev

a=jay for 1.8.0 checkin
Attachment #215297 - Flags: approval1.8.0.5+

Updated

11 years ago
Flags: blocking1.8.1? → blocking1.8.1+

Comment 17

11 years ago
Comment on attachment 215297 [details] [diff] [review]
next rev

1.8.1 branch approval, a=jay for drivers
Attachment #215297 - Flags: approval-branch-1.8.1+
Comment on attachment 215297 [details] [diff] [review]
next rev

removing branch approvals from this patch in favor of the regression-fix cummulative patch in bug 333493
Attachment #215297 - Flags: approval1.8.0.5-
Attachment #215297 - Flags: approval1.8.0.5+
Attachment #215297 - Flags: approval-branch-1.8.1-
Attachment #215297 - Flags: approval-branch-1.8.1+
(Assignee)

Comment 19

11 years ago
fixed on 1.8 branhc by the cumulative patch in bug 333493
Keywords: fixed1.8.1
(Assignee)

Comment 20

11 years ago
fixed on 1.8.0.5
Keywords: fixed1.8.0.5

Comment 21

11 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.5) Gecko/20060626 Firefox/1.5.0.5, no crash with testcase.
Keywords: fixed1.8.0.5 → verified1.8.0.5
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?

Comment 22

11 years ago
Created attachment 232737 [details] [diff] [review]
1.0.x patch

Comment 23

11 years ago
https://bugzilla.mozilla.org/attachment.cgi?id=214548&action=view
ff2b2 winxp, linux no crash
verified fixed 1.8
Keywords: fixed1.8.1 → verified1.8.1
Group: security

Comment 24

8 years ago
crash test landed
http://hg.mozilla.org/mozilla-central/rev/fcb4bf8da2b8
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.