Bug 330998 (Closed; status VERIFIED FIXED)
Crash [@ nsLayoutUtils::GetFloatFromPlaceholder] involving tables, forms, and float
Categories: Core :: Layout: Tables, defect
People: Reporter: jruderman, Assigned: bernd_mozilla
Details: 4 keywords, Whiteboard: [sg:nse null-deref]
Attachments: 2 files
Bob Clary found this bug; I reduced it (with help from Lithium). Filing as security-sensitive because the variation in behavior (see below) and partial stacks in Win2003 Talkback make me worry this is a memory corruption bug.

* Windows 2003: TB16554961Z (partial stack)
* Windows XP: Instead of crashing, it goes into a screwed-up state (where toolbar buttons don't respond visually to clicks unless the mouse moves during the click, and firefox.exe doesn't exit when I close the last window).
* Mac: TB16555048M (full stack)
Comment 1•18 years ago (Reporter)

Comment 2•18 years ago (Reporter)
Summary: Crash [@ nsLayoutUtils::GetFloatFromPlaceholder] invloving tables, forms, and float → Crash [@ nsLayoutUtils::GetFloatFromPlaceholder] involving tables, forms, and float
We hit ###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file d:\moz_src\mozilla\layout\generic\nsPlaceholderFrame.h, line 121
Sounds like bug 285727.
Comment 6•18 years ago (Reporter)
Still crashes in Mac trunk 2006-04-10. So not fixed by BuildFloatList removal.
Comment 7•18 years ago
Yeah... this is basically bug 285727.... At least it's just a null-dereference (well, virtual function call on NULL, which isn't quite the same thing).
Comment 8•18 years ago
I take that back. GetStyleData is non-virtual when called inside layout. So this is not really a big security issue, imo.
Comment 9•18 years ago (Reporter)
I think even a virtual function call on NULL would not be a security hole, as long as the OS denies access to the entire first page of memory and the object isn't too complicated.
Comment 10•18 years ago (Assignee)
Fixed by the patch for bug 285727.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 11•18 years ago
Sounds like this isn't a security problem after all. We should be able to remove the confidential flag, right?
No longer depends on: 282173
Whiteboard: [sg:nse null-deref]
Comment 12•18 years ago

(In reply to comment #11)
> Sounds like this isn't a security problem after all. We should be able to
> remove the confidential flag, right?

NO! This and all fuzz testing bugs should be confidential until we have a better handle on things.
Comment 13•18 years ago (Reporter)
There wasn't much mention of fuzz-testing in this bug until comment 12 ;) I try to file these bugs with reduced testcases and without mentioning how I found them.
Comment 14•18 years ago
I was going on the blocking bug 306663.
Comment 15•18 years ago
Clearing the security flag. It's no secret that we test Firefox, we just don't want to hand over juicy testcases.
Group: security
Comment 16•18 years ago

Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060829 Firefox/1.5.0.7
Firefox 1.5.0.6 still crashes.
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b2) Gecko/20060830 BonEcho/2.0b2
Status: RESOLVED → VERIFIED
Keywords: verified1.8.0.7, verified1.8.1
Updated•13 years ago

Crash Signature: [@ nsLayoutUtils::GetFloatFromPlaceholder]