Bug 342085 (Closed)
Opened 18 years ago
Closed 18 years ago
Crash with a fuzzed iframe [@ nsAttributeChildList::GetLength]
Categories: Core :: DOM: Core & HTML, defect
Status: VERIFIED FIXED
People: Reporter: bzbarsky, Assigned: bzbarsky
Details: Keywords: verified1.8.0.5, verified1.8.1
Attachments (1 file)
990 bytes, patch: sicking: review+; sicking: superreview+; sicking: approval-branch-1.8.1+; sicking: approval1.8.0.5+
STEPS TO REPRODUCE:
1) Get a 1.8.x build or a 1.8.0.x build with any of the patches from bug 326645 applied.
2) Load the URL in the URL field.

EXPECTED RESULTS: no crash

ACTUAL RESULTS:
(gdb) where
#0 0x8904408b in ?? ()
#1 0xb664f3b9 in nsAttributeChildList::GetLength (this=0x83d0098, aLength=0xbfffdb80) at ../../../../mozilla/content/base/src/nsDOMAttribute.cpp:760
#2 0xb7fc4f19 in XPTC_InvokeByIndex () at ../../../../../../../mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_gcc_x86_unix.cpp:69
(gdb) frame 1
#1 0xb664f3b9 in nsAttributeChildList::GetLength (this=0x83d0098, aLength=0xbfffdb80) at ../../../../mozilla/content/base/src/nsDOMAttribute.cpp:760
760 mAttribute->GetValue(value);
(gdb) p *mAttribute
warning: can't find linker symbol for virtual table for `nsDOMAttribute' value
$1 = {<nsIDOMAttr> = {<nsIDOMNode> = {<nsISupports> = { _vptr.nsISupports = 0x200061}, <No data fields>}, <No data fields>}, <nsIDOM3Node> = {<nsISupports> = { _vptr.nsISupports = 0x720070}, <No data fields>}, <nsIAttribute> = {<nsISupports> = {_vptr.nsISupports = 0x70006f}, mAttrMap = 0x720065, mNodeInfo = {mRawPtr = 0x790074}}, mRefCnt = {mValue = 7602208}, _mOwningThread = {mThread = 0x610068}, static sInitialized = 1, mValue = {<nsSubstring> = {<nsAString_internal> = { mVTable = 0x200074, mData = 0x610068, mLength = 2097267, mFlags = 7209071}, <No data fields>}, <No data fields>}, mChild = 0x79006c, mChildList = 0x610020}

The mNodeInfo and mChildList pointers are pretty clearly bogus. So's the mAttrMap pointer:
(gdb) p *mAttribute.mAttrMap
Cannot access memory at address 0x720065

So it seems to me that mAttribute is dead. I wonder why...
Comment 1•18 years ago (Assignee)
Ah, it looks like on trunk the DropReference() call in ~nsDOMAttribute was added in bug 324572. We should probably port that part over to branch.
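The failure mode in this bug is a child-list object holding a raw back-pointer to an attribute that has already been destroyed, so GetLength() reads freed memory. The following is an added example, not Mozilla's code: it models that relationship with simplified stand-in classes (Attribute, AttributeChildList, GetChildNodes, the "one child when the value is non-empty" rule are all assumptions of this example; only the DropReference() destructor call is taken from Comment 1) and shows how clearing the back-pointer from the owner's destructor turns the crash into a safe failure.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <utility>

class Attribute;

// Stand-in for nsAttributeChildList: a wrapper the script side can keep alive
// independently of the attribute it was created from. (Class and method names
// are simplified assumptions; only DropReference() comes from the bug's comments.)
class AttributeChildList {
public:
    explicit AttributeChildList(Attribute* aOwner) : mAttribute(aOwner) {}

    // Called from the owner's destructor so this object never dereferences
    // a freed Attribute. This is the call the branch was missing.
    void DropReference() { mAttribute = nullptr; }

    // Returns true and the child count while the owner is alive; returns
    // false and a length of 0 once the owner has gone away.
    bool GetLength(uint32_t* aLength) const;

private:
    Attribute* mAttribute; // non-owning back-pointer to the attribute
};

// Stand-in for nsDOMAttribute.
class Attribute {
public:
    explicit Attribute(std::string aValue) : mValue(std::move(aValue)) {}

    // Without this DropReference() call, a child list that outlives the
    // attribute would read freed memory in GetLength() (the reported crash).
    ~Attribute() {
        if (mChildList) {
            mChildList->DropReference();
        }
    }

    // Hands out the (shared) child list, creating it on first use.
    std::shared_ptr<AttributeChildList> GetChildNodes() {
        if (!mChildList) {
            mChildList = std::make_shared<AttributeChildList>(this);
        }
        return mChildList;
    }

    const std::string& GetValue() const { return mValue; }

private:
    std::string mValue;
    std::shared_ptr<AttributeChildList> mChildList; // attribute owns the list
};

bool AttributeChildList::GetLength(uint32_t* aLength) const {
    if (!mAttribute) {
        *aLength = 0;
        return false; // owner is dead: report failure instead of crashing
    }
    // Assumed rule for this example: one text child when the value is non-empty.
    *aLength = mAttribute->GetValue().empty() ? 0 : 1;
    return true;
}

// While the attribute is alive the child list answers normally.
uint32_t LengthWithLiveOwner() {
    Attribute attr("alpha");
    uint32_t len = 0;
    attr.GetChildNodes()->GetLength(&len);
    return len;
}

// The crash scenario: the list is still held after the attribute is destroyed.
// With DropReference() in the destructor, GetLength() fails safely.
bool ListOutlivesOwnerSafely() {
    std::shared_ptr<AttributeChildList> list;
    uint32_t len = 0;
    {
        Attribute attr("beta");
        list = attr.GetChildNodes();
        if (!list->GetLength(&len) || len != 1) {
            return false;
        }
    }
    // attr has been destroyed; its destructor cleared our back-pointer.
    bool ok = list->GetLength(&len);
    return !ok && len == 0;
}
```

The point to check in a review of any such fix is that every object holding a non-owning pointer back to the attribute is notified in the destructor, and that the callee treats a null back-pointer as a normal, non-crashing condition rather than asserting on it.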
Comment 2•18 years ago (Assignee)
This is dead simple, actually..
Assignee: general → bzbarsky
Status: NEW → ASSIGNED
Attachment #226246 - Flags: superreview?(bugmail)
Attachment #226246 - Flags: review?(bugmail)
Attachment #226246 - Flags: approval1.8.0.5?
Attachment #226246 - Flags: approval-branch-1.8.1?(bugmail)
Comment on attachment 226246
Fix looks good
r/sr/a=sicking
Attachment #226246 - Flags: superreview?(bugmail) → superreview+
Attachment #226246 - Flags: review?(bugmail) → review+
Attachment #226246 - Flags: approval1.8.0.5? → approval1.8.0.5+
Attachment #226246 - Flags: approval-branch-1.8.1?(bugmail) → approval-branch-1.8.1+
Comment 4•18 years ago (Assignee)
Fixed on both branches.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.0.5, fixed1.8.1
Resolution: --- → FIXED
Comment 5•18 years ago
Verified fixed on mac 1.5.0 branch build 2006062008 and on the 2.0 branch.
Status: RESOLVED → VERIFIED
Updated•18 years ago
Updated•5 years ago
Component: DOM → DOM: Core & HTML