Closed Bug 342085 Opened 18 years ago Closed 18 years ago

Crash with a fuzzed iframe [@ nsAttributeChildList::GetLength]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
1.8 Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

(
URL
)

Details

(Keywords: verified1.8.0.5, verified1.8.1)

Attachments

(1 file)

Fix
990 bytes, patch
sicking
: review+
sicking
: superreview+
sicking
: approval-branch-1.8.1+
sicking
: approval1.8.0.5+
Details | Diff | Splinter Review
STEPS TO REPRODUCE: 1) Get a 1.8.x build or a 1.8.0.x build with any of the patches from bug 326645 applied. 2) Load the URL in the URL field. EXPECTED RESULTS: no crash ACTUAL RESULTS: (gdb) where #0 0x8904408b in ?? () #1 0xb664f3b9 in nsAttributeChildList::GetLength (this=0x83d0098, aLength=0xbfffdb80) at ../../../../mozilla/content/base/src/nsDOMAttribute.cpp:760 #2 0xb7fc4f19 in XPTC_InvokeByIndex () at ../../../../../../../mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_gcc_x86_unix.cpp:69 (gdb) frame 1 #1 0xb664f3b9 in nsAttributeChildList::GetLength (this=0x83d0098, aLength=0xbfffdb80) at ../../../../mozilla/content/base/src/nsDOMAttribute.cpp:760 760 mAttribute->GetValue(value); (gdb) p *mAttribute warning: can't find linker symbol for virtual table for `nsDOMAttribute' value $1 = {<nsIDOMAttr> = {<nsIDOMNode> = {<nsISupports> = { _vptr.nsISupports = 0x200061}, <No data fields>}, <No data fields>}, <nsIDOM3Node> = {<nsISupports> = { _vptr.nsISupports = 0x720070}, <No data fields>}, <nsIAttribute> = {<nsISupports> = {_vptr.nsISupports = 0x70006f}, mAttrMap = 0x720065, mNodeInfo = {mRawPtr = 0x790074}}, mRefCnt = {mValue = 7602208}, _mOwningThread = {mThread = 0x610068}, static sInitialized = 1, mValue = {<nsSubstring> = {<nsAString_internal> = { mVTable = 0x200074, mData = 0x610068, mLength = 2097267, mFlags = 7209071}, <No data fields>}, <No data fields>}, mChild = 0x79006c, mChildList = 0x610020} The mNodeInfo and mChildList pointers are pretty clearly bogus. So's the mAttrMap pointer: (gdb) p *mAttribute.mAttrMap Cannot access memory at address 0x720065 So it seems to me that mAttribute is dead. I wonder why...
Ah, it looks like on trunk the DropReference() call in ~nsDOMAttribute was added in bug 324572. We should probably port that part over to branch.
Depends on: 326645
Attached patch FixSplinter Review
This is dead simple, actually..
Assignee: general → bzbarsky
Status: NEW → ASSIGNED
Attachment #226246 - Flags: superreview?(bugmail)
Attachment #226246 - Flags: review?(bugmail)
Attachment #226246 - Flags: approval1.8.0.5?
Attachment #226246 - Flags: approval-branch-1.8.1?(bugmail)
Comment on attachment 226246 [details] [diff] [review] Fix looks good r/sr/a=sicking
Attachment #226246 - Flags: superreview?(bugmail)
Attachment #226246 - Flags: superreview+
Attachment #226246 - Flags: review?(bugmail)
Attachment #226246 - Flags: review+
Attachment #226246 - Flags: approval1.8.0.5?
Attachment #226246 - Flags: approval1.8.0.5+
Attachment #226246 - Flags: approval-branch-1.8.1?(bugmail)
Attachment #226246 - Flags: approval-branch-1.8.1+
Fixed on both branches.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.0.5, fixed1.8.1
Resolution: --- → FIXED
Verified fixed on mac 1.5.0 branch build 2006062008 and on the 2.0 branch.
Status: RESOLVED → VERIFIED
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: