Closed Bug 344000 Opened 18 years ago Closed 18 years ago

dom cellmap crash

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8.1

People

(Reporter: bernd_mozilla, Assigned: bernd_mozilla)

References

Details

(4 keywords, Whiteboard: [sg:critical] heap buffer underflow. fix rolled into 346980)

Attachments

(3 files, 1 obsolete file)

testcase
961 bytes, text/html
Details
patch
6.15 KB, patch
Details | Diff | Splinter Review
revised patch
8.75 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review 
the testcase tries to access foo[-1] or foo[0xffffffff] marking sensitive.
Attached file testcase 
Assignee: nobody → bernd_mozilla
Status: NEW → ASSIGNED

    
  
Blocks: stirtable

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch (obsolete)
        — Splinter Review
      

    


  

    
    

    
  
Affects the 1.8 branches also, nominating.

Why do these routines use signed indexes? Could they be changed to use unsigned ints instead?
Flags: blocking1.9a1+
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?
Whiteboard: [sg:critical] heap buffer underflow

    
    

    
  
Comment on attachment 228602 [details] [diff] [review]
patch

>-
>+  NS_ASSERTION(aFirstRowIndex >= 0, "nsCellMap::InsertRows called with negative rowIndex");

If you don't change the API's to use unsigned should we do more than assert? Add the assertion to other routines as well?

>   PRInt32 numRows = mRows.Count();
>   PRInt32 numCols = aMap.GetColCount();
> 
>   if (aFirstRowIndex >= numRows) {
>+    mRowCount -= aNumRowsToRemove;
>     return;

seems dodgy here, can mRowCount be made negative this way? Or has something else already incremented mRowCount by exactly the amount aFirstRowIndex is larger than numRows.

What if aFirstRowIndex is ever negative here? We didn't expect it could happen in the other place either.

>     if (aEndRowIndex < mRowCount - 1) {
>       cellData = GetDataAt(aMap, aEndRowIndex + 1, colX, PR_TRUE);
>       if ((cellData) && (cellData->IsRowSpan())) {
>         return PR_TRUE; // there is a row span out of the region
>       }
>     }
>+    else {
>+      // this cell might be the cause of a dead row which should be removed
>+      return PR_TRUE;
>+    }

"might be"? what happens if it isn't?

    
    

    
  
>Why do these routines use signed indexes?
Because Chris wrote them. -1 is very common as a hidden boolean parameter to toggle function behaviour.

I haven't really analyzed the code what would happen with unsigned indices. I am currently more in panic mode trying to get the whole thing survive bug 339128. The upcoming patch does exactly this at least on my machine.

>seems dodgy here, can mRowCount be made negative this way? Or has something
>else already incremented mRowCount by exactly the amount aFirstRowIndex is
>larger than numRows.
Every row that we have increases mRowCount. Every row that we remove has to reduce it. We have a scenario where the latter does not happen without the patch.

>What if aFirstRowIndex is ever negative here? We didn't expect it could happen
>in the other place either.

If the routine returns PR_TRUE we will call a more expensive routine thats not a issue. 


    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  

        Attachment #228602 -
        Attachment is obsolete: true

        Attachment #229215 -
        Flags: superreview?(bzbarsky)

        Attachment #229215 -
        Flags: review?(bzbarsky)

    
  
Flags: blocking1.8.1? → blocking1.8.1+

    
    

    
  
I'd really like an explanation of what the various parts of the patch do to be able to review this...  For example, if aEndRowIndex >= mRowCount - 1, why is it ok to call GetDataAt(aMap, aEndRowIndex, colX, PR_TRUE)?  Why is the numOrigRows check needed?   That sort of thing.
Flags: blocking1.8.0.6? → blocking1.8.0.6+
Whiteboard: [sg:critical] heap buffer underflow → [sg:critical] [needs review bzbarsky] heap buffer underflow

    
    

    
  

      
      
      
      

        Attached patch
          
          
        revised patchSplinter Review
      

    


  

        Attachment #231583 -
        Flags: superreview?(bzbarsky)

        Attachment #231583 -
        Flags: review?(bzbarsky)

    
  

        Attachment #229215 -
        Flags: superreview?(bzbarsky)

        Attachment #229215 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 231583 [details] [diff] [review]
revised patch

>--- nsCellMap.cpp	2006-08-01 16:26:40.296875000 +0200
>+++ nsCellMap.local	2006-08-01 16:33:42.140625000 +0200
>@@ -1498,30 +1502,51 @@ PRBool nsCellMap::CellsSpanOut(nsVoidArr
>+                                   // current cellmap extension.

s/extension/extent/ ?

>@@ -2023,18 +2048,23 @@ nsCellMap::RebuildConsideringRows(nsTabl

>+  PRInt32 copyEndRowIndex = PR_MIN(numOrigRows, aStartRowIndex);
>+
>   // put back the rows before the affected ones just as before
>-  for (rowX = 0; rowX < aStartRowIndex; rowX++) {
>+  // aStartRowIndex might be after all existing rows so we should limit the
>+  // copy to the amount of exisiting rows

Wouldn't this comment make more sense before you declare copyEndRowIndex and do the PR_MIN thing?

With that, looks ok.  Thanks for the comments!

        Attachment #231583 -
        Flags: superreview?(bzbarsky)

        Attachment #231583 -
        Flags: superreview+

        Attachment #231583 -
        Flags: review?(bzbarsky)

        Attachment #231583 -
        Flags: review+

    
    

    
  
fixed on trunk
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
  
Blocks: 346980

    
    

    
  
Is this patch suitable for 1.8 branch?

    
  
Target Milestone: --- → mozilla1.8.1

    
    

    
  
fixed on branch by the patch in bug 346980
Keywords: fixed1.8.1

    
    

    
  
the only bug that should block 1.8.0.7 is bug 346980 which is blocked by the
regression 347725

asking for 1.8.0.7- on this

    
    

    
  
https://bugzilla.mozilla.org/attachment.cgi?id=228578&action=view
ff2b2 debug windows/linux no crash, no assert, nightly windows/linux no crash
verified fixed 1.8

Keywords: fixed1.8.1verified1.8.1
Whiteboard: [sg:critical] [needs review bzbarsky] heap buffer underflow → [sg:critical] heap buffer underflow. fix rolled into 346980

    
    

    
  
Moving to 1.8.0.8 at Bernd's request (regression worries)
Flags: blocking1.8.0.8+
Flags: blocking1.8.0.7-
Flags: blocking1.8.0.7+

    
    

    
  
fixed on branches by the cellmap branch patch
Keywords: fixed1.8.0.7

    
    

    
  
Can I get some clarification on this bug's status?  It seems to have been minus-ed for 1807, but it is marked 'fixed1807'.  Has the patch been checked in?  Has this issue been fixed by another patch?  Or are we planning on checking in this patch to the 1.8.0 branch later, even though this particular crash has been fixed?



    
    

    
  
This did land in 1.8.0.7 after all. It wasn't "blocking", but was still approved.
Flags: blocking1.8.0.8+
Flags: blocking1.8.0.7-
Flags: blocking1.8.0.7+

    
    

    
  
https://bugzilla.mozilla.org/attachment.cgi?id=228578&action=view should not crash

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7) Gecko/20060906 Firefox/1.5.0.7

verified 1.8.0.7
Keywords: fixed1.8.0.7verified1.8.0.7
Group: security

    
  
Flags: in-testsuite?

    
    

    
  
crash test landed
http://hg.mozilla.org/mozilla-central/rev/5561696a146d
Flags: in-testsuite? → in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: