Closed Bug 344960 Opened 18 years ago Closed 18 years ago

Crash [@ kernel32.dll CommonConstructor] with testcase using GeckoActiveXObject

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(4 keywords, Whiteboard: [sg:low dos])

Crash Data

Attachments

(2 files, 1 obsolete file)

See upcoming testcase, this crashes Firefox1.5.0.5RC3 and current trunk builds. Current trunk builds probably crash already earlier because of bug 344957. Talkback ID: TB21052037Q kernel32.dll + 0x1eb33 (0x7c81eb33) _CxxThrowException _com_error::_com_error _com_issue_error CommonConstructor [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/XPCIDispatchExtension.cpp, line 90] ActiveXConstructor [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/XPCIDispatchExtension.cpp, line 131] js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1188] js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3584] js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1208] js_InternalInvoke [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1285] JS_CallFunctionValue [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4177] nsJSContext::CallEventHandler [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1411] nsJSEventListener::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 195] nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1687] nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1788] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2185] nsHTMLButtonElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLButtonElement.cpp, line 336] PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6379] PresShell::HandleEventWithTarget [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6277] nsEventStateManager::CheckForAndDispatchClick [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 3048] nsEventStateManager::PostHandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2026] PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6451] PresShell::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6215] nsViewManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2559] nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246] HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174] nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1258] nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6028] ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6279] nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1440] USER32.dll + 0x8734 (0x77d18734) USER32.dll + 0x8816 (0x77d18816) USER32.dll + 0x89cd (0x77d189cd) USER32.dll + 0x8a10 (0x77d18a10) nsAppShell::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159] nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151] main [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61] kernel32.dll + 0x16d4f (0x7c816d4f)
Blocks: 344950
Attached file testcase (obsolete) —
The testcase triggers some kind of oom situation, after GeckoActiveXObject crashes.
Severity: normal → critical
Attached file testcase
Correct testcase, that actually crashes this time.
Attachment #229524 - Attachment is obsolete: true
Cap the constructor argument length at 2k to keep windows string code from crashing (due to OOM). This also fixes a bug where we were incorrectly protecting against an empty string argument (null checked the wrong variable).
Attachment #229565 - Flags: superreview?(bugmail)
Attachment #229565 - Flags: review?(mrbkap)
Attachment #229565 - Flags: review?(mrbkap) → review+
Attachment #229565 - Flags: superreview?(bugmail) → superreview+
Potentially exploitable security bug (Win32 only), nominating for branches. Fixed on trunk.
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?
Flags: blocking1.8.0.5?
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Resolution: --- → FIXED
Since we're respinning, and this is based on a semi-public fuzz tester, seems better to take a safe fix now than wait.
Flags: blocking1.8.0.6?
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5+
Comment on attachment 229565 [details] [diff] [review] Fix (by capping the argument length). approved for 1.8.0 branch, a=dveditz for drivers. Please land today.
Attachment #229565 - Flags: approval1.8.0.5+
Keywords: fixed1.8.0.5
*** Bug 344957 has been marked as a duplicate of this bug. ***
Flags: blocking1.8.1? → blocking1.8.1+
Whiteboard: [sg:low dos]
Keywords: fixed1.8.1
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5, no crash with rc4 build (did crash with rc3).
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060721 Minefield/3.0a1
Status: RESOLVED → VERIFIED
https://bugzilla.mozilla.org/attachment.cgi?id=229526 ff2b2 debug/nightly windows/linux no crash verified fixed 1.8
Group: security
Flags: in-testsuite?
Flags: blocking-aviary1.0.9?
Flags: blocking1.7.14?
GeckoActiveXObject is no longer built by default on 1.9.0 and later right?
I don't know if it _works_, but GeckoActiveXObject still exists on windows builds of 1.9.0 and 1.9.1 and XPC_IDISPATCH_SUPPORT is enabled in the build.
Crash Signature: [@ kernel32.dll CommonConstructor]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: