Bug 344960 (Closed)
Opened 18 years ago
Closed 18 years ago
Crash [@ kernel32.dll CommonConstructor] with testcase using GeckoActiveXObject
Categories: Core :: DOM: Core & HTML, defect
Status: VERIFIED FIXED
People: Reporter: martijn.martijn, Unassigned
Details: 4 keywords, Whiteboard: [sg:low dos]
Attachments (2 files, 1 obsolete file)
380 bytes, text/html
2.41 KB, patch; mrbkap: review+; sicking: superreview+; dveditz: approval1.8.0.5+; dbaron: approval1.8.1+
Description (Reporter)
See upcoming testcase; this crashes Firefox 1.5.0.5 RC3 and current trunk builds.
Current trunk builds probably crash already earlier because of bug 344957.
Talkback ID: TB21052037Q
kernel32.dll + 0x1eb33 (0x7c81eb33)
_CxxThrowException
_com_error::_com_error
_com_issue_error
CommonConstructor [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/XPCIDispatchExtension.cpp, line 90]
ActiveXConstructor [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/XPCIDispatchExtension.cpp, line 131]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1188]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3584]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1208]
js_InternalInvoke [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1285]
JS_CallFunctionValue [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4177]
nsJSContext::CallEventHandler [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1411]
nsJSEventListener::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 195]
nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1687]
nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1788]
nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2185]
nsHTMLButtonElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLButtonElement.cpp, line 336]
PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6379]
PresShell::HandleEventWithTarget [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6277]
nsEventStateManager::CheckForAndDispatchClick [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 3048]
nsEventStateManager::PostHandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2026]
PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6451]
PresShell::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6215]
nsViewManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2559]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1258]
nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6028]
ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6279]
nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1440]
USER32.dll + 0x8734 (0x77d18734)
USER32.dll + 0x8816 (0x77d18816)
USER32.dll + 0x89cd (0x77d189cd)
USER32.dll + 0x8a10 (0x77d18a10)
nsAppShell::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Comment 1•18 years ago (Reporter)
The testcase triggers some kind of OOM situation after GeckoActiveXObject crashes.
Updated•18 years ago (Reporter)
Severity: normal → critical
Comment 2•18 years ago (Reporter)
Correct testcase, which actually crashes this time.
Attachment #229524 - Attachment is obsolete: true
Comment 3•18 years ago
Cap the constructor argument length at 2k to keep windows string code from crashing (due to OOM). This also fixes a bug where we were incorrectly protecting against an empty string argument (null checked the wrong variable).
Attachment #229565 - Flags: superreview?(bugmail), review?(mrbkap)
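The two defects comment 3 describes (an unbounded string argument reaching platform string-conversion code, and an empty-argument guard that null-checked a variable other than the one actually used) next to the hardened shape, as an added C++ example. This is not the Mozilla patch and not XPCIDispatchExtension.cpp code; the function names, the status codes, the simulated conversion and the 2048 cap are assumptions made here (the page only says the fix capped the argument at 2k).

```cpp
// Added illustration for the fix described in comment 3; this is not the
// Mozilla patch for bug 344960. It models an XPConnect-style constructor that
// receives a JS argument list and converts the first string for a COM call.
// Assumptions: the names, the status codes and the 2048 cap are invented here
// (the page says the real fix capped the argument at "2k").
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

enum class CtorStatus { Ok, MissingArgument, ArgumentTooLong };

// Hypothetical bound on the argument length, applied before any conversion.
constexpr std::size_t kMaxArgLength = 2048;

struct CtorResult {
    CtorStatus status;
    std::wstring converted;  // stand-in for the wide string handed to COM
};

// Stand-in for the platform narrow-to-wide conversion: it allocates
// proportionally to n, which is what an unbounded argument drives into OOM.
static std::wstring widen(const char* s, std::size_t n) {
    std::wstring out;
    out.reserve(n);
    for (std::size_t i = 0; i < n; ++i)
        out.push_back(static_cast<wchar_t>(static_cast<unsigned char>(s[i])));
    return out;
}

// "Before" shape (deliberately defective, as described on the page):
//  1. the guard tests the argument array rather than the string it uses, so an
//     empty or missing string passes (strlen(nullptr) here is a crash path);
//  2. the length is never bounded, so arbitrary input reaches the allocator.
CtorResult constructBefore(std::size_t argc, const char* const* argv) {
    if (!argv)
        return {CtorStatus::MissingArgument, {}};    // null check on the wrong variable
    const char* progId = argc ? argv[0] : nullptr;   // may be null or ""
    return {CtorStatus::Ok, widen(progId, std::strlen(progId))};
}

// Hardened shape: validate the value actually used, then reject oversized
// input before any allocation happens on its behalf.
CtorResult constructAfter(std::size_t argc, const char* const* argv) {
    const char* progId = (argv && argc) ? argv[0] : nullptr;
    if (!progId || *progId == '\0')
        return {CtorStatus::MissingArgument, {}};
    std::size_t n = std::strlen(progId);
    if (n > kMaxArgLength)
        return {CtorStatus::ArgumentTooLong, {}};
    return {CtorStatus::Ok, widen(progId, n)};
}

int main() {
    std::string huge(kMaxArgLength + 1, 'A');       // constructed oversized argument
    const char* args[] = {huge.c_str()};
    std::cout << "before: status=" << static_cast<int>(constructBefore(1, args).status)
              << " converted=" << constructBefore(1, args).converted.size() << " chars\n";
    std::cout << "after:  status=" << static_cast<int>(constructAfter(1, args).status) << "\n";
    return 0;
}
```

The point of the cap is that it is checked on the length of the string the caller actually supplied, before anything is allocated in proportion to it; a check that runs after the conversion, or on a different variable, leaves the crash path intact.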
Updated•18 years ago
Attachment #229565 - Flags: review?(mrbkap) → review+; superreview?(bugmail) → superreview+
Comment 4•18 years ago
Potentially exploitable security bug (Win32 only), nominating for branches. Fixed on trunk.
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?
Flags: blocking1.8.0.5?
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Resolution: --- → FIXED
Comment 5•18 years ago
Since we're respinning, and this is based on a semi-public fuzz tester, seems better to take a safe fix now than wait.
Flags: blocking1.8.0.6?
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5+
Comment 6•18 years ago
Comment on attachment 229565
Fix (by capping the argument length).
approved for 1.8.0 branch, a=dveditz for drivers.
Please land today.
Attachment #229565 - Flags: approval1.8.0.5+
Updated•18 years ago
Keywords: fixed1.8.0.5
Comment 7•18 years ago
*** Bug 344957 has been marked as a duplicate of this bug. ***
Updated•18 years ago
Flags: blocking1.8.1? → blocking1.8.1+
Updated•18 years ago
Whiteboard: [sg:low dos]
Attachment #229565 - Flags: approval1.8.1+
Updated•18 years ago
Keywords: fixed1.8.1
Comment 8•18 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5, no crash with rc4 build (did crash with rc3).
Keywords: fixed1.8.0.5 → verified1.8.0.5
Comment 9•18 years ago (Reporter)
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060721 Minefield/3.0a1
Status: RESOLVED → VERIFIED
Comment 10•18 years ago
https://bugzilla.mozilla.org/attachment.cgi?id=229526
ff2b2 debug/nightly, Windows/Linux: no crash.
Verified fixed 1.8.
Keywords: fixed1.8.1 → verified1.8.1
Updated•17 years ago
Group: security
Flags: in-testsuite?
Updated•17 years ago
Flags: blocking-aviary1.0.9?
Updated•17 years ago
Flags: blocking1.7.14?
Comment 11•16 years ago
GeckoActiveXObject is no longer built by default on 1.9.0 and later, right?
Comment 12•16 years ago
I don't know if it _works_, but GeckoActiveXObject still exists on windows builds of 1.9.0 and 1.9.1 and XPC_IDISPATCH_SUPPORT is enabled in the build.
Updated•13 years ago
Crash Signature: [@ kernel32.dll CommonConstructor]
Updated•6 years ago
Component: DOM → DOM: Core & HTML