The default bug view has changed. See this FAQ.

Crash [@ kernel32.dll CommonConstructor] with testcase using GeckoActiveXObject

VERIFIED FIXED

Status

()

Core
DOM
--
critical
VERIFIED FIXED
11 years ago
8 years ago

People

(Reporter: Martijn Wargers (dead), Unassigned)

Tracking

(4 keywords)

Trunk
x86
Windows XP
crash, testcase, verified1.8.0.5, verified1.8.1
Points:
---
Bug Flags:
blocking1.8.1 +
blocking1.8.0.5 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low dos], crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

11 years ago
See upcoming testcase, this crashes Firefox1.5.0.5RC3 and current trunk builds.
Current trunk builds probably crash already earlier because of bug 344957.

Talkback ID: TB21052037Q
kernel32.dll + 0x1eb33 (0x7c81eb33)
_CxxThrowException
_com_error::_com_error
_com_issue_error
CommonConstructor  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/XPCIDispatchExtension.cpp, line 90]
ActiveXConstructor  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/XPCIDispatchExtension.cpp, line 131]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1188]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3584]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1208]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1285]
JS_CallFunctionValue  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4177]
nsJSContext::CallEventHandler  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1411]
nsJSEventListener::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 195]
nsEventListenerManager::HandleEventSubType  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1687]
nsEventListenerManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1788]
nsGenericElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2185]
nsHTMLButtonElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLButtonElement.cpp, line 336]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6379]
PresShell::HandleEventWithTarget  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6277]
nsEventStateManager::CheckForAndDispatchClick  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 3048]
nsEventStateManager::PostHandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2026]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6451]
PresShell::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6215]
nsViewManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2559]
nsViewManager::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1258]
nsWindow::DispatchMouseEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6028]
ChildWindow::DispatchMouseEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6279]
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1440]
USER32.dll + 0x8734 (0x77d18734)
USER32.dll + 0x8816 (0x77d18816)
USER32.dll + 0x89cd (0x77d189cd)
USER32.dll + 0x8a10 (0x77d18a10)
nsAppShell::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

Updated

11 years ago
Blocks: 344950
(Reporter)

Comment 1

11 years ago
Created attachment 229524 [details]
testcase

The testcase triggers some kind of oom situation, after GeckoActiveXObject crashes.
(Reporter)

Updated

11 years ago
Severity: normal → critical
(Reporter)

Comment 2

11 years ago
Created attachment 229526 [details]
testcase

Correct testcase, that actually crashes this time.
Attachment #229524 - Attachment is obsolete: true
Created attachment 229565 [details] [diff] [review]
Fix (by capping the argument length).

Cap the constructor argument length at 2k to keep windows string code from crashing (due to OOM). This also fixes a bug where we were incorrectly protecting against an empty string argument (null checked the wrong variable).
Attachment #229565 - Flags: superreview?(bugmail)
Attachment #229565 - Flags: review?(mrbkap)

Updated

11 years ago
Attachment #229565 - Flags: review?(mrbkap) → review+
Attachment #229565 - Flags: superreview?(bugmail) → superreview+
Potentially exploitable security bug (Win32 only), nominating for branches. Fixed on trunk.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?
Flags: blocking1.8.0.5?
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Resolution: --- → FIXED
Since we're respinning, and this is based on a semi-public fuzz tester, seems better to take a safe fix now than wait.
Flags: blocking1.8.0.6?
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5+
Comment on attachment 229565 [details] [diff] [review]
Fix (by capping the argument length).

approved for 1.8.0 branch, a=dveditz for drivers.

Please land today.
Attachment #229565 - Flags: approval1.8.0.5+

Updated

11 years ago
Keywords: fixed1.8.0.5
*** Bug 344957 has been marked as a duplicate of this bug. ***

Updated

11 years ago
Flags: blocking1.8.1? → blocking1.8.1+
Whiteboard: [sg:low dos]
Attachment #229565 - Flags: approval1.8.1+

Updated

11 years ago
Keywords: fixed1.8.1

Comment 8

11 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5, no crash with rc4 build (did crash with rc3).
Keywords: fixed1.8.0.5 → verified1.8.0.5
(Reporter)

Comment 9

11 years ago
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060721 Minefield/3.0a1
Status: RESOLVED → VERIFIED

Comment 10

11 years ago
https://bugzilla.mozilla.org/attachment.cgi?id=229526
ff2b2 debug/nightly windows/linux no crash
verified fixed 1.8
Keywords: fixed1.8.1 → verified1.8.1
Group: security
Flags: in-testsuite?

Updated

9 years ago
Flags: blocking-aviary1.0.9?

Updated

9 years ago
Flags: blocking1.7.14?

Comment 11

8 years ago
GeckoActiveXObject is no longer built by default on 1.9.0 and later right?
I don't know if it _works_, but GeckoActiveXObject still exists on windows builds of 1.9.0 and 1.9.1 and XPC_IDISPATCH_SUPPORT is enabled in the build.
Crash Signature: [@ kernel32.dll CommonConstructor]
You need to log in before you can comment on or make changes to this bug.