Closed Bug 344960 Opened 18 years ago Closed 18 years ago

Crash [@ kernel32.dll CommonConstructor] with testcase using GeckoActiveXObject

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(4 keywords, Whiteboard: [sg:low dos])

Crash Data

Attachments

(2 files, 1 obsolete file)

testcase
380 bytes, text/html
Details
Fix (by capping the argument length).
2.41 KB, patch
mrbkap
: review+
sicking
: superreview+
dveditz
: approval1.8.0.5+
dbaron
: approval1.8.1+
Details | Diff | Splinter Review 
See upcoming testcase, this crashes Firefox1.5.0.5RC3 and current trunk builds.
Current trunk builds probably crash already earlier because of bug 344957.

Talkback ID: TB21052037Q
kernel32.dll + 0x1eb33 (0x7c81eb33)
_CxxThrowException
_com_error::_com_error
_com_issue_error
CommonConstructor  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/XPCIDispatchExtension.cpp, line 90]
ActiveXConstructor  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/XPCIDispatchExtension.cpp, line 131]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1188]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3584]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1208]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1285]
JS_CallFunctionValue  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4177]
nsJSContext::CallEventHandler  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1411]
nsJSEventListener::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 195]
nsEventListenerManager::HandleEventSubType  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1687]
nsEventListenerManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1788]
nsGenericElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2185]
nsHTMLButtonElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLButtonElement.cpp, line 336]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6379]
PresShell::HandleEventWithTarget  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6277]
nsEventStateManager::CheckForAndDispatchClick  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 3048]
nsEventStateManager::PostHandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2026]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6451]
PresShell::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6215]
nsViewManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2559]
nsViewManager::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1258]
nsWindow::DispatchMouseEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6028]
ChildWindow::DispatchMouseEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6279]
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1440]
USER32.dll + 0x8734 (0x77d18734)
USER32.dll + 0x8816 (0x77d18816)
USER32.dll + 0x89cd (0x77d189cd)
USER32.dll + 0x8a10 (0x77d18a10)
nsAppShell::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main  [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Blocks: 344950
Attached file testcase (obsolete) — 
The testcase triggers some kind of oom situation, after GeckoActiveXObject crashes.
Severity: normal → critical
Attached file testcase 
Correct testcase, that actually crashes this time.
Attachment #229524 - Attachment is obsolete: true
Cap the constructor argument length at 2k to keep windows string code from crashing (due to OOM). This also fixes a bug where we were incorrectly protecting against an empty string argument (null checked the wrong variable).
Attachment #229565 - Flags: superreview?(bugmail)
Attachment #229565 - Flags: review?(mrbkap)
Attachment #229565 - Flags: review?(mrbkap) → review+
Attachment #229565 - Flags: superreview?(bugmail) → superreview+
Potentially exploitable security bug (Win32 only), nominating for branches. Fixed on trunk.
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?
Flags: blocking1.8.0.5?
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Resolution: --- → FIXED
Since we're respinning, and this is based on a semi-public fuzz tester, seems better to take a safe fix now than wait.
Flags: blocking1.8.0.6?
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5+
Comment on attachment 229565 [details] [diff] [review]
Fix (by capping the argument length).

approved for 1.8.0 branch, a=dveditz for drivers.

Please land today.
Attachment #229565 - Flags: approval1.8.0.5+
Keywords: fixed1.8.0.5
*** Bug 344957 has been marked as a duplicate of this bug. ***
Flags: blocking1.8.1? → blocking1.8.1+
Whiteboard: [sg:low dos]
Keywords: fixed1.8.1
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5, no crash with rc4 build (did crash with rc3).
Keywords: fixed1.8.0.5verified1.8.0.5
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060721 Minefield/3.0a1
Status: RESOLVED → VERIFIED
https://bugzilla.mozilla.org/attachment.cgi?id=229526
ff2b2 debug/nightly windows/linux no crash
verified fixed 1.8
Keywords: fixed1.8.1verified1.8.1
Group: security
Flags: in-testsuite?
Flags: blocking-aviary1.0.9?
Flags: blocking1.7.14?
GeckoActiveXObject is no longer built by default on 1.9.0 and later right?
I don't know if it _works_, but GeckoActiveXObject still exists on windows builds of 1.9.0 and 1.9.1 and XPC_IDISPATCH_SUPPORT is enabled in the build.
Crash Signature: [@ kernel32.dll CommonConstructor]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: