Closed
Bug 347804
Opened 18 years ago
Closed 18 years ago
Crash [@ FindNextNode] with evil testcase in spell checker code
Categories
(Core :: Spelling checker, defect, P1)
Tracking
RESOLVED FIXED
mozilla1.8.1beta2
People
(Reporter: martijn.martijn, Assigned: brettw)
Details
(Keywords: crash, testcase, verified1.8.1, Whiteboard: [sg:nse] post ff1.5)
Attachments
(1 file)
793 bytes, patch | bryner: review+ | dbaron: approval1.8.1+
See upcoming testcase, which crashes Mozilla when clicking on the button. You have to download the testcase locally to get the crash, because of the use of enhanced privileges.
The testcase doesn't crash on branch, but the arrow key move code in the testcase works only on trunk, so that doesn't say everything.
The testcase uses a lot of evil code, that's why I want to keep it security sensitive.
Talkback ID: TB21879144E
FindNextNode
FindNextTextNode
mozInlineSpellWordUtil::SetEnd
Reporter
Comment 1 • 18 years ago
I can simplify the testcase further if desired.
Assignee
Comment 2 • 18 years ago
I looked for other DOM navigation in this file that did not NULL check the result, and did not find any.
Attachment #232757 - Flags: review?(bryner)
Assignee
Comment 3 • 18 years ago
Comment on attachment 232757: Patch
This should have no risk and significant benefit.
Attachment #232757 - Flags: approval1.8.1?
Assignee
Updated • 18 years ago
Assignee: mscott → brettw
Updated • 18 years ago
Attachment #232757 - Flags: review?(bryner) → review+
Assignee
Comment 4 • 18 years ago
Fixed on trunk.
Assignee
Updated • 18 years ago
Priority: -- → P1
Target Milestone: --- → mozilla1.8.1beta2
Assignee
Updated • 18 years ago
Blocks: SpellCheckTracking
Comment on attachment 232757: Patch
a=dbaron on behalf of drivers. Please land on MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword once you have done so.
Attachment #232757 - Flags: approval1.8.1? → approval1.8.1+
Assignee
Comment 6 • 18 years ago
Fixed on branch.
Comment 7 • 18 years ago
https://bugzilla.mozilla.org/attachment.cgi?id=232610 ff2b2 debug/nightly windows/linux no crash verified 1.8
Keywords: fixed1.8.1 → verified1.8.1
Updated • 18 years ago
Whiteboard: [sg:nse] post ff1.5
Updated • 17 years ago
Group: security
Comment 8 • 15 years ago
dveditz: should this test remain private?
Updated • 13 years ago
Crash Signature: [@ FindNextNode]