Closed Bug 358415 Opened 18 years ago Closed 18 years ago

Crash [@ nsHTMLCSSUtils::GetCSSInlinePropertyBase] when inputing title of new blog entry on blogger.com before page is entirely loaded up

Categories

(Core :: DOM: Editor, defect)

Product:
Core
Component:
DOM: Editor
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: tony.bruguier, Assigned: smaug)

References

(
URL
)

Details

(4 keywords)

Crash Data

Attachments

(2 files)

testcase
812 bytes, text/html
Details
proposed patch for branch
2.90 KB, patch
jst
: review+
jst
: superreview+
jay
: approval1.8.1.2+
jay
: approval1.8.0.10+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0

I think it is related to bug #353704, except I think I have much more detail. This bug occurred with versions 1.5.x and is still present on version 2.x for Windows XP Home.

If you have an account on blogger.com, you can add new entries to your posts my clicking on the + icon. When you do so, a new page that contains input fields for the title and main text of the entry loads up. If you wait for the loading to be done, everything is fine, but if you are impatient and click on the title field and start typing while the page is loading, Firefox crashes.

I can reproduce it sometimes, it all depends on how fast you are. My hunch is that it's a JavaScript issue, and I hope it's not a security risk.

Reproducible: Sometimes

Steps to Reproduce:
1. Create an account with blogger.com and choose to stay signed on and create one blog
2. go to: http://www.blogger.com/home, you should see a page titled "Dashboard" with the list of blogs you have. To the right of each blog name, there should be a "+" icon
3. click on the icon
4. while the page is loading, click on the field for the title and start typing. Timing is *essential*, if you are too slow, it will not crash

Actual Results:  
The Firefox program crashes, Windows asks if I want to send a report (I said yes), and the reporting program asks to send an information (I submitted it too).

Expected Results:  
I expect Firefox not to crash and my title to be inputted.

I hope I was clear, please contact me if you need additional information:
http://www.bruguier.com/contact.html

I checked the 'security problem' box just in case. I am *not* a security expert, but I have heard that JavaScript is a way to infect machines with crashed or buffer overflows... Once again, I am not knowledgeable enough to tell for sure, so I ticked it. Better safe than sorry.

Finally, I rated it as "critical" because it crashes. This problem is limited to blogger.com, to my knowledge.
Ok, I get this talkback ID: TB25363976Z
nsHTMLCSSUtils::GetCSSInlinePropertyBase  [mozilla\editor\libeditor\html\nshtmlcssutils.cpp, line 576]
0x034592a8
0xc2800040
0x64303041

I'll attach a testcase that gives the same kind of crash.

I can see this crash even in Mozilla1.7, so it doesn't seem like a regression.

Not sure if this bug should be security sensitive.
Status: UNCONFIRMED → NEW
Component: General → Editor
Ever confirmed: true
Keywords: crash, testcase
Product: Firefox → Core
QA Contact: general
Version: unspecified → Trunk
Attached file testcase 
Summary: Crash when inputing title of new blog entry on blogger.com before page is entirely loaded up → Crash [@ nsHTMLCSSUtils::GetCSSInlinePropertyBase] when inputing title of new blog entry on blogger.com before page is entirely loaded up

    
    

    
  
Simple null check should be enough in this case.
Just changing the following line http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/editor/libeditor/html/nsHTMLCSSUtils.cpp&mark=574&rev=#574
to 
if (NS_FAILED(res) || !cssDecl) return res;

That is because nsGlobalWindow::GetComputedStyle may return NS_OK and null 
cssDecl if mDocShell or presshell is null.

Other option would be to return some sort of empty cssDecl if mDocShell or presshell is null.

Will test and make a patch tomorrow.

    
    

    
  
This is #87 crasher in FF2

    
    

    
  


  
Assignee: nobody → Olli.Pettay
Status: NEW → ASSIGNED

    
    

    
  
I propose adding null checks to branch, but for trunk
the initialization of nsIComputedDOMStyle could be changed a bit so that
GlobalWindow wouldn't have to have mDocShell and ::GetComputedStyle
wouldn't ever return NS_OK if the returned object is null.

DOM spec sucks, it doesn't handle any error cases, so there aren't
any exceptions defined for getComputedStyle.

And btw, as far as I see, this is just a null pointer crash.

    
    

    
  
If there's no docshell, there's no presshell either, so we should just throw, imho....

And yes, I'm cool with getComputedStyle throwing something like NS_ERROR_NOT_AVAILABLE if there's nothing in the window.
Blocks: 364681

    
    

    
  
Olli, you want the proposed patch for branch get reviewed.
Should this bug stay security sensitive?
Flags: blocking1.8.1.2?

    
    

    
  
(In reply to comment #8)
> And yes, I'm cool with getComputedStyle throwing something like
> NS_ERROR_NOT_AVAILABLE if there's nothing in the window.
> 
But that would change the API a bit. I wonder if some sites would break 
because of that.

And this is null pointer crash, so shouldn't be security sensitive, I think.


    
    

    
  
Comment on attachment 244458 [details] [diff] [review]
proposed patch for branch

r+sr=jst, and requesting approval for the branches.

        Attachment #244458 -
        Flags: superreview+

        Attachment #244458 -
        Flags: review+

        Attachment #244458 -
        Flags: approval1.8.1.2?

        Attachment #244458 -
        Flags: approval1.8.0.10?

    
    

    
  
Comment on attachment 244458 [details] [diff] [review]
proposed patch for branch

Approved for both branches, a=jay for drivers.

        Attachment #244458 -
        Flags: approval1.8.1.2?

        Attachment #244458 -
        Flags: approval1.8.1.2+

        Attachment #244458 -
        Flags: approval1.8.0.10?

        Attachment #244458 -
        Flags: approval1.8.0.10+

    
  
Flags: blocking1.8.1.2? → blocking1.8.1.2-

    
    

    
  
Yeah, this is not really an exploitable crash.  At least not without relying on OS bugs...
Group: security

    
    

    
  
Checked in to trunk. Will check in to branches ASAP.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
Verify fixed for 1.8.0.10 and 1.8.1.2 with Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.2pre) Gecko/2007011903 BonEcho/2.0.0.2pre and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.10pre) Gecko/20070120 Firefox/1.5.0.10pre ID:2007012008 
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.10, 
          
            fixed1.8.1.2verified1.8.0.10, 
          
            verified1.8.1.2
Crash Signature: [@ nsHTMLCSSUtils::GetCSSInlinePropertyBase]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: