Closed Bug 375093 Opened 17 years ago Closed 17 years ago

Crash [@ nsTypedSelection::ScrollIntoView] when right-clicking paste in input which then gets destroyed oninput

Categories: Core :: DOM: UI Events & Focus Handling, defect
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
People: Reporter: martijn.martijn, Assigned: smaug
Attachments: 3 files

Attached file testcase
See testcase: when pasting something into the text input via the context menu, the surrounding iframe gets destroyed.
This crashes Mozilla; it also crashes current branch builds, so I'm marking this security-sensitive for now.

Talkback ID: TB30519454E
nsTypedSelection::ScrollIntoView  [mozilla/layout/generic/nsselection.cpp, line 7293]
nsFrameSelection::ScrollSelectionIntoView  [mozilla/layout/generic/nsselection.cpp, line 2535]
nsEditor::ScrollSelectionIntoView  [mozilla/editor/libeditor/base/nseditor.cpp, line 2492]
nsPlaintextEditor::InsertTextFromTransferable  [mozilla/editor/libeditor/text/nsplaintextdatatransfer.cpp, line 142]

I also got this talkback 2 times, talkback ID: TB30519322Z
MSVCR80.dll + 0x1520a (0x7814520a)
nsVoidArray::RemoveElementsAt  [mozilla/xpcom/build/nsvoidarray.cpp, line 591]
nsTextControlFrame::FireOnInput  [mozilla/layout/forms/nstextcontrolframe.cpp, line 2472]
nsTextInputListener::EditAction  [mozilla/layout/forms/nstextcontrolframe.cpp, line 517]
nsEditor::NotifyEditorObservers  [mozilla/editor/libeditor/base/nseditor.cpp, line 1795]
nsAutoPlaceHolderBatch::~nsAutoPlaceHolderBatch  [mozilla/editor/libeditor/base/nseditorutils.h, line 66]
Assignee: events → Olli.Pettay
This is just a null pointer crash.
Group: security
Attached patch: proposed patch
This is what the code does elsewhere in nsSelection.cpp; 
checking both return value and presshell.
Attachment #259419 - Flags: superreview?(dbaron)
Attachment #259419 - Flags: review?(dbaron)
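The re-entrancy hazard behind this crash, as an added example that is neither Gecko code nor the attached patch: the paste runs inside a placeholder batch, the batch's destructor notifies editor observers (that is where the page's oninput handler runs, per the second stack in comment 0), and only then does the editor scroll the selection into view. If the handler removed the iframe, the pres shell the scroll step wants is gone. Every class and function name below (PresShell, Frame, PlaceHolderBatch, Editor, and the nsresult stand-ins) is an assumed stand-in for the real nsEditor/nsFrameSelection machinery, not the actual API; the checked branch shows the "check both the return value and the pres shell" pattern the patch comment describes, and the unchecked branch is the pre-patch behaviour.

```cpp
#include <cstdint>
#include <functional>
#include <memory>
#include <string>
#include <vector>

using nsresult = int32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_FAILURE = -1;
inline bool NS_FAILED(nsresult rv) { return rv < 0; }

// Stand-in for the pres shell; counts how often the selection was scrolled.
struct PresShell {
  int scrollCalls = 0;
  void ScrollTo() { ++scrollCalls; }
};

// Stand-in for the text control's frame.  Removing the iframe from the
// document destroys the frame, which drops its pres shell.
struct Frame {
  std::shared_ptr<PresShell> shell = std::make_shared<PresShell>();
  void Destroy() { shell.reset(); }
};

struct Editor;

// Models nsAutoPlaceHolderBatch: the edit runs inside it, and its destructor
// notifies editor observers, which is where the page's oninput handler fires.
struct PlaceHolderBatch {
  Editor& editor;
  explicit PlaceHolderBatch(Editor& e) : editor(e) {}
  ~PlaceHolderBatch();
};

struct Editor {
  Frame* frame;                                        // not owned
  std::string text;
  std::vector<std::function<void(Editor&)>> onInput;   // editor observers
  bool checked;   // true = patched behaviour, false = the crashing one

  Editor(Frame* f, bool useChecks) : frame(f), checked(useChecks) {}

  // COM-style getter: an nsresult plus an out-parameter.  rv can be NS_OK
  // while the out-parameter is null (frame object alive, shell already
  // gone), which is why the patch checks both.
  nsresult GetPresShell(std::shared_ptr<PresShell>* outShell) {
    if (!frame) { *outShell = nullptr; return NS_ERROR_FAILURE; }
    *outShell = frame->shell;
    return NS_OK;
  }

  void NotifyEditorObservers() {
    for (auto& listener : onInput) listener(*this);
  }

  // The scroll step.  Unchecked is the pre-patch behaviour and dereferences
  // a null shell once oninput has torn the frame down; checked is the
  // pattern the patch comment describes.
  nsresult ScrollSelectionIntoView() {
    std::shared_ptr<PresShell> shell;
    nsresult rv = GetPresShell(&shell);
    if (checked && (NS_FAILED(rv) || !shell)) return NS_ERROR_FAILURE;
    shell->ScrollTo();   // null dereference when !checked and shell is gone
    return NS_OK;
  }

  // Models nsPlaintextEditor::InsertTextFromTransferable: edit inside the
  // batch, observers notified when the batch ends, then scroll.
  nsresult InsertTextFromTransferable(const std::string& pasted) {
    {
      PlaceHolderBatch batch(*this);
      text += pasted;
    }  // ~PlaceHolderBatch -> NotifyEditorObservers -> oninput
    return ScrollSelectionIntoView();
  }
};

PlaceHolderBatch::~PlaceHolderBatch() { editor.NotifyEditorObservers(); }

// The testcase scenario: paste into the input while an oninput handler
// destroys the surrounding frame.  Returns the paste's nsresult.  With
// useChecks == false this is the crash, so only call it with true.
nsresult PasteWithDestructiveOnInput(bool useChecks) {
  Frame frame;
  Editor editor(&frame, useChecks);
  editor.onInput.push_back([](Editor& ed) { ed.frame->Destroy(); });
  return editor.InsertTextFromTransferable("pasted");
}

// Control case: a benign oninput handler; the selection is scrolled once.
int PasteWithBenignOnInput(bool useChecks) {
  Frame frame;
  Editor editor(&frame, useChecks);
  editor.onInput.push_back([](Editor&) {});
  editor.InsertTextFromTransferable("pasted");
  return frame.shell->scrollCalls;
}
```

The point to take away is that any code which runs script-reachable observers and then keeps using objects it fetched earlier (or fetches via a getter whose out-parameter can be null on success) has to re-validate after the notification; a null check on the return value alone is not enough when the getter reports NS_OK with nothing to return.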
Comment on attachment 259419: proposed patch

r+sr=dbaron, although it would be nice to deCOMtaminate these getters at some point.
Attachment #259419 - Flags: superreview?(dbaron)
Attachment #259419 - Flags: superreview+
Attachment #259419 - Flags: review?(dbaron)
Attachment #259419 - Flags: review+
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
I'm still crashing sometimes (let's say in 20% of the times) with the testcase, talkback ID: TB30548433Z
MSVCR80.dll + 0x1520a (0x7814520a)
nsVoidArray::RemoveElementsAt  [mozilla/xpcom/build/nsvoidarray.cpp, line 591]
nsTextControlFrame::FireOnInput  [mozilla/layout/forms/nstextcontrolframe.cpp, line 2472]
nsTextInputListener::EditAction  [mozilla/layout/forms/nstextcontrolframe.cpp, line 517]
nsEditor::NotifyEditorObservers  [mozilla/editor/libeditor/base/nseditor.cpp, line 1795]
nsAutoPlaceHolderBatch::~nsAutoPlaceHolderBatch  [mozilla/editor/libeditor/base/nseditorutils.h, line 66]
(this is the same as the second backtrace in comment 0)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I tested with a 2007-03-24 04 build.
Hmm, I never got that stack trace. Is that somehow Windows-only? :/
Martijn, could you test this?
(In reply to comment #7)
> Martijn, could you test this?

Sorry, I haven't been able to reproduce this crash at all in my debug build (tried 20 times or so).
I tried this with non-debug-linux-build, but couldn't get it to crash.
Could there be a new bug to handle the other crash? The stack trace is
quite different anyway.
Blocks: 375196
I opened bug 375196. Closing this one.
Status: REOPENED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Is this useful for branch? The patch seems safe.
Olli, is the patch useful for branches?
Attachment #259419 - Flags: approval1.8.1.5?
Attachment #259419 - Flags: approval1.8.0.13?
Comment on attachment 259419: proposed patch

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Attachment #259419 - Flags: approval1.8.1.5?
Attachment #259419 - Flags: approval1.8.1.5+
Attachment #259419 - Flags: approval1.8.0.13?
Attachment #259419 - Flags: approval1.8.0.13+
verified fixed 1.8.1.5 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.5pre) Gecko/20070704 BonEcho/2.0.0.5pre ID:2007070403 and the testcase from this bug - no crash -> adding verified keyword
verified fixed 1.8.0.13 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.13pre) Gecko/20070822 Firefox/1.5.0.13pre - no crash on testcase

Adding verified keyword
Crash Signature: [@ nsTypedSelection::ScrollIntoView]
Flags: in-testsuite?
Component: Event Handling → User events and focus handling