Closed Bug 375135 Opened 17 years ago Closed 11 years ago

Uncaught exception from operator new in nsGenericDOMDataNode::SetTextInternal

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows Vista
defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: msg, Unassigned)

Details

(Keywords: meta, sec-other, Whiteboard: [sg:nse] attached testcase points at other bugs)

Attachments

(2 files)

User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a3pre) Gecko/20070322 Minefield/3.0a3pre

Found during fuzzing using gflags.  Triggers on call to document.activeElement.attributes.1.lastChild.insertData, but does not occur if called directly.  Using a release build with debugging symbols.

(c10.1f7c): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=0012d20c ebx=00000000 ecx=00000003 edx=00000000 esi=74e1451c edi=0012f540
eip=7715b09e esp=0012d20c ebp=0012d25c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
kernel32!RaiseException+0x58:
7715b09e c9              leave
0:000> kb
ChildEBP RetAddr  Args to Child              
0012d25c 74da8e69 e06d7363 00000001 00000003 kernel32!RaiseException+0x58
0012d294 74db0e5d 0012d2a4 74e05764 74de70e8 MSVCR80!_CxxThrowException+0x46
0012d2b0 00943b44 000821b8 00000000 7a8c7fd0 MSVCR80!operator new+0x69
0012d3ec 0094397a 00000000 00000000 03bf9d80 firefox!nsGenericDOMDataNode::SetTextInternal+0x154 [c:\audits\firefox\src021007-nightlysettings\mozilla\content\base\src\nsgenericdomdatanode.cpp @ 437]
0012d40c 007da636 00000000 7ad75c00 0012d438 firefox!nsGenericDOMDataNode::InsertData+0x2a [c:\audits\firefox\src021007-nightlysettings\mozilla\content\base\src\nsgenericdomdatanode.cpp @ 376]
*** WARNING: Unable to verify checksum for C:\audits\firefox\src021007-nightlysettings\mozilla\obj-i686-pc-cygwin\dist\bin\xpcom_core.dll
0012d41c 02b489e7 7a8c7fec 00000000 7ad75c00 firefox!nsTextNode::InsertData+0x16 [c:\audits\firefox\src021007-nightlysettings\mozilla\content\base\src\nstextnode.cpp @ 69]
0012d438 0052cff8 7a8c7fec 00000021 00000002 xpcom_core!NS_InvokeByIndex+0x27 [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 102]


Reproducible: Always

Steps to Reproduce:

NOTE: gflags will cause firefox to consume largs amounts of ram.  On my system about 1gb.

0. Unzip repro-insertData.zip somplace
1. gflags /p /full /enable firefox.exe
2. Start firefox, attach windbg
3. Load repro-insertData/chrome/content/mab.xul
4. Should see alert that peachdom.js loaded
5. Click on "Go to Amazon" button at bottom of page.
6. Should see alert that fuzzer is starting
7. In short time (less then 2 min) should break into windbg



about:buildconfig

$(CYGWIN_WRAPPER) cl  	14.00.50727  	-TC -nologo -W3 -Gy -Fd$(PDBFILE)
$(CYGWIN_WRAPPER) cl 	14.00.50727 	-GR- -TP -nologo -Zc:wchar_t- -W3 -Gy -Fd$(PDBFILE)

--enable-application=browser --enable-update-channel=nightly --enable-optimize=/Zi --disable-debug --disable-tests --enable-static --disable-shared --enable-svg --enable-canvas --enable-default-toolkit=cairo-windows --disable-installer
This contains the reproduction test case.  Had to split it due to file size limitations
** SECURITY NOTE ***

Please leave this locked security-sensitive at the attached repro steps contain
a fuzzer that finds other security related bugs in firefox!
could be mistaken, but this looks more like it could be DOM.  switching components
Assignee: nobody → general
Component: XP Toolkit/Widgets: XUL → DOM
QA Contact: xptoolkit.xul → ian
jst or peterv, does that sound right?
Based on the information available here, that does sound right.
Whiteboard: sg:nse
Whiteboard: sg:nse → [sg:nse]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: meta
Whiteboard: [sg:nse] → [sg:nse] attached testcase points at other bugs
This WFM now, operator new now aborts on oom.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: