The default bug view has changed. See this FAQ.
Bug 375928 (CVE-2010-0175)

[@ nsTreeRange::Contains]

RESOLVED FIXED

Status

()

Core
XUL
--
critical
RESOLVED FIXED
10 years ago
6 years ago

People

(Reporter: timeless, Assigned: smaug)

Tracking

({crash, verified1.9.0.19, verified1.9.1})

Trunk
x86
Mac OS X
crash, verified1.9.0.19, verified1.9.1
Points:
---
Bug Flags:
blocking1.9.0.19 +
wanted1.9.0.x +

Firefox Tracking Flags

(blocking1.9.1 .9+, status1.9.1 .9-fixed)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
Date/Time:      2007-03-29 17:54:05.050 +0300
OS Version:     10.4.9 (Build 8P2137)
Report Version: 4

Command: firefox-bin
Path:    /Users/ui/Desktop/Minefield.app/Contents/MacOS/firefox-bin
Parent:  launchd [1]

Version: 3.0a4pre (3.0a4pre)

PID:    485
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x42b4000c

Thread 0 Crashed:
0   org.mozilla.firefox 	0x00823d8b nsTreeRange::Contains(int) + 9
1   org.mozilla.firefox 	0x0070603d nsTreeSelection::SelectCallback(nsITimer*, void*) + 235
2   org.mozilla.firefox 	0x005d488b nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*) + 221
3   org.mozilla.firefox 	0x005d8a0e nsTreeBodyFrame::PaintRow(int, nsRect const&, nsPresContext*, nsIRenderingContext&, nsRect const&, nsPoint) + 64
4   org.mozilla.firefox 	0x005d94a7 nsTreeBodyFrame::PaintTreeBody(nsIRenderingContext&, nsRect const&, nsPoint) + 1165
5   org.mozilla.firefox 	0x005d94ec nsTreeBodyFrame::PaintTreeBody(nsIRenderingContext&, nsRect const&, nsPoint) + 1234
6   org.mozilla.firefox 	0x007ec62f nsDisplayGeneric::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 71
7   org.mozilla.firefox 	0x003ae429 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) const + 47
8   org.mozilla.firefox 	0x003ae4c1 nsDisplayClip::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 119
9   org.mozilla.firefox 	0x003ae429 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) const + 47
10  org.mozilla.firefox 	0x00385b7f nsLayoutUtils::PaintFrame(nsIRenderingContext*, nsIFrame*, nsRegion const&, unsigned) + 425
11  org.mozilla.firefox 	0x001242f6 nsIPresShell::RemoveWeakFrame(nsWeakFrame*) + 504
12  org.mozilla.firefox 	0x001b7ad8 nsViewManager::RenderViews(nsView*, nsIRenderingContext&, nsRegion const&, nsIDrawingSurface*) + 232
13  org.mozilla.firefox 	0x001b7daf nsViewManager::Refresh(nsView*, nsIRenderingContext*, nsIRegion*, unsigned) + 695
14  org.mozilla.firefox 	0x001b90f5 nsViewManager::FlushPendingInvalidates() + 3035
15  org.mozilla.firefox 	0x003669b2 nsView::LoadWidget(nsID const&) + 188
16  org.mozilla.firefox 	0x00268a84 nsChildView::~nsChildView [in-charge deleting]() + 2518
17  org.mozilla.firefox 	0x00267788 nsChildView::DispatchWindowEvent(nsGUIEvent&) + 34
18  org.mozilla.firefox 	0x0026c756 nsChildView::ReportMoveEvent() + 1594
19  com.apple.AppKit    	0x932e33b1 -[NSView _drawRect:clip:] + 3228
20  com.apple.AppKit    	0x932e1893 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1273
21  com.apple.AppKit    	0x932e2041 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
22  com.apple.AppKit    	0x932e0362 -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 523
23  com.apple.AppKit    	0x932dfc8e -[NSView displayIfNeeded] + 439
24  org.mozilla.firefox 	0x0026524b nsChildView::OnPaint(nsPaintEvent&) + 39
25  org.mozilla.firefox 	0x001b5959 nsViewManager::UpdateWidgetsForView(nsView*) + 35
26  org.mozilla.firefox 	0x001b59a8 nsViewManager::UpdateWidgetsForView(nsView*) + 114
27  org.mozilla.firefox 	0x001b55db nsViewManager::GetAbsoluteRect(nsView*, nsRect const&, nsRect&) + 213
28  org.mozilla.firefox 	0x001b7932 nsViewManager::UpdateWidgetArea(nsView*, nsRegion const&, nsView*) + 1506
29  org.mozilla.firefox 	0x00369e30 nsIFrame::InvalidateRoot(nsRect const&, int, int, int) + 104
30  org.mozilla.firefox 	0x005d9e7e ViewportFrame::InvalidateInternal(nsRect const&, int, int, nsIFrame*, int) + 144
31  org.mozilla.firefox 	0x0036a31b nsIFrame::Invalidate(nsRect const&, int) + 121
32  org.mozilla.firefox 	0x005d0d88 nsTreeBodyFrame::GetImageSourceRect(nsStyleContext*, int, imgIContainer*) + 302
33  org.mozilla.firefox 	0x0070613e nsTreeSelection::SelectCallback(nsITimer*, void*) + 492
34  org.mozilla.firefox 	0x00706c15 nsTreeSelection::~nsTreeSelection [in-charge]() + 2383
35  libxpcom_core.dylib 	0x00df3ed1 NS_InvokeByIndex + 81
36  org.mozilla.firefox 	0x0034523e XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) + 738
37  org.mozilla.firefox 	0x00335553 XPC_WN_CallMethod(JSContext*, JSObject*, unsigned, long*, long*) + 261
38  libmozjs.dylib      	0x00d41805 js_Invoke + 790
39  libmozjs.dylib      	0x00d35f2c js_Interpret + 3773
40  libmozjs.dylib      	0x00d41d96 js_Invoke + 2215
41  libmozjs.dylib      	0x00d4225c js_InternalInvoke + 146
42  libmozjs.dylib      	0x00d09e27 JS_CallFunctionValue + 62
43  org.mozilla.firefox 	0x0042338a nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) + 624
44  org.mozilla.firefox 	0x0045d512 nsJSEventListener::~nsJSEventListener [in-charge deleting]() + 570
45  org.mozilla.firefox 	0x00622b99 nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver*, nsIDOMEvent*) + 1539
46  org.mozilla.firefox 	0x00624eae nsXBLMouseEventHandler::EventMatched(nsIDOMEvent*) + 382
47  org.mozilla.firefox 	0x0019288f nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsISupports*, unsigned) + 75
48  org.mozilla.firefox 	0x0019384e nsEventListenerManager::FixContextMenuEvent(nsPresContext*, nsISupports*, nsEvent*, nsIDOMEvent**) + 1462
49  org.mozilla.firefox 	0x003bdf45 nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned) + 129
50  org.mozilla.firefox 	0x003be14b nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned, nsDispatchingCallback*) + 487
51  org.mozilla.firefox 	0x003be9a1 nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) + 747
52  org.mozilla.firefox 	0x001273eb PresShell::HandleEventInternal(nsEvent*, nsIView*, nsEventStatus*) + 289
53  org.mozilla.firefox 	0x00128dea PresShell::RetargetEventToParent(nsGUIEvent*, nsEventStatus*) + 1024
54  org.mozilla.firefox 	0x001b62ef nsViewManager::HandleEvent(nsView*, nsPoint, nsGUIEvent*, int) + 71
55  org.mozilla.firefox 	0x001b8979 nsViewManager::FlushPendingInvalidates() + 1119
56  org.mozilla.firefox 	0x003669b2 nsView::LoadWidget(nsID const&) + 188
57  org.mozilla.firefox 	0x00268a84 nsChildView::~nsChildView [in-charge deleting]() + 2518
58  org.mozilla.firefox 	0x00267788 nsChildView::DispatchWindowEvent(nsGUIEvent&) + 34
59  org.mozilla.firefox 	0x0026a53b nsChildView::~nsChildView [in-charge]() + 5623
60  com.apple.AppKit    	0x93341be1 -[NSWindow sendEvent:] + 7377
61  com.apple.AppKit    	0x93333350 -[NSApplication sendEvent:] + 5023
62  com.apple.AppKit    	0x9325ddfe -[NSApplication run] + 547
63  org.mozilla.firefox 	0x002612e1 nsAppShell::ProcessNextNativeEvent(int) + 519
64  org.mozilla.firefox 	0x002cb70d nsAppStartup::AttemptingQuit(int) + 279
65  org.mozilla.firefox 	0x00006e36 XRE_main + 8100
66  org.mozilla.firefox 	0x00003298 main + 32
67  org.mozilla.firefox 	0x0000321e start + 270
68  org.mozilla.firefox 	0x00003139 start + 41
(Reporter)

Updated

10 years ago
OS: Windows XP → Mac OS X
(Reporter)

Updated

9 years ago
Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: xptoolkit.trees → xptoolkit.widgets

Comment 1

8 years ago
smaug, is this stack trace useful?  If it's not, please resolve as WFM or INCO.
Whiteboard: [needs stack evaluated for usefulness - xul trees]
(Assignee)

Updated

8 years ago
Assignee: Jan.Varga → Olli.Pettay
Group: core-security
(Assignee)

Comment 2

8 years ago
Created attachment 389876 [details] [diff] [review]
patch

Better to keep everything alive when dispatching an event.
Without the patch self->mSelectTimer = nsnull; may use deleted 'self', I think.

The patch is the safest possible. Better one would be to set mSelectTimer to null
before firing the event, but that'd change the behavior.
Attachment #389876 - Flags: superreview?(roc)
Attachment #389876 - Flags: review?(roc)

Updated

8 years ago
Whiteboard: [needs stack evaluated for usefulness - xul trees]
Attachment #389876 - Flags: superreview?(roc)
Attachment #389876 - Flags: superreview+
Attachment #389876 - Flags: review?(roc)
Attachment #389876 - Flags: review+

Comment 3

8 years ago
The super-review policy changed recently, so this patch needs another review or super-review.
(Assignee)

Updated

8 years ago
Attachment #389876 - Flags: superreview+ → superreview?(neil)

Updated

8 years ago
Attachment #389876 - Flags: superreview?(neil) → superreview+
(Assignee)

Comment 4

8 years ago
http://hg.mozilla.org/mozilla-central/rev/3b90acb2c845
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Comment 5

7 years ago
Comment on attachment 389876 [details] [diff] [review]
patch

Applies to 1.9.1.x and
based on mxr the same code is on 1.9.0.x too.
Attachment #389876 - Flags: approval1.9.1.9?
Attachment #389876 - Flags: approval1.9.0.19?
Whiteboard: [sg:critical?]
Comment on attachment 389876 [details] [diff] [review]
patch

a=beltzner for 1.9.1.9 and 1.9.0.19
Attachment #389876 - Flags: approval1.9.1.9?
Attachment #389876 - Flags: approval1.9.1.9+
Attachment #389876 - Flags: approval1.9.0.19?
Attachment #389876 - Flags: approval1.9.0.19+
blocking1.9.1: --- → .9+
status1.9.1: --- → wanted
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.19+
Blocks: 540100
Anything holding back landings here?
Whiteboard: [sg:critical?] → [sg:critical?][needs landing 1.9.0.19][needs landing 1.9.1.9]
(Assignee)

Updated

7 years ago
Keywords: fixed1.9.0.19
Whiteboard: [sg:critical?][needs landing 1.9.0.19][needs landing 1.9.1.9] → [sg:critical?][needs landing 1.9.1.9]
(Assignee)

Comment 8

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/a69868caca4e
status1.9.1: wanted → .9-fixed
Whiteboard: [sg:critical?][needs landing 1.9.1.9] → [sg:critical?]
Is there any way to trigger this issue for verification purposes?
(Assignee)

Comment 10

7 years ago
Bug 540100 has the testcase for this.
Using that testcase on OS X here (verified it for Windows with 540100).

Verified fixed in 1.9.0 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.0.19pre) Gecko/2010031204 GranParadiso/3.0.19pre. 

Verified fixed in 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.9pre) Gecko/20100312 Shiretoko/3.5.9pre.
Keywords: fixed1.9.0.19 → verified1.9.0.19, verified1.9.1
Alias: CVE-2010-0175
Group: core-security
Crash Signature: [@ nsTreeRange::Contains]
You need to log in before you can comment on or make changes to this bug.