Closed Bug 375928 (CVE-2010-0175) Opened 18 years ago Closed 15 years ago

[@ nsTreeRange::Contains]

Categories

(Core :: XUL, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
blocking1.9.1 --- .9+
status1.9.1 --- .9-fixed

People

(Reporter: timeless, Assigned: smaug)

References

Details

(Keywords: crash, verified1.9.0.19, verified1.9.1, Whiteboard: [sg:critical?])

Crash Data

Attachments

(1 file)

Date/Time: 2007-03-29 17:54:05.050 +0300
OS Version: 10.4.9 (Build 8P2137)
Report Version: 4
Command: firefox-bin
Path: /Users/ui/Desktop/Minefield.app/Contents/MacOS/firefox-bin
Parent: launchd [1]
Version: 3.0a4pre (3.0a4pre)
PID: 485
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x42b4000c

Thread 0 Crashed:
0 org.mozilla.firefox 0x00823d8b nsTreeRange::Contains(int) + 9
1 org.mozilla.firefox 0x0070603d nsTreeSelection::SelectCallback(nsITimer*, void*) + 235
2 org.mozilla.firefox 0x005d488b nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*) + 221
3 org.mozilla.firefox 0x005d8a0e nsTreeBodyFrame::PaintRow(int, nsRect const&, nsPresContext*, nsIRenderingContext&, nsRect const&, nsPoint) + 64
4 org.mozilla.firefox 0x005d94a7 nsTreeBodyFrame::PaintTreeBody(nsIRenderingContext&, nsRect const&, nsPoint) + 1165
5 org.mozilla.firefox 0x005d94ec nsTreeBodyFrame::PaintTreeBody(nsIRenderingContext&, nsRect const&, nsPoint) + 1234
6 org.mozilla.firefox 0x007ec62f nsDisplayGeneric::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 71
7 org.mozilla.firefox 0x003ae429 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) const + 47
8 org.mozilla.firefox 0x003ae4c1 nsDisplayClip::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 119
9 org.mozilla.firefox 0x003ae429 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) const + 47
10 org.mozilla.firefox 0x00385b7f nsLayoutUtils::PaintFrame(nsIRenderingContext*, nsIFrame*, nsRegion const&, unsigned) + 425
11 org.mozilla.firefox 0x001242f6 nsIPresShell::RemoveWeakFrame(nsWeakFrame*) + 504
12 org.mozilla.firefox 0x001b7ad8 nsViewManager::RenderViews(nsView*, nsIRenderingContext&, nsRegion const&, nsIDrawingSurface*) + 232
13 org.mozilla.firefox 0x001b7daf nsViewManager::Refresh(nsView*, nsIRenderingContext*, nsIRegion*, unsigned) + 695
14 org.mozilla.firefox 0x001b90f5 nsViewManager::FlushPendingInvalidates() + 3035
15 org.mozilla.firefox 0x003669b2 nsView::LoadWidget(nsID const&) + 188
16 org.mozilla.firefox 0x00268a84 nsChildView::~nsChildView [in-charge deleting]() + 2518
17 org.mozilla.firefox 0x00267788 nsChildView::DispatchWindowEvent(nsGUIEvent&) + 34
18 org.mozilla.firefox 0x0026c756 nsChildView::ReportMoveEvent() + 1594
19 com.apple.AppKit 0x932e33b1 -[NSView _drawRect:clip:] + 3228
20 com.apple.AppKit 0x932e1893 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1273
21 com.apple.AppKit 0x932e2041 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
22 com.apple.AppKit 0x932e0362 -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 523
23 com.apple.AppKit 0x932dfc8e -[NSView displayIfNeeded] + 439
24 org.mozilla.firefox 0x0026524b nsChildView::OnPaint(nsPaintEvent&) + 39
25 org.mozilla.firefox 0x001b5959 nsViewManager::UpdateWidgetsForView(nsView*) + 35
26 org.mozilla.firefox 0x001b59a8 nsViewManager::UpdateWidgetsForView(nsView*) + 114
27 org.mozilla.firefox 0x001b55db nsViewManager::GetAbsoluteRect(nsView*, nsRect const&, nsRect&) + 213
28 org.mozilla.firefox 0x001b7932 nsViewManager::UpdateWidgetArea(nsView*, nsRegion const&, nsView*) + 1506
29 org.mozilla.firefox 0x00369e30 nsIFrame::InvalidateRoot(nsRect const&, int, int, int) + 104
30 org.mozilla.firefox 0x005d9e7e ViewportFrame::InvalidateInternal(nsRect const&, int, int, nsIFrame*, int) + 144
31 org.mozilla.firefox 0x0036a31b nsIFrame::Invalidate(nsRect const&, int) + 121
32 org.mozilla.firefox 0x005d0d88 nsTreeBodyFrame::GetImageSourceRect(nsStyleContext*, int, imgIContainer*) + 302
33 org.mozilla.firefox 0x0070613e nsTreeSelection::SelectCallback(nsITimer*, void*) + 492
34 org.mozilla.firefox 0x00706c15 nsTreeSelection::~nsTreeSelection [in-charge]() + 2383
35 libxpcom_core.dylib 0x00df3ed1 NS_InvokeByIndex + 81
36 org.mozilla.firefox 0x0034523e XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) + 738
37 org.mozilla.firefox 0x00335553 XPC_WN_CallMethod(JSContext*, JSObject*, unsigned, long*, long*) + 261
38 libmozjs.dylib 0x00d41805 js_Invoke + 790
39 libmozjs.dylib 0x00d35f2c js_Interpret + 3773
40 libmozjs.dylib 0x00d41d96 js_Invoke + 2215
41 libmozjs.dylib 0x00d4225c js_InternalInvoke + 146
42 libmozjs.dylib 0x00d09e27 JS_CallFunctionValue + 62
43 org.mozilla.firefox 0x0042338a nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) + 624
44 org.mozilla.firefox 0x0045d512 nsJSEventListener::~nsJSEventListener [in-charge deleting]() + 570
45 org.mozilla.firefox 0x00622b99 nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver*, nsIDOMEvent*) + 1539
46 org.mozilla.firefox 0x00624eae nsXBLMouseEventHandler::EventMatched(nsIDOMEvent*) + 382
47 org.mozilla.firefox 0x0019288f nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsISupports*, unsigned) + 75
48 org.mozilla.firefox 0x0019384e nsEventListenerManager::FixContextMenuEvent(nsPresContext*, nsISupports*, nsEvent*, nsIDOMEvent**) + 1462
49 org.mozilla.firefox 0x003bdf45 nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned) + 129
50 org.mozilla.firefox 0x003be14b nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned, nsDispatchingCallback*) + 487
51 org.mozilla.firefox 0x003be9a1 nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) + 747
52 org.mozilla.firefox 0x001273eb PresShell::HandleEventInternal(nsEvent*, nsIView*, nsEventStatus*) + 289
53 org.mozilla.firefox 0x00128dea PresShell::RetargetEventToParent(nsGUIEvent*, nsEventStatus*) + 1024
54 org.mozilla.firefox 0x001b62ef nsViewManager::HandleEvent(nsView*, nsPoint, nsGUIEvent*, int) + 71
55 org.mozilla.firefox 0x001b8979 nsViewManager::FlushPendingInvalidates() + 1119
56 org.mozilla.firefox 0x003669b2 nsView::LoadWidget(nsID const&) + 188
57 org.mozilla.firefox 0x00268a84 nsChildView::~nsChildView [in-charge deleting]() + 2518
58 org.mozilla.firefox 0x00267788 nsChildView::DispatchWindowEvent(nsGUIEvent&) + 34
59 org.mozilla.firefox 0x0026a53b nsChildView::~nsChildView [in-charge]() + 5623
60 com.apple.AppKit 0x93341be1 -[NSWindow sendEvent:] + 7377
61 com.apple.AppKit 0x93333350 -[NSApplication sendEvent:] + 5023
62 com.apple.AppKit 0x9325ddfe -[NSApplication run] + 547
63 org.mozilla.firefox 0x002612e1 nsAppShell::ProcessNextNativeEvent(int) + 519
64 org.mozilla.firefox 0x002cb70d nsAppStartup::AttemptingQuit(int) + 279
65 org.mozilla.firefox 0x00006e36 XRE_main + 8100
66 org.mozilla.firefox 0x00003298 main + 32
67 org.mozilla.firefox 0x0000321e start + 270
68 org.mozilla.firefox 0x00003139 start + 41
OS: Windows XP → Mac OS X
Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: xptoolkit.trees → xptoolkit.widgets
smaug, is this stack trace useful? If it's not, please resolve as WFM or INCO.
Whiteboard: [needs stack evaluated for usefulness - xul trees]
Assignee: Jan.Varga → Olli.Pettay
Group: core-security
Attached patch: patch
Better to keep everything alive when dispatching an event. Without the patch self->mSelectTimer = nsnull; may use deleted 'self', I think. The patch is the safest possible. Better one would be to set mSelectTimer to null before firing the event, but that'd change the behavior.
Attachment #389876 - Flags: superreview?(roc)
Attachment #389876 - Flags: review?(roc)
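A constructed model of the lifetime hazard smaug describes above (added here; it is not the bug's patch or Mozilla code): a timer callback dispatches an event, the handler drops the last reference to the selection, and the callback then stores through the raw `self` pointer. `TreeSelection`, `Timer`, `g_live` and `RunScenario` are stand-ins assumed for the example; `std::shared_ptr` plays the role of `nsRefPtr`, and the `g_live` set detects the dead object the way a sanitizer would, so the unsafe path never touches freed memory.

```cpp
#include <functional>
#include <memory>
#include <set>

// Constructed model of the hazard, not Mozilla code: std::shared_ptr stands in
// for nsRefPtr, and g_live plays the role a sanitizer would, so no freed memory
// is ever dereferenced when the unsafe path is exercised.
static std::set<const void*> g_live;  // addresses of live TreeSelection objects

struct Timer {};

struct TreeSelection : std::enable_shared_from_this<TreeSelection> {
  Timer* mSelectTimer = nullptr;
  std::function<void()> mSelectListener;  // stands in for the script "select" handler
  TreeSelection() { g_live.insert(this); }
  ~TreeSelection() { g_live.erase(this); }
  void FireOnSelectHandler() {
    auto listener = mSelectListener;  // copy: this object may die inside the call
    if (listener) listener();
  }
};

// Timer callback in the shape of nsTreeSelection::SelectCallback(nsITimer*, void*).
// Returns true if the write to self->mSelectTimer hit a live object.
static bool SelectCallback(Timer*, void* closure, bool keepAlive) {
  TreeSelection* self = static_cast<TreeSelection*>(closure);
  std::shared_ptr<TreeSelection> kungFuDeathGrip;
  if (keepAlive) {
    kungFuDeathGrip = self->shared_from_this();  // the fix: own self while dispatching
  }
  self->FireOnSelectHandler();  // the handler may drop the last reference to self
  if (!g_live.count(self)) {
    return false;  // self was destroyed during dispatch; the store below would be a UAF
  }
  self->mSelectTimer = nullptr;  // the store the unpatched code performs unconditionally
  return true;
}

// Scenario: the select handler releases the only other reference to the selection.
static bool RunScenario(bool keepAlive) {
  Timer timer;
  auto selection = std::make_shared<TreeSelection>();
  selection->mSelectTimer = &timer;
  TreeSelection* raw = selection.get();
  raw->mSelectListener = [&selection]() { selection.reset(); };
  return SelectCallback(&timer, raw, keepAlive);
}
```

`RunScenario(false)` reproduces the unpatched ordering and reports the dead object; `RunScenario(true)` holds the extra strong reference across dispatch, so the object outlives the callback and the store is safe.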
Whiteboard: [needs stack evaluated for usefulness - xul trees]
Attachment #389876 - Flags: superreview?(roc)
Attachment #389876 - Flags: superreview+
Attachment #389876 - Flags: review?(roc)
Attachment #389876 - Flags: review+
The super-review policy changed recently, so this patch needs another review or super-review.
Attachment #389876 - Flags: superreview+ → superreview?(neil)
Attachment #389876 - Flags: superreview?(neil) → superreview+
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment on attachment 389876 (patch): Applies to 1.9.1.x and based on mxr the same code is on 1.9.0.x too.
Attachment #389876 - Flags: approval1.9.1.9?
Attachment #389876 - Flags: approval1.9.0.19?
Whiteboard: [sg:critical?]
Comment on attachment 389876 (patch): a=beltzner for 1.9.1.9 and 1.9.0.19
Attachment #389876 - Flags: approval1.9.1.9?
Attachment #389876 - Flags: approval1.9.1.9+
Attachment #389876 - Flags: approval1.9.0.19?
Attachment #389876 - Flags: approval1.9.0.19+
blocking1.9.1: --- → .9+
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.19+
Blocks: 540100
Anything holding back landings here?
Whiteboard: [sg:critical?] → [sg:critical?][needs landing 1.9.0.19][needs landing 1.9.1.9]
Keywords: fixed1.9.0.19
Whiteboard: [sg:critical?][needs landing 1.9.0.19][needs landing 1.9.1.9] → [sg:critical?][needs landing 1.9.1.9]
Whiteboard: [sg:critical?][needs landing 1.9.1.9] → [sg:critical?]
Is there any way to trigger this issue for verification purposes?
Bug 540100 has the testcase for this.
Using that testcase on OS X here (verified it for Windows with 540100). Verified fixed in 1.9.0 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.0.19pre) Gecko/2010031204 GranParadiso/3.0.19pre. Verified fixed in 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.9pre) Gecko/20100312 Shiretoko/3.5.9pre.
Alias: CVE-2010-0175
Group: core-security
Crash Signature: [@ nsTreeRange::Contains]