Closed Bug 375928 (CVE-2010-0175) Opened 17 years ago Closed 15 years ago

[@ nsTreeRange::Contains]

Categories

(Core :: XUL, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
blocking1.9.1 --- .9+
status1.9.1 --- .9-fixed

People

(Reporter: timeless, Assigned: smaug)

References

Details

(Keywords: crash, verified1.9.0.19, verified1.9.1, Whiteboard: [sg:critical?])

Crash Data

Attachments

(1 file)

Date/Time:      2007-03-29 17:54:05.050 +0300
OS Version:     10.4.9 (Build 8P2137)
Report Version: 4

Command: firefox-bin
Path:    /Users/ui/Desktop/Minefield.app/Contents/MacOS/firefox-bin
Parent:  launchd [1]

Version: 3.0a4pre (3.0a4pre)

PID:    485
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x42b4000c

Thread 0 Crashed:
0   org.mozilla.firefox 	0x00823d8b nsTreeRange::Contains(int) + 9
1   org.mozilla.firefox 	0x0070603d nsTreeSelection::SelectCallback(nsITimer*, void*) + 235
2   org.mozilla.firefox 	0x005d488b nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*) + 221
3   org.mozilla.firefox 	0x005d8a0e nsTreeBodyFrame::PaintRow(int, nsRect const&, nsPresContext*, nsIRenderingContext&, nsRect const&, nsPoint) + 64
4   org.mozilla.firefox 	0x005d94a7 nsTreeBodyFrame::PaintTreeBody(nsIRenderingContext&, nsRect const&, nsPoint) + 1165
5   org.mozilla.firefox 	0x005d94ec nsTreeBodyFrame::PaintTreeBody(nsIRenderingContext&, nsRect const&, nsPoint) + 1234
6   org.mozilla.firefox 	0x007ec62f nsDisplayGeneric::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 71
7   org.mozilla.firefox 	0x003ae429 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) const + 47
8   org.mozilla.firefox 	0x003ae4c1 nsDisplayClip::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 119
9   org.mozilla.firefox 	0x003ae429 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) const + 47
10  org.mozilla.firefox 	0x00385b7f nsLayoutUtils::PaintFrame(nsIRenderingContext*, nsIFrame*, nsRegion const&, unsigned) + 425
11  org.mozilla.firefox 	0x001242f6 nsIPresShell::RemoveWeakFrame(nsWeakFrame*) + 504
12  org.mozilla.firefox 	0x001b7ad8 nsViewManager::RenderViews(nsView*, nsIRenderingContext&, nsRegion const&, nsIDrawingSurface*) + 232
13  org.mozilla.firefox 	0x001b7daf nsViewManager::Refresh(nsView*, nsIRenderingContext*, nsIRegion*, unsigned) + 695
14  org.mozilla.firefox 	0x001b90f5 nsViewManager::FlushPendingInvalidates() + 3035
15  org.mozilla.firefox 	0x003669b2 nsView::LoadWidget(nsID const&) + 188
16  org.mozilla.firefox 	0x00268a84 nsChildView::~nsChildView [in-charge deleting]() + 2518
17  org.mozilla.firefox 	0x00267788 nsChildView::DispatchWindowEvent(nsGUIEvent&) + 34
18  org.mozilla.firefox 	0x0026c756 nsChildView::ReportMoveEvent() + 1594
19  com.apple.AppKit    	0x932e33b1 -[NSView _drawRect:clip:] + 3228
20  com.apple.AppKit    	0x932e1893 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1273
21  com.apple.AppKit    	0x932e2041 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
22  com.apple.AppKit    	0x932e0362 -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 523
23  com.apple.AppKit    	0x932dfc8e -[NSView displayIfNeeded] + 439
24  org.mozilla.firefox 	0x0026524b nsChildView::OnPaint(nsPaintEvent&) + 39
25  org.mozilla.firefox 	0x001b5959 nsViewManager::UpdateWidgetsForView(nsView*) + 35
26  org.mozilla.firefox 	0x001b59a8 nsViewManager::UpdateWidgetsForView(nsView*) + 114
27  org.mozilla.firefox 	0x001b55db nsViewManager::GetAbsoluteRect(nsView*, nsRect const&, nsRect&) + 213
28  org.mozilla.firefox 	0x001b7932 nsViewManager::UpdateWidgetArea(nsView*, nsRegion const&, nsView*) + 1506
29  org.mozilla.firefox 	0x00369e30 nsIFrame::InvalidateRoot(nsRect const&, int, int, int) + 104
30  org.mozilla.firefox 	0x005d9e7e ViewportFrame::InvalidateInternal(nsRect const&, int, int, nsIFrame*, int) + 144
31  org.mozilla.firefox 	0x0036a31b nsIFrame::Invalidate(nsRect const&, int) + 121
32  org.mozilla.firefox 	0x005d0d88 nsTreeBodyFrame::GetImageSourceRect(nsStyleContext*, int, imgIContainer*) + 302
33  org.mozilla.firefox 	0x0070613e nsTreeSelection::SelectCallback(nsITimer*, void*) + 492
34  org.mozilla.firefox 	0x00706c15 nsTreeSelection::~nsTreeSelection [in-charge]() + 2383
35  libxpcom_core.dylib 	0x00df3ed1 NS_InvokeByIndex + 81
36  org.mozilla.firefox 	0x0034523e XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) + 738
37  org.mozilla.firefox 	0x00335553 XPC_WN_CallMethod(JSContext*, JSObject*, unsigned, long*, long*) + 261
38  libmozjs.dylib      	0x00d41805 js_Invoke + 790
39  libmozjs.dylib      	0x00d35f2c js_Interpret + 3773
40  libmozjs.dylib      	0x00d41d96 js_Invoke + 2215
41  libmozjs.dylib      	0x00d4225c js_InternalInvoke + 146
42  libmozjs.dylib      	0x00d09e27 JS_CallFunctionValue + 62
43  org.mozilla.firefox 	0x0042338a nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) + 624
44  org.mozilla.firefox 	0x0045d512 nsJSEventListener::~nsJSEventListener [in-charge deleting]() + 570
45  org.mozilla.firefox 	0x00622b99 nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver*, nsIDOMEvent*) + 1539
46  org.mozilla.firefox 	0x00624eae nsXBLMouseEventHandler::EventMatched(nsIDOMEvent*) + 382
47  org.mozilla.firefox 	0x0019288f nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsISupports*, unsigned) + 75
48  org.mozilla.firefox 	0x0019384e nsEventListenerManager::FixContextMenuEvent(nsPresContext*, nsISupports*, nsEvent*, nsIDOMEvent**) + 1462
49  org.mozilla.firefox 	0x003bdf45 nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned) + 129
50  org.mozilla.firefox 	0x003be14b nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned, nsDispatchingCallback*) + 487
51  org.mozilla.firefox 	0x003be9a1 nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) + 747
52  org.mozilla.firefox 	0x001273eb PresShell::HandleEventInternal(nsEvent*, nsIView*, nsEventStatus*) + 289
53  org.mozilla.firefox 	0x00128dea PresShell::RetargetEventToParent(nsGUIEvent*, nsEventStatus*) + 1024
54  org.mozilla.firefox 	0x001b62ef nsViewManager::HandleEvent(nsView*, nsPoint, nsGUIEvent*, int) + 71
55  org.mozilla.firefox 	0x001b8979 nsViewManager::FlushPendingInvalidates() + 1119
56  org.mozilla.firefox 	0x003669b2 nsView::LoadWidget(nsID const&) + 188
57  org.mozilla.firefox 	0x00268a84 nsChildView::~nsChildView [in-charge deleting]() + 2518
58  org.mozilla.firefox 	0x00267788 nsChildView::DispatchWindowEvent(nsGUIEvent&) + 34
59  org.mozilla.firefox 	0x0026a53b nsChildView::~nsChildView [in-charge]() + 5623
60  com.apple.AppKit    	0x93341be1 -[NSWindow sendEvent:] + 7377
61  com.apple.AppKit    	0x93333350 -[NSApplication sendEvent:] + 5023
62  com.apple.AppKit    	0x9325ddfe -[NSApplication run] + 547
63  org.mozilla.firefox 	0x002612e1 nsAppShell::ProcessNextNativeEvent(int) + 519
64  org.mozilla.firefox 	0x002cb70d nsAppStartup::AttemptingQuit(int) + 279
65  org.mozilla.firefox 	0x00006e36 XRE_main + 8100
66  org.mozilla.firefox 	0x00003298 main + 32
67  org.mozilla.firefox 	0x0000321e start + 270
68  org.mozilla.firefox 	0x00003139 start + 41
OS: Windows XP → Mac OS X
Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: xptoolkit.trees → xptoolkit.widgets
smaug, is this stack trace useful?  If it's not, please resolve as WFM or INCO.
Whiteboard: [needs stack evaluated for usefulness - xul trees]
Assignee: Jan.Varga → Olli.Pettay
Group: core-security
Attached patch: patch
Better to keep everything alive when dispatching an event.
Without the patch, self->mSelectTimer = nsnull; may use deleted 'self', I think.

The patch is the safest possible. Better one would be to set mSelectTimer to null
before firing the event, but that'd change the behavior.
Attachment #389876 - Flags: superreview?(roc)
Attachment #389876 - Flags: review?(roc)
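The hazard described in the comment above, as an added example that is not Mozilla's code: a timer callback holds a raw pointer to a selection object, dispatches a "select" event whose listener (script, in Gecko) may release the last reference, and then writes a member of the now-freed object. The names Selection, SelectCallbackUnsafe, SelectCallbackSafe and RunScenario are hypothetical, and std::shared_ptr stands in for XPCOM refcounting; the safe variant shows the "keep everything alive when dispatching" fix by taking a strong reference before the dispatch.

```cpp
// Added example, not Mozilla's code: a minimal model of the
// nsTreeSelection::SelectCallback hazard discussed in this bug.
#include <functional>
#include <memory>

static bool g_selectionAlive = false;   // flipped by the destructor

struct Selection : std::enable_shared_from_this<Selection> {
    bool selectTimerActive = true;      // stands in for mSelectTimer
    Selection()  { g_selectionAlive = true; }
    ~Selection() { g_selectionAlive = false; }
};

using Listener = std::function<void()>;   // script handler for the select event

// Unpatched shape: nothing keeps 'self' alive across the dispatch.
// Returns false at the point where the real code would write through a
// freed object (the check exists only so this model can run safely).
bool SelectCallbackUnsafe(Selection* self, const Listener& onSelect) {
    onSelect();                            // listener may drop the last reference
    if (!g_selectionAlive) return false;   // here self->mSelectTimer = nsnull is a UAF
    self->selectTimerActive = false;
    return true;
}

// Patched shape: hold a strong reference before dispatching, so the object
// outlives the member write no matter what the listener does (the Gecko
// idiom is an nsCOMPtr named kungFuDeathGrip).
bool SelectCallbackSafe(Selection* self, const Listener& onSelect) {
    std::shared_ptr<Selection> kungFuDeathGrip = self->shared_from_this();
    onSelect();
    if (!g_selectionAlive) return false;   // never taken: the grip holds the object
    self->selectTimerActive = false;
    return true;
}

// One constructed scenario: the owner holds the only reference, and the
// select listener releases it while the timer callback is still running.
bool RunScenario(bool patched) {
    auto owner = std::make_shared<Selection>();
    Selection* timerClosure = owner.get();           // raw pointer, as in the timer
    Listener dropsOwner = [&owner]() { owner.reset(); };
    return patched ? SelectCallbackSafe(timerClosure, dropsOwner)
                   : SelectCallbackUnsafe(timerClosure, dropsOwner);
}
```

Without the strong reference the callback reaches the member write after the object is gone; with it, the write lands on a live object and the object is released only when the grip goes out of scope.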
Whiteboard: [needs stack evaluated for usefulness - xul trees]
Attachment #389876 - Flags: superreview?(roc)
Attachment #389876 - Flags: superreview+
Attachment #389876 - Flags: review?(roc)
Attachment #389876 - Flags: review+
The super-review policy changed recently, so this patch needs another review or super-review.
Attachment #389876 - Flags: superreview+ → superreview?(neil)
Attachment #389876 - Flags: superreview?(neil) → superreview+
http://hg.mozilla.org/mozilla-central/rev/3b90acb2c845
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment on attachment 389876 (patch)

Applies to 1.9.1.x and, based on mxr, the same code is on 1.9.0.x too.
Attachment #389876 - Flags: approval1.9.1.9?
Attachment #389876 - Flags: approval1.9.0.19?
Whiteboard: [sg:critical?]
Comment on attachment 389876 (patch)

a=beltzner for 1.9.1.9 and 1.9.0.19
Attachment #389876 - Flags: approval1.9.1.9?
Attachment #389876 - Flags: approval1.9.1.9+
Attachment #389876 - Flags: approval1.9.0.19?
Attachment #389876 - Flags: approval1.9.0.19+
blocking1.9.1: --- → .9+
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.19+
Blocks: 540100
Anything holding back landings here?
Whiteboard: [sg:critical?] → [sg:critical?][needs landing 1.9.0.19][needs landing 1.9.1.9]
Keywords: fixed1.9.0.19
Whiteboard: [sg:critical?][needs landing 1.9.0.19][needs landing 1.9.1.9] → [sg:critical?][needs landing 1.9.1.9]
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/a69868caca4e
Whiteboard: [sg:critical?][needs landing 1.9.1.9] → [sg:critical?]
Is there any way to trigger this issue for verification purposes?
Bug 540100 has the testcase for this.
Using that testcase on OS X here (verified it for Windows with 540100).

Verified fixed in 1.9.0 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.0.19pre) Gecko/2010031204 GranParadiso/3.0.19pre. 

Verified fixed in 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.9pre) Gecko/20100312 Shiretoko/3.5.9pre.
Alias: CVE-2010-0175
Group: core-security
Crash Signature: [@ nsTreeRange::Contains]