Bug 377741 (Closed)
Null pointer dereference in xpcom_core!AtomTableEntry::getAtomString
Opened 17 years ago; closed 12 years ago
Categories: Core :: XPCOM, defect
Status: RESOLVED INCOMPLETE
People: Reporter: msg; Unassigned
Whiteboard: [sg:nse?] keep testcase private
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a3pre) Gecko/20070322 Minefield/3.0a3pre

While fuzzing SVG, a null pointer dereference is triggered in the first 2 min of fuzzing. Stack trace follows:

0012d148 001ff71a xpcom_core!AtomTableEntry::getAtomString+0xd [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 205]
0012d180 001d4a3f xpcom_core!AtomTableMatchKey+0x1a [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 273]
0012d1c0 001d4807 xpcom_core!SearchTable+0x6f [c:\audits\firefox\src021007-nightlysettings\mozilla\obj-i686-pc-cygwin\xpcom\build\pldhash.c @ 421]
0012d1ec 002005f7 xpcom_core!PL_DHashTableOperate+0x127 [c:\audits\firefox\src021007-nightlysettings\mozilla\obj-i686-pc-cygwin\xpcom\build\pldhash.c @ 593]
0012d200 002004a9 xpcom_core!GetAtomHashEntry+0x57 [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 619]
0012d284 00200653 xpcom_core!NS_NewAtom+0x19 [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 701]
0012d2a4 0044461d xpcom_core!NS_NewAtom+0x23 [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 723]
0012d2b0 00bd833e firefox!do_GetAtom+0xd [c:\audits\firefox\src021007-nightlysettings\mozilla\obj-i686-pc-cygwin\dist\include\xpcom\nsiatom.h @ 212]
0012d304 00c4249c firefox!nsEditor::CreateHTMLContent+0xbe [c:\audits\firefox\src021007-nightlysettings\mozilla\editor\libeditor\base\nseditor.cpp @ 5160]
0012d39c 00c3f42b firefox!nsTextEditRules::CreateBogusNodeIfNeeded+0x1cc [c:\audits\firefox\src021007-nightlysettings\mozilla\editor\libeditor\text\nstexteditrules.cpp @ 1312]
0012d3e4 00bc8d0d firefox!nsTextEditRules::AfterEdit+0x11b [c:\audits\firefox\src021007-nightlysettings\mozilla\editor\libeditor\text\nstexteditrules.cpp @ 255]
0012d400 00bb2a9d firefox!nsPlaintextEditor::EndOperation+0x4d [c:\audits\firefox\src021007-nightlysettings\mozilla\editor\libeditor\text\nsplaintexteditor.cpp @ 1729]
0012d410 00bc5d12 firefox!nsAutoRules::~nsAutoRules+0x2d [c:\audits\firefox\src021007-nightlysettings\mozilla\editor\libeditor\base\nseditorutils.h @ 125]
0012d4c8 0080baad firefox!nsPlaintextEditor::DeleteSelection+0x4e2 [c:\audits\firefox\src021007-nightlysettings\mozilla\editor\libeditor\text\nsplaintexteditor.cpp @ 727]
0012d60c 00809639 firefox!nsTextControlFrame::SetValue+0x48d [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\forms\nstextcontrolframe.cpp @ 2700]
0012d61c 00aa154a firefox!nsTextControlFrame::SetFormProperty+0x59 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\forms\nstextcontrolframe.cpp @ 1919]
0012d63c 00aa138d firefox!nsHTMLInputElement::SetValueInternal+0x9a [c:\audits\firefox\src021007-nightlysettings\mozilla\content\html\content\src\nshtmlinputelement.cpp @ 822]
0012d658 002489e7 firefox!nsHTMLInputElement::SetValue+0x8d [c:\audits\firefox\src021007-nightlysettings\mozilla\content\html\content\src\nshtmlinputelement.cpp @ 757]
0012d66c 0052cff8 xpcom_core!NS_InvokeByIndex+0x27 [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 102]
0012d66c 0052cff8 firefox!XPCWrappedNative::CallMethod+0xda8 [c:\audits\firefox\src021007-nightlysettings\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 2215]

Build options:

# Options for client.mk.
mk_add_options MOZ_CO_PROJECT=browser
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-@CONFIG_GUESS@
mk_add_options MOZ_MAKE_FLAGS=-j4
ac_add_options --enable-application=browser
ac_add_options --enable-update-channel=nightly
ac_add_options --enable-optimize="/Zi"
ac_add_options --disable-debug
ac_add_options --disable-tests
ac_add_options --enable-static
ac_add_options --disable-shared
ac_add_options --enable-svg
ac_add_options --enable-canvas
ac_add_options --enable-default-toolkit=cairo-windows
ac_add_options --disable-installer
#ac_add_options --enable-update-packaging

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Attaching fuzzer to bug for reproduction. Please keep locked with Security flag.
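As an added triage example (not code from the bug or from Mozilla), a small Python parser for the WinDbg-style frames quoted above that builds a build-independent crash signature and finds the first caller outside the faulting module. The sample input is the report's own innermost frames; the regex, `Frame` fields and function names are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

class Frame(NamedTuple):
    module: str
    symbol: str
    offset: int
    source: str
    line: int

# One WinDbg "kv"-style frame: child SP, return address, module!symbol+offset, [file @ line]
FRAME_RE = re.compile(
    r"^(?P<sp>[0-9a-fA-F]{8})\s+(?P<ret>[0-9a-fA-F]{8})\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>\S+?)\+0x(?P<off>[0-9a-fA-F]+)\s+"
    r"\[(?P<file>.+?)\s+@\s+(?P<line>\d+)\]\s*$"
)

# Constructed sample: the eight innermost frames of the trace in the report, one per line
SAMPLE_TRACE = r"""
0012d148 001ff71a xpcom_core!AtomTableEntry::getAtomString+0xd [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 205]
0012d180 001d4a3f xpcom_core!AtomTableMatchKey+0x1a [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 273]
0012d1c0 001d4807 xpcom_core!SearchTable+0x6f [c:\audits\firefox\src021007-nightlysettings\mozilla\obj-i686-pc-cygwin\xpcom\build\pldhash.c @ 421]
0012d1ec 002005f7 xpcom_core!PL_DHashTableOperate+0x127 [c:\audits\firefox\src021007-nightlysettings\mozilla\obj-i686-pc-cygwin\xpcom\build\pldhash.c @ 593]
0012d200 002004a9 xpcom_core!GetAtomHashEntry+0x57 [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 619]
0012d284 00200653 xpcom_core!NS_NewAtom+0x19 [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 701]
0012d2a4 0044461d xpcom_core!NS_NewAtom+0x23 [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 723]
0012d2b0 00bd833e firefox!do_GetAtom+0xd [c:\audits\firefox\src021007-nightlysettings\mozilla\obj-i686-pc-cygwin\dist\include\xpcom\nsiatom.h @ 212]
"""

def parse_frame(text: str) -> Optional[Frame]:
    m = FRAME_RE.match(text.strip())
    if m is None:
        return None  # headers, build options and blank lines are skipped, not fatal
    return Frame(m["module"], m["symbol"], int(m["off"], 16), m["file"], int(m["line"]))

def parse_trace(text: str) -> List[Frame]:
    return [f for f in map(parse_frame, text.splitlines()) if f is not None]

def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    # Module!symbol of the top frames only: addresses and offsets differ between
    # nightlies, so dropping them lets the same bug bucket together across builds
    return " <- ".join(f"{f.module}!{f.symbol}" for f in frames[:depth])

def first_caller_outside(frames: List[Frame], module: str) -> Optional[Frame]:
    # First frame in another module than the faulting one: where the bad argument
    # crossed a component boundary, a better audit point than the hash-table plumbing
    return next((f for f in frames if f.module != module), None)
```

For this report the boundary frame is `firefox!do_GetAtom`, which points the triager at the editor's `CreateHTMLContent` call rather than at `pldhash.c`.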
Comment 3•17 years ago
Any chance you can make a reduced testcase for us?
It appears to be a series of actions that causes this to trigger. When performing the last three or so actions the fuzzer does, the A/V does not trigger. It does trigger reliably when the fuzzer runs. The fuzzer is HTML based and should not require much effort to run (un-rar, load html, click start, wait up to 5 min). Best I could do.
Updated•17 years ago
Whiteboard: [sg:nse?] keep testcase private
Comment 5•17 years ago
I didn't crash on a windows debug trunk build (20070402), but the memory use really hammered my machine so maybe I didn't wait long enough for my machine.
Comment 6•12 years ago
This hasn't been touched in five years and was never confirmed. I am going to resolve this as incomplete. If we can get something actionable and it still reproduces in the current code, then please reopen it.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INCOMPLETE
Updated•12 years ago
Group: core-security