Null pointer dereference in xpcom_core!AtomTableEntry::getAtomString

Status: RESOLVED INCOMPLETE
Product: Core
Component: XPCOM
Reported: 11 years ago
Modified: 6 years ago

People

(Reporter: lsg-mtso, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse?] keep testcase private)

Description (Reporter, 11 years ago)
User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a3pre) Gecko/20070322 Minefield/3.0a3pre

While fuzzing SVG, a null pointer dereference is triggered within the first 2 minutes of fuzzing. Stack trace follows:

0012d148 001ff71a xpcom_core!AtomTableEntry::getAtomString+0xd [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 205]
0012d180 001d4a3f xpcom_core!AtomTableMatchKey+0x1a [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 273]
0012d1c0 001d4807 xpcom_core!SearchTable+0x6f [c:\audits\firefox\src021007-nightlysettings\mozilla\obj-i686-pc-cygwin\xpcom\build\pldhash.c @ 421]
0012d1ec 002005f7 xpcom_core!PL_DHashTableOperate+0x127 [c:\audits\firefox\src021007-nightlysettings\mozilla\obj-i686-pc-cygwin\xpcom\build\pldhash.c @ 593]
0012d200 002004a9 xpcom_core!GetAtomHashEntry+0x57 [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 619]
0012d284 00200653 xpcom_core!NS_NewAtom+0x19 [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 701]
0012d2a4 0044461d xpcom_core!NS_NewAtom+0x23 [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\ds\nsatomtable.cpp @ 723]
0012d2b0 00bd833e firefox!do_GetAtom+0xd [c:\audits\firefox\src021007-nightlysettings\mozilla\obj-i686-pc-cygwin\dist\include\xpcom\nsiatom.h @ 212]
0012d304 00c4249c firefox!nsEditor::CreateHTMLContent+0xbe [c:\audits\firefox\src021007-nightlysettings\mozilla\editor\libeditor\base\nseditor.cpp @ 5160]
0012d39c 00c3f42b firefox!nsTextEditRules::CreateBogusNodeIfNeeded+0x1cc [c:\audits\firefox\src021007-nightlysettings\mozilla\editor\libeditor\text\nstexteditrules.cpp @ 1312]
0012d3e4 00bc8d0d firefox!nsTextEditRules::AfterEdit+0x11b [c:\audits\firefox\src021007-nightlysettings\mozilla\editor\libeditor\text\nstexteditrules.cpp @ 255]
0012d400 00bb2a9d firefox!nsPlaintextEditor::EndOperation+0x4d [c:\audits\firefox\src021007-nightlysettings\mozilla\editor\libeditor\text\nsplaintexteditor.cpp @ 1729]
0012d410 00bc5d12 firefox!nsAutoRules::~nsAutoRules+0x2d [c:\audits\firefox\src021007-nightlysettings\mozilla\editor\libeditor\base\nseditorutils.h @ 125]
0012d4c8 0080baad firefox!nsPlaintextEditor::DeleteSelection+0x4e2 [c:\audits\firefox\src021007-nightlysettings\mozilla\editor\libeditor\text\nsplaintexteditor.cpp @ 727]
0012d60c 00809639 firefox!nsTextControlFrame::SetValue+0x48d [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\forms\nstextcontrolframe.cpp @ 2700]
0012d61c 00aa154a firefox!nsTextControlFrame::SetFormProperty+0x59 [c:\audits\firefox\src021007-nightlysettings\mozilla\layout\forms\nstextcontrolframe.cpp @ 1919]
0012d63c 00aa138d firefox!nsHTMLInputElement::SetValueInternal+0x9a [c:\audits\firefox\src021007-nightlysettings\mozilla\content\html\content\src\nshtmlinputelement.cpp @ 822]
0012d658 002489e7 firefox!nsHTMLInputElement::SetValue+0x8d [c:\audits\firefox\src021007-nightlysettings\mozilla\content\html\content\src\nshtmlinputelement.cpp @ 757]
0012d66c 0052cff8 xpcom_core!NS_InvokeByIndex+0x27 [c:\audits\firefox\src021007-nightlysettings\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 102]
0012d66c 0052cff8 firefox!XPCWrappedNative::CallMethod+0xda8 [c:\audits\firefox\src021007-nightlysettings\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 2215]

Build options:

# Options for client.mk.
mk_add_options MOZ_CO_PROJECT=browser
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-@CONFIG_GUESS@
mk_add_options MOZ_MAKE_FLAGS=-j4

ac_add_options --enable-application=browser
ac_add_options --enable-update-channel=nightly
ac_add_options --enable-optimize="/Zi"
ac_add_options --disable-debug
ac_add_options --disable-tests
ac_add_options --enable-static
ac_add_options --disable-shared
ac_add_options --enable-svg
ac_add_options --enable-canvas
ac_add_options --enable-default-toolkit=cairo-windows
ac_add_options --disable-installer
#ac_add_options --enable-update-packaging
Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Attaching fuzzer to bug for reproduction. Please keep locked with Security flag.

Comment 3 (11 years ago)

Any chance you can make a reduced testcase for us?
Comment 4 (Reporter, 11 years ago)

It appears to be a series of actions that causes this to trigger. When performing only the last three or so actions the fuzzer does, the A/V does not trigger. It does trigger reliably when the fuzzer runs. The fuzzer is HTML based and should not require much effort to run (un-rar, load the HTML, click start, wait up to 5 min). Best I could do.
Whiteboard: [sg:nse?] keep testcase private
I didn't crash on a windows debug trunk build (20070402), but the memory use really hammered my machine so maybe I didn't wait long enough for my machine.
This hasn't been touched in five years and was never confirmed. I am going to resolve this as incomplete.

If we can get something actionable and it still reproduces in the current code, then please reopen it.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INCOMPLETE
Group: core-security