crashes when loading chrome urls

RESOLVED FIXED

Status

()

RESOLVED FIXED
12 years ago
12 years ago

People

(Reporter: bernd_mozilla, Assigned: kaie)

Tracking

(4 keywords)

unspecified
x86
Windows XP
crash, fixed1.8.0.13, testcase, verified1.8.1.5
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
(probably a dupe..)
see url

not all of them crash but chrome://pippki/content/editcacert.xul does with a recent debug build

the stack looks like 

 	
 	nspr4.dll!PR_Assert(const char * s=0x059fa5fc, const char * file=0x059fa5c8, int ln=565)  Zeile 546	C
 	nss3.dll!PL_Base64DecodeBuffer(const char * src=0x0401a368, unsigned int srclen=0, unsigned char * dest=0x00000000, unsigned int maxdestlen=0, unsigned int * output_destlen=0x0012e180)  Zeile 565 + 0x1d Bytes	C
>	nss3.dll!NSSBase64_DecodeBuffer(PLArenaPool * arenaOpt=0x00000000, SECItemStr * outItemOpt=0x0012e1c4, const char * inStr=0x0401a368, unsigned int inLen=0)  Zeile 769 + 0x1c Bytes	C
 	pipnss.dll!nsNSSCertificateDB::FindCertByDBKey(const char * aDBkey=0x0401a368, nsISupports * aToken=0x00000000, nsIX509Cert * * _cert=0x0012e388)  Zeile 147 + 0x1c Bytes	C++
 	xpcom_core.dll!NS_InvokeByIndex_P(nsISupports * that=0x0012e30c, unsigned int methodIndex=1238256, unsigned int paramCount=20803777, nsXPTCVariant * params=0x04a5e638)  Zeile 102	C++
 	xpc3250.dll!AutoJSSuspendRequest::SuspendRequest()  Zeile 3235 + 0xd Bytes	C++
 	xpc3250.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx={...}, XPCWrappedNative::CallMode mode=CALL_METHOD)  Zeile 2247 + 0x1e Bytes	C++
 	xpc3250.dll!XPC_WN_CallMethod(JSContext * cx=0x03e6c9f8, JSObject * obj=0x049a75c0, unsigned int argc=2, long * argv=0x04ab5084, long * vp=0x0012e610)  Zeile 1464 + 0xe Bytes	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x03e6c9f8, unsigned int argc=2, unsigned int flags=0)  Zeile 1332 + 0x20 Bytes	C
 	js3250.dll!js_Interpret(JSContext * cx=0x03e6c9f8, unsigned char * pc=0x04037e99, long * result=0x0012ecbc)  Zeile 4011 + 0xf Bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=0x03e6c9f8, unsigned int argc=1, unsigned int flags=2)  Zeile 1351 + 0x13 Bytes	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x03e6c9f8, JSObject * obj=0x04007dc0, long fval=75997056, unsigned int flags=0, unsigned int argc=1, long * argv=0x04ab4fb8, long * rval=0x0012ee38)  Zeile 1426 + 0x14 Bytes	C
 	js3250.dll!JS_CallFunctionValue(JSContext * cx=0x03e6c9f8, JSObject * obj=0x04007dc0, long fval=75997056, unsigned int argc=1, long * argv=0x04ab4fb8, long * rval=0x0012ee38)  Zeile 4404 + 0x1f Bytes	C
 	gklayout.dll!nsJSContext::CallEventHandler(nsISupports * aTarget=0x048b9d5c, void * aScope=0x04007dc0, void * aHandler=0x04879f80, nsIArray * aargv=0x04a5d898, nsIVariant * * arv=0x0012efa8)  Zeile 1795 + 0x24 Bytes	C++
NSS is correctly detecting a programming error in the code that called it.
That's what's supposed to happen in debug builds.
In this case, the caller is nsNSSCertificateDB::FindCertByDBKey, which 
is calling NSSBase64_DecodeBuffer with a zero-length buffer.
Assignee: nobody → kengert
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: libraries → psm
(Assignee)

Comment 2

12 years ago
To some extent this bug depends on bug 346583, because NSSBase64_DecodeBuffer should fail gracefully when called with a zero length buffer.

However, the PSM function should get fixed, too, because it does not check a NULL error result from NSSBase64_DecodeBuffer and tries to process the result anyway...

And while I'm adding the check for a null return value, I'm also adding the check for a zero length input, because it might take a while until PSM is able to pick up the NSS fix from bug 346583.
Status: NEW → ASSIGNED
Depends on: 346583
(Assignee)

Comment 3

12 years ago
Created attachment 264102 [details] [diff] [review]
Patch v1
Attachment #264102 - Flags: review?(rrelyea)

Comment 4

12 years ago
Comment on attachment 264102 [details] [diff] [review]
Patch v1

r+ good paranoic programming.
Attachment #264102 - Flags: review?(rrelyea) → review+
(Assignee)

Comment 5

12 years ago
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Comment 6

12 years ago
Comment on attachment 264102 [details] [diff] [review]
Patch v1

Nominating crash fix for stable branches.
Attachment #264102 - Flags: approval1.8.1.5?
Attachment #264102 - Flags: approval1.8.0.13?

Updated

12 years ago
Flags: in-testsuite?
Comment on attachment 264102 [details] [diff] [review]
Patch v1

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Attachment #264102 - Flags: approval1.8.1.5?
Attachment #264102 - Flags: approval1.8.1.5+
Attachment #264102 - Flags: approval1.8.0.13?
Attachment #264102 - Flags: approval1.8.0.13+
(Assignee)

Comment 8

12 years ago
Checked in to 1.8 branch for 1.8.1.5
Keywords: fixed1.8.1.5
(Assignee)

Comment 9

12 years ago
Checked in to 1.8.0 branch for 1.8.0.13
Keywords: fixed1.8.0.13
i didn`t crash when i use this url chrome://pippki/content/editcacert.xul

But when i select some checkboxes and press ok i crash on 1.8.1.5pre TB33742229Z

Is this a new bug ? 
verified fixed 1.8.1.5 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.5pre) Gecko/2007071103 BonEcho/2.0.0.5pre and the chrome url chrome://pippki/content/editcacert.xul 

No crash on this url - adding verified keyword.

For the crash on the chrome://pippki/content/editcacert.xul site (comment #10) i filed Bug 387613
Keywords: fixed1.8.1.5 → verified1.8.1.5
i crash loading the testcase url in Thunderbird 1.5.0.13 - filed Bug 392208
You need to log in before you can comment on or make changes to this bug.