Closed
Bug 384037
Opened 17 years ago
Closed 15 years ago
Crash [@ nsIFrame::IsBoxFrame] with <xul:splitter>
Categories
(Core :: XUL, defect)
Core
XUL
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: roc)
References
Details
(Keywords: crash, testcase, verified1.9.1, Whiteboard: [sg:dos] null deref)
Crash Data
Attachments
(2 files)
218 bytes,
application/xhtml+xml
|
Details | |
13.21 KB,
patch
|
dbaron
:
review+
dbaron
:
superreview+
benjamin
:
approval1.9.1+
|
Details | Diff | Splinter Review |
No description provided.
Reporter | ||
Updated•17 years ago
|
Severity: normal → critical
Comment 1•17 years ago
|
||
The cause of this problem is that nsFrameNavigator::GetChildBeforeAfter assumes that the parent is a box frame, but this assumption is not true in this case (it isn't even a XUL frame). Perhaps if mParent is null we can just return nsnull from nsFrameNavigator::GetChildBeforeAfter?
Summary: Crash [@ nsIFrame::IsBoxFrame] with <xul:splitter> → [@ nsIFrame::IsBoxFrame] with <xul:splitter>
Updated•17 years ago
|
Summary: [@ nsIFrame::IsBoxFrame] with <xul:splitter> → Crash [@ nsIFrame::IsBoxFrame] with <xul:splitter>
Assignee | ||
Comment 2•17 years ago
|
||
Seems to me that nsFrameNavigator should just use nsIFrame* everywhere. There is nothing box-specific about it.
Comment 3•17 years ago
|
||
I think we should actually just add an early return in nsSplitterFrame::UpdateState (and maybe a couple other places) if mParentBox is null. A splitter can't really work anyway without a box parent and box siblings b because of the dependencies on box layout and box attributes. (It seems kind of weird to me that the splitter code is messing around with attributes on random content nodes, though; it could have very odd effects in some cases. Probably something to consider changing for XUL2.) We should also probably get rid of nsFrameNavigator; it's only used in nsSplitterFrame, and all the functions can easily be written in one line using nsFrameList (a couple more if you care about whether the frames are boxes).
Reporter | ||
Comment 4•17 years ago
|
||
Still crashes [@ nsIFrame::IsBoxFrame] on trunk.
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Comment 5•15 years ago
|
||
(I tested this on latest-trunk mozilla-central nightly build on WinXP SP3) Turning security-sensitive and nominating blocking1.9.1? just-in-case, due to !exploitable PROBABLY_EXPLOITABLE result. 0:000> !exploitable -v HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception Exception Faulting Address: 0x0 First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Read Access Violation Faulting Instruction:1013b3d0 mov eax,dword ptr [esi] Basic Block: 1013b3d0 mov eax,dword ptr [esi] Tainted Input Operands: esi 1013b3d2 mov edx,dword ptr [eax+128h] Tainted Input Operands: eax 1013b3d8 push 100h 1013b3dd mov ecx,esi Tainted Input Operands: esi 1013b3df call edx Tainted Input Operands: ecx, edx Exception Hash (Major/Minor): 0x48565475.0x5e0f3b47 Stack Trace: xul!nsIFrame::GetChildBox+0x0 xul!nsFrameNavigator::IndexOf+0xd xul!nsFrameNavigator::GetChildBeforeAfter+0x14 xul!nsSplitterFrameInner::UpdateState+0x11cf64 xul!nsSplitterFrame::DoLayout+0x1f xul!nsBoxFrame::Reflow+0x113 xul!nsLineLayout::ReflowFrame+0x8fa xul!nsBlockFrame::ReflowInlineFrame+0x31 xul!nsBlockFrame::DoReflowInlineFrames+0x1a6 xul!nsBlockFrame::ReflowInlineFrames+0x188 xul!nsBlockFrame::ReflowLine+0x74 xul!nsBlockFrame::ReflowDirtyLines+0x171 xul!nsBlockFrame::Reflow+0x1e2 xul!nsBlockReflowContext::ReflowBlock+0xd4 xul!nsBlockFrame::ReflowBlockFrame+0x43d xul!nsBlockFrame::ReflowLine+0x15d xul!nsBlockFrame::ReflowDirtyLines+0x171 xul!nsBlockFrame::Reflow+0x1e2 xul!nsContainerFrame::ReflowChild+0x6c xul!CanvasFrame::Reflow+0x11c xul!nsContainerFrame::ReflowChild+0x6c xul!nsHTMLScrollFrame::ReflowScrolledFrame+0x19a xul!nsHTMLScrollFrame::ReflowContents+0x7b xul!nsHTMLScrollFrame::Reflow+0x1d9 xul!nsContainerFrame::ReflowChild+0x6c xul!ViewportFrame::Reflow+0x11c xul!PresShell::DoReflow+0x249 xul!PresShell::ProcessReflowCommands+0x11e xul!PresShell::DoFlushPendingNotifications+0x12f xul!PresShell::ReflowEvent::Run+0x37 xul!nsThread::ProcessNextEvent+0x213 xul!nsBaseAppShell::Run+0x4a xul!nsAppStartup::Run+0x1e xul!XRE_main+0xcb9 Unknown Instruction Address: 0x1013b3d0 Description: Data from Faulting Address controls Code Flow Short Description: TaintedDataControlsCodeFlow Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at xul!nsIFrame::GetChildBox+0x0 (Hash=0x48565475.0x5e0f3b47) The data from the faulting address is later used as the target for a branch.
Group: core-security
Flags: blocking1.9.1?
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [sg:critical?]
Assignee | ||
Updated•15 years ago
|
Assignee: nobody → roc
Assignee | ||
Comment 6•15 years ago
|
||
This is more or less what Eli suggested. Gets rid of nsFrameNavigator. Replaces its usage with nsFrameList. Sprinkles a few IsBoxFrame checks so that we bail out if our sibling or parent is not a XUL box. FWIW this bug is a pure null deref, as far as I can tell, so the "!exploitable" tool is not giving us a good assessment here.
Attachment #370174 -
Flags: superreview?(dbaron)
Attachment #370174 -
Flags: review?(dbaron)
Assignee | ||
Updated•15 years ago
|
Whiteboard: [sg:critical?] → [needs review]
Assignee | ||
Updated•15 years ago
|
Flags: blocking1.9.1? → wanted1.9.1+
Comment on attachment 370174 [details] [diff] [review] fix r+sr=dbaron; sorry for the delay. This was simpler than I'd expected it to be.
Attachment #370174 -
Flags: superreview?(dbaron)
Attachment #370174 -
Flags: superreview+
Attachment #370174 -
Flags: review?(dbaron)
Attachment #370174 -
Flags: review+
Assignee | ||
Comment 8•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/d56efd447561
Group: core-security
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [needs review]
Assignee | ||
Updated•15 years ago
|
Attachment #370174 -
Flags: approval1.9.1?
Comment 9•15 years ago
|
||
1.9.0 and 1.9.1 !exploitable report: PROBABLY_EXPLOITABLE: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!nsIFrame::IsBoxFrame
Flags: blocking1.9.0.11?
Updated•15 years ago
|
Flags: blocking1.9.0.11? → wanted1.9.0.x+
Whiteboard: [sg:dos] null deref
Updated•15 years ago
|
Attachment #370174 -
Flags: approval1.9.1? → approval1.9.1+
Assignee | ||
Updated•15 years ago
|
Whiteboard: [sg:dos] null deref → [sg:dos] null deref [needs 191 landing]
Assignee | ||
Comment 10•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/dec49167c08c
Keywords: fixed1.9.1
Whiteboard: [sg:dos] null deref [needs 191 landing] → [sg:dos] null deref
Comment 11•15 years ago
|
||
This caused a regression: see bug 491323
Comment 12•15 years ago
|
||
Verified fixed on the 1.9.1 branch using: ->Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1pre) Gecko/20090522 Shiretoko/3.5pre ->Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090522 Shiretoko/3.5pre ->Win Vista equivalent nightly
Keywords: fixed1.9.1 → verified1.9.1
Updated•13 years ago
|
Crash Signature: [@ nsIFrame::IsBoxFrame]
You need to log in
before you can comment on or make changes to this bug.
Description
•