38431 - Crash when visiting URL (bogus value for 'target')

Status: VERIFIED DUPLICATE of bug 29917

(Core :: DOM: Core & HTML, defect, P3)

Description

[Blake Ross]

Build ID: 2000050608

Click "Hot New Site...Check it out!!!"

Result:

MOZILLA caused an invalid page fault in
module JS3250.DLL at 0167:60ae171a.
Registers:
EAX=028dce10 CS=0167 EIP=60ae171a EFLGS=00010246
EBX=028dce10 SS=016f ESP=0068f4e0 EBP=0068f4ec
ECX=0068f574 DS=016f ESI=00000000 FS=10c7
EDX=00000000 ES=016f EDI=00000000 GS=0000
Bytes at CS:EIP:
f6 46 18 01 75 67 8b 46 1c 8b 04 85 dc e8 b0 60 
Stack dump:
00000000 02667200 028dce10 0068f508 60ad7203 02667200 028dce10 00000000 
00000000 00000000 0068f550 60ad71b0 02667200 028dce10 00000000 0068002a 

Talkback data sent.  Incident ID is TB10034211H

This a dup of a more general bug?

Comment 1

[John Morrison]

The link has the following HTML

   <A HREF="http://www.mozilla.org/" target=*_blank*>Click this

Notice that the value of target is *_blank* (i.e., asterisks instead of "")

Comment 2

[John Morrison]

Attachment: testcase; bogus value of 'target' in A HREF leads to crash

Comment 3

[Blake Ross]

Thanks for narrowing down the problem, John.  In that case, this appears to be 
a dup.  Looks to me like bug 35063 and bug 29917 are the same, so marking dup 
of 29917 since it's older.

*** This bug has been marked as a duplicate of 29917 ***

Comment 4

[Blake Ross]

Perhaps 29917 should be extended to include this instance?  It seems to only 
deal with crashes that result in targets containing forward slashes, and I 
didn't see any comments that suggested that other invalid targets could crash 
also (or does 35063 cover this?)

Comment 5

[John Morrison]

verified dup (but jst might want to take bug #29917 from mccabe if the fix
for the crash should be in DOM code).