Closed Bug 393682 Opened 17 years ago Closed 17 years ago

data:application/x-xpinstall;... url will crash firefox in nsInstallTrigger::HandleContent(), dereferencing referringURI when it is null

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
normal

Tracking

VERIFIED DUPLICATE of bug 393309

People

(Reporter: moco, Unassigned)

Details

data:application/x-xpinstall;... url will crash firefox in nsInstallTrigger::HandleContent(), dereferencing referringURI when it is null

Steps to reproduce:

In Firefox, click on the following URL:

data:application/x-xpinstall;base64,[base64 payload omitted]

Here's a stack to the crash:

>	xpinstal.dll!nsInstallTrigger::HandleContent(const char * aContentType=0x0d086f90, nsIInterfaceRequestor * aWindowContext=0x29aefe28, nsIRequest * aRequest=0x0d086f00)  Line 212 + 0x25 bytes	C++
 	docshell.dll!nsDocumentOpenInfo::DispatchContent(nsIRequest * request=0x0d086f00, nsISupports * aCtxt=0x00000000)  Line 500 + 0x47 bytes	C++
 	docshell.dll!nsDocumentOpenInfo::OnStartRequest(nsIRequest * request=0x0d086f00, nsISupports * aCtxt=0x00000000)  Line 280 + 0x10 bytes	C++
 	necko.dll!nsBaseChannel::OnStartRequest(nsIRequest * request=0x0a6ac040, nsISupports * ctxt=0x00000000)  Line 604 + 0x46 bytes	C++
 	necko.dll!nsInputStreamPump::OnStateStart()  Line 439 + 0x2c bytes	C++
 	necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x09c0d0c0)  Line 395 + 0xb bytes	C++
 	xpcom_core.dll!nsInputStreamReadyEvent::Run()  Line 112	C++
 	xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fa00)  Line 491	C++
 	xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00bce7e8, int mayWait=1)  Line 227 + 0x16 bytes	C++
 	gkwidget.dll!nsBaseAppShell::Run()  Line 154 + 0xc bytes	C++
 	tkitcmps.dll!nsAppStartup::Run()  Line 170 + 0x1c bytes	C++
 	xul.dll!XRE_main(int argc=3, char * * argv=0x00bc9660, const nsXREAppData * aAppData=0x00bc9a50)  Line 3069 + 0x25 bytes	C++
 	firefox.exe!main(int argc=3, char * * argv=0x00bc9660)  Line 153 + 0x12 bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	firefox.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!7c816fd7() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]
Dupe of/related to bug 393309?
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Steve and Dave: thanks for pointing me at that dup. Verifying.
Status: RESOLVED → VERIFIED
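
Added example (not Mozilla's code and not part of the original report): a simplified model of the failure class named in the summary, where a content handler dereferences the referring URI of a request that has none, shown beside a checked version. The types `Uri`, `Request` and `Decision`, the allow-list, and the choice to block when no referrer exists are all assumptions for illustration; this page does not show the actual fix.

```cpp
#include <set>
#include <string>

// Simplified stand-ins (assumptions), not Mozilla's nsIURI / nsIRequest.
struct Uri { std::string host; };
struct Request {
    std::string contentType;
    const Uri* referrer;  // null when the load has no referring page
};

enum class Decision { NotHandled, Blocked, Prompt };

// Hypothetical allow-list of hosts permitted to trigger an install prompt.
static const std::set<std::string> kAllowedHosts = {"addons.example.org"};

// "Before": assumes every install request carries a referrer.
// A request with referrer == nullptr is dereferenced here and crashes.
Decision handleContentUnchecked(const Request& req) {
    if (req.contentType != "application/x-xpinstall") return Decision::NotHandled;
    return kAllowedHosts.count(req.referrer->host) ? Decision::Prompt
                                                   : Decision::Blocked;
}

// "After": a missing referrer is treated as ordinary input and takes the
// least-privileged path (assumed policy) instead of being dereferenced.
Decision handleContentChecked(const Request& req) {
    if (req.contentType != "application/x-xpinstall") return Decision::NotHandled;
    if (req.referrer == nullptr) return Decision::Blocked;
    return kAllowedHosts.count(req.referrer->host) ? Decision::Prompt
                                                   : Decision::Blocked;
}

int main() {
    Uri trusted{"addons.example.org"};                        // constructed sample
    Request fromPage{"application/x-xpinstall", &trusted};
    Request noReferrer{"application/x-xpinstall", nullptr};  // constructed sample
    bool ok = handleContentChecked(fromPage) == Decision::Prompt &&
              handleContentChecked(noReferrer) == Decision::Blocked;
    return ok ? 0 : 1;
}
```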