Bug 393775 - Crash [@gklayout!nsXULElement::HideWindowChrome]
Status: RESOLVED FIXED
Whiteboard: [sg:nse] null dereference (fixed by b...
Keywords: verified1.8.0.14, verified1.8.1.8
Product: Core
Classification: Components
Component: General
Version: 1.8 Branch
Platform: x86 Windows XP
Importance: -- critical
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
Depends on: CVE-2007-5334
Reported: 2007-08-26 10:57 PDT by Paul Nickerson
Modified: 2007-12-10 17:29 PST
CC: 6 users
Flags: jwalden+bmo: in-testsuite?


Attachments
testcase (381 bytes, text/html), 2007-08-26 10:57 PDT, Paul Nickerson

Description Paul Nickerson 2007-08-26 10:57:07 PDT
Created attachment 278313 [details]
testcase

Firefox version:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070812 BonEcho/2.0.0.6

Details:
eax=00000000 ebx=7ffd4000 ecx=00000000 edx=00000000 esi=00a07920 edi=00011970
eip=01cab6a7 esp=0012e764 ebp=0012e788 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
*** WARNING: Unable to verify checksum for C:\mozilla\mozilla\firefox-debug\dist\bin\components\gklayout.dll
gklayout!nsXULElement::HideWindowChrome+0x97:
01cab6a7 8b11            mov     edx,dword ptr [ecx]  ds:0023:00000000=????????

Disassembly:
gklayout!nsXULElement::HideWindowChrome+0x97:
01cab6a7 8b11            mov     edx,dword ptr [ecx]
01cab6a9 8b45e0          mov     eax,dword ptr [ebp-20h]
01cab6ac 50              push    eax
01cab6ad ff92a8000000    call    dword ptr [edx+0A8h]
01cab6b3 33c0            xor     eax,eax
01cab6b5 8be5            mov     esp,ebp
01cab6b7 5d              pop     ebp
01cab6b8 c20400          ret     4

Stack trace:
gklayout!nsXULElement::HideWindowChrome(
                        int aShouldHide = 1)
gklayout!nsXULElement::SetAttr(
                        int aNamespaceID = 0, 
                        class nsIAtom * aName = 0x0167d608, 
                        class nsIAtom * aPrefix = 0x00000000, 
                        class nsAString_internal * aValue = 0x03603428, 
                        int aNotify = 1)
gklayout!nsGenericElement::SetAttr(
                        int aNameSpaceID = 0, 
                        class nsIAtom * aName = 0x0167d608, 
                        class nsAString_internal * aValue = 0x03603428, 
                        int aNotify = 1)
gklayout!nsGenericElement::SetAttribute(
                        class nsAString_internal * aName = 0x03aa8888, 
                        class nsAString_internal * aValue = 0x03603428)
gklayout!nsXULElement::SetAttribute(
                        class nsAString_internal * name = 0x03aa8888, 
                        class nsAString_internal * value = 0x03603428)
xpcom_core!XPTC_InvokeByIndex(
                        class nsISupports * that = 0x034efb2c, 
                        unsigned int methodIndex = 0x1e, 
                        unsigned int paramCount = 2, 
                        struct nsXPTCVariant * params = 0x0012ea58)
xpc3250!XPCWrappedNative::CallMethod(
                        class XPCCallContext * ccx = 0x0012ebd4, 
                        XPCWrappedNative::CallMode mode = CALL_METHOD (0))
xpc3250!XPC_WN_CallMethod(
                        struct JSContext * cx = 0x032ea350, 
                        struct JSObject * obj = 0x02b27a68, 
                        unsigned int argc = 2, 
                        long * argv = 0x03ac74b8, 
                        long * vp = 0x0012ed34)
js3250!js_Invoke(
                        struct JSContext * cx = 0x032ea350, 
                        unsigned int argc = 2, 
                        unsigned int flags = 0)
js3250!js_Interpret(
                        struct JSContext * cx = 0x032ea350, 
                        unsigned char * pc = 0x0389d5b9 ":", 
                        long * result = 0x0012f880)
js3250!js_Invoke(
                        struct JSContext * cx = 0x032ea350, 
                        unsigned int argc = 1, 
                        unsigned int flags = 2)
js3250!js_InternalInvoke(
                        struct JSContext * cx = 0x032ea350, 
                        struct JSObject * obj = 0x02972b78, 
                        long fval = 43626216, 
                        unsigned int flags = 0, 
                        unsigned int argc = 1, 
                        long * argv = 0x02449b68, 
                        long * rval = 0x0012fa60)
js3250!JS_CallFunctionValue(
                        struct JSContext * cx = 0x032ea350, 
                        struct JSObject * obj = 0x02972b78, 
                        long fval = 43626216, 
                        unsigned int argc = 1, 
                        long * argv = 0x02449b68, 
                        long * rval = 0x0012fa60)
gklayout!nsJSContext::CallEventHandler(
                        struct JSObject * aTarget = 0x02972b78, 
                        struct JSObject * aHandler = 0x0299aee8, 
                        unsigned int argc = 1, 
                        long * argv = 0x02449b68, 
                        long * rval = 0x0012fa60)
gklayout!nsGlobalWindow::RunTimeout(
                        struct nsTimeout * aTimeout = 0x032eae38)
gklayout!nsGlobalWindow::TimerCallback(
                        class nsITimer * aTimer = 0x032eaf08, 
                        void * aClosure = 0x032eae38)
xpcom_core!nsTimerImpl::Fire(void)
xpcom_core!nsTimerManager::FireNextIdleTimer(void)
gkwidget!nsAppShell::Run(void)
tkitcmps!nsAppStartup::Run(void)
Comment 1 Martijn Wargers [:mwargers] (not working for Mozilla) 2007-08-26 11:06:52 PDT
I think this would be fixed by the patch in bug 391043.
However, it still might be that the testcase would crash in chrome://.
However, the testcase doesn't crash in trunk under chrome, so I think the patch for bug 391043 is enough.
Comment 2 Martijn Wargers [:mwargers] (not working for Mozilla) 2007-08-26 11:30:02 PDT
ok, the patch in bug 391043 seems to fix this.
However, on branch, this testcase still crashes when loaded as a top level window with chrome:// privileges, but that doesn't happen on trunk. That's probably not worth investigating further, though. 
Comment 3 Daniel Veditz [:dveditz] 2007-08-29 10:55:14 PDT
This appears to be a null dereference crash; am I missing something about why this is marked as a security bug?
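The classification in comment 3 (a null dereference, hence the [sg:nse] whiteboard tag) can be checked mechanically against the dump in the description: ecx is zero, the faulting `mov edx,dword ptr [ecx]` is the vtable-pointer load of a virtual call, and the `call dword ptr [edx+0A8h]` that follows would have gone through slot 0xA8/4 = 42 of that vtable. The triage script below is an added example for this page, not part of the bug report or of Mozilla's tooling. It parses the WinDbg register dump and disassembly quoted above (embedded as constructed sample input), recomputes the faulting address from the registers, cross-checks it against WinDbg's own `ds:0023:00000000=????????` annotation, and reports the virtual-method slot. It assumes 32-bit Windows with 4-byte pointers, where the low 64 KiB of the address space stay unmapped unless the process maps them itself, which web content cannot make the browser do; on another target substitute that platform's reserved range.

```python
import re

# Constructed sample input: the WinDbg register dump and disassembly quoted
# in the description of this bug (x86, Firefox 2.0.0.6 debug build).
SAMPLE_DUMP = """\
eax=00000000 ebx=7ffd4000 ecx=00000000 edx=00000000 esi=00a07920 edi=00011970
eip=01cab6a7 esp=0012e764 ebp=0012e788 iopl=0         nv up ei pl nz na pe nc
gklayout!nsXULElement::HideWindowChrome+0x97:
01cab6a7 8b11            mov     edx,dword ptr [ecx]  ds:0023:00000000=????????
01cab6a9 8b45e0          mov     eax,dword ptr [ebp-20h]
01cab6ac 50              push    eax
01cab6ad ff92a8000000    call    dword ptr [edx+0A8h]
01cab6b3 33c0            xor     eax,eax
"""

# Assumptions matching this report: 32-bit Windows, 4-byte pointers.  Win32
# leaves the first 64 KiB unmapped unless the process maps it itself (which a
# web page cannot make the browser do), so a read there is a plain null
# dereference rather than a read of attacker-controlled data.
NULL_PAGE_LIMIT = 0x10000
POINTER_SIZE = 4

REG_RE = re.compile(r"\b([a-z]{3})=([0-9a-f]{8})\b")
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(.*?)\s*$")
ANNOT_RE = re.compile(r"\s+[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)$")
MEM_RE = re.compile(r"\[([a-z]{3})(?:([+-])([0-9a-fA-F]+)h?)?\]")


def parse_registers(dump):
    """Map register name -> value for every `reg=hhhhhhhh` pair in the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def parse_instructions(dump):
    """Disassembly lines as dicts.  WinDbg's effective-address annotation
    (`ds:0023:00000000=????????`) is split off; `????????` means the target
    could not be read, i.e. this is the access that faulted."""
    insns = []
    for line in dump.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        addr, mnemonic, operands = m.groups()
        annot = ANNOT_RE.search(operands)
        insns.append({
            "addr": int(addr, 16),
            "mnemonic": mnemonic,
            "operands": operands[:annot.start()] if annot else operands,
            "reported_ea": int(annot.group(1), 16) if annot else None,
            "unreadable": annot is not None and "?" in annot.group(2),
        })
    return insns


def effective_address(operands, regs):
    """Resolve a `[reg]` or `[reg+disp]` memory operand against the registers."""
    m = MEM_RE.search(operands)
    if m is None:
        return None
    disp = int(m.group(3), 16) if m.group(3) else 0
    if m.group(2) == "-":
        disp = -disp
    return (regs[m.group(1)] + disp) & 0xFFFFFFFF


def dest_register(insn):
    """First operand of a two-operand instruction (the register being written)."""
    return insn["operands"].split(",")[0].strip()


def triage(dump):
    """Classify a crash dump.  Returns a dict with:
    fault_ea           address read by the instruction at eip
    ea_matches_windbg  our computation agrees with WinDbg's annotation
    target_unreadable  WinDbg could not read the target (confirms the fault)
    null_deref         the read was inside the never-mapped low 64 KiB
    vtable_slot        if the faulting load feeds a `call [reg+disp]`, the
                       virtual-method slot index disp / sizeof(pointer)
    """
    regs = parse_registers(dump)
    insns = parse_instructions(dump)
    fault = next(i for i in insns if i["addr"] == regs["eip"])
    ea = effective_address(fault["operands"], regs)
    findings = {
        "fault_ea": ea,
        "ea_matches_windbg": ea == fault["reported_ea"],
        "target_unreadable": fault["unreadable"],
        "null_deref": ea is not None and ea < NULL_PAGE_LIMIT,
        "vtable_slot": None,
    }
    # Null `this` pattern: `mov REG,[this]` loads the vtable pointer, and the
    # next call through REG is the virtual method that would have been invoked.
    if fault["mnemonic"] == "mov":
        reg = dest_register(fault)
        idx = insns.index(fault)
        for later in insns[idx + 1 : idx + 8]:
            if later["mnemonic"] == "call":
                m = MEM_RE.search(later["operands"])
                if m and m.group(1) == reg:
                    disp = int(m.group(3), 16) if m.group(3) else 0
                    findings["vtable_slot"] = disp // POINTER_SIZE
                break
            if later["mnemonic"] == "mov" and dest_register(later) == reg:
                break  # vtable pointer clobbered before any call through it
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the dump above this reports fault_ea 0, agreement with WinDbg's annotation, an unreadable target, null_deref True and vtable_slot 42. The slot number is what you would take to the class's vtable layout to confirm which method HideWindowChrome was about to call on the missing object; the null_deref verdict is only as good as the assumption that nothing reachable from the attacker can map the low page in the target process.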
Comment 4 Martijn Wargers [:mwargers] (not working for Mozilla) 2007-08-29 16:09:36 PDT
Bug 391043 is now fixed on branches, so this should be fixed now too.
Comment 5 Carsten Book [:Tomcat] 2007-08-30 10:33:34 PDT
verified fixed 1.8.1.7 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.7pre) Gecko/20070830 BonEcho/2.0.0.7pre ID:2007083003

no crash on testcase - adding verified keyword
Comment 6 Al Billings [:abillings] 2007-12-10 17:29:00 PST
Verified for 1.8.0.14 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.14pre) Gecko/20071210 Firefox/1.5.0.13pre. No crash on testcase though it crashes with FF 1.5.0.12.
Comment 7 Al Billings [:abillings] 2007-12-10 17:29:31 PST
Changing resolution since this is a Branch only bug.
