Bug 393775 (Closed)
Opened 17 years ago
Closed 17 years ago
Crash [@gklayout!nsXULElement::HideWindowChrome]
Categories: Core :: General, defect
Status: RESOLVED FIXED
People: Reporter: pvnick, Unassigned
Keywords: verified1.8.0.14, verified1.8.1.8
Whiteboard: [sg:nse] null dereference (fixed by bug 391043)
Attachments (1 file): 381 bytes, text/html
Firefox version:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070812 BonEcho/2.0.0.6
Details:
eax=00000000 ebx=7ffd4000 ecx=00000000 edx=00000000 esi=00a07920 edi=00011970
eip=01cab6a7 esp=0012e764 ebp=0012e788 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** WARNING: Unable to verify checksum for C:\mozilla\mozilla\firefox-debug\dist\bin\components\gklayout.dll
gklayout!nsXULElement::HideWindowChrome+0x97:
01cab6a7 8b11 mov edx,dword ptr [ecx] ds:0023:00000000=????????
Disassembly:
gklayout!nsXULElement::HideWindowChrome+0x97:
01cab6a7 8b11 mov edx,dword ptr [ecx]
01cab6a9 8b45e0 mov eax,dword ptr [ebp-20h]
01cab6ac 50 push eax
01cab6ad ff92a8000000 call dword ptr [edx+0A8h]
01cab6b3 33c0 xor eax,eax
01cab6b5 8be5 mov esp,ebp
01cab6b7 5d pop ebp
01cab6b8 c20400 ret 4
Stack trace:
gklayout!nsXULElement::HideWindowChrome(
int aShouldHide = 1)
gklayout!nsXULElement::SetAttr(
int aNamespaceID = 0,
class nsIAtom * aName = 0x0167d608,
class nsIAtom * aPrefix = 0x00000000,
class nsAString_internal * aValue = 0x03603428,
int aNotify = 1)
gklayout!nsGenericElement::SetAttr(
int aNameSpaceID = 0,
class nsIAtom * aName = 0x0167d608,
class nsAString_internal * aValue = 0x03603428,
int aNotify = 1)
gklayout!nsGenericElement::SetAttribute(
class nsAString_internal * aName = 0x03aa8888,
class nsAString_internal * aValue = 0x03603428)
gklayout!nsXULElement::SetAttribute(
class nsAString_internal * name = 0x03aa8888,
class nsAString_internal * value = 0x03603428)
xpcom_core!XPTC_InvokeByIndex(
class nsISupports * that = 0x034efb2c,
unsigned int methodIndex = 0x1e,
unsigned int paramCount = 2,
struct nsXPTCVariant * params = 0x0012ea58)
xpc3250!XPCWrappedNative::CallMethod(
class XPCCallContext * ccx = 0x0012ebd4,
XPCWrappedNative::CallMode mode = CALL_METHOD (0))
xpc3250!XPC_WN_CallMethod(
struct JSContext * cx = 0x032ea350,
struct JSObject * obj = 0x02b27a68,
unsigned int argc = 2,
long * argv = 0x03ac74b8,
long * vp = 0x0012ed34)
js3250!js_Invoke(
struct JSContext * cx = 0x032ea350,
unsigned int argc = 2,
unsigned int flags = 0)
js3250!js_Interpret(
struct JSContext * cx = 0x032ea350,
unsigned char * pc = 0x0389d5b9 ":",
long * result = 0x0012f880)
js3250!js_Invoke(
struct JSContext * cx = 0x032ea350,
unsigned int argc = 1,
unsigned int flags = 2)
js3250!js_InternalInvoke(
struct JSContext * cx = 0x032ea350,
struct JSObject * obj = 0x02972b78,
long fval = 43626216,
unsigned int flags = 0,
unsigned int argc = 1,
long * argv = 0x02449b68,
long * rval = 0x0012fa60)
js3250!JS_CallFunctionValue(
struct JSContext * cx = 0x032ea350,
struct JSObject * obj = 0x02972b78,
long fval = 43626216,
unsigned int argc = 1,
long * argv = 0x02449b68,
long * rval = 0x0012fa60)
gklayout!nsJSContext::CallEventHandler(
struct JSObject * aTarget = 0x02972b78,
struct JSObject * aHandler = 0x0299aee8,
unsigned int argc = 1,
long * argv = 0x02449b68,
long * rval = 0x0012fa60)
gklayout!nsGlobalWindow::RunTimeout(
struct nsTimeout * aTimeout = 0x032eae38)
gklayout!nsGlobalWindow::TimerCallback(
class nsITimer * aTimer = 0x032eaf08,
void * aClosure = 0x032eae38)
xpcom_core!nsTimerImpl::Fire(void)
xpcom_core!nsTimerManager::FireNextIdleTimer(void)
gkwidget!nsAppShell::Run(void)
tkitcmps!nsAppStartup::Run(void)
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.13?
Comment 1•17 years ago
I think this would be fixed by the patch in bug 391043.
However, it still might be that the testcase would crash in chrome://.
However, the testcase doesn't crash in trunk under chrome, so I think the patch for bug 391043 is enough.
Depends on: CVE-2007-5334
Comment 2•17 years ago
OK, the patch in bug 391043 seems to fix this.
However, on branch, this testcase still crashes when loaded as a top level window with chrome:// privileges, but that doesn't happen on trunk. That's probably not worth investigating further, though.
Comment 3•17 years ago
This appears to be a null dereference crash, am I missing something about why this is marked as a security bug?
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.13?
Whiteboard: [sg:nse] null dereference
Comment 4•17 years ago
Bug 391043 is now fixed on branches, so this should be fixed now too.
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.0.14, fixed1.8.1.7
Resolution: --- → FIXED
Comment 5•17 years ago
Verified fixed 1.8.1.7 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.7pre) Gecko/20070830 BonEcho/2.0.0.7pre ID:2007083003
No crash on testcase; adding verified keyword.
Keywords: fixed1.8.1.7 → verified1.8.1.7
Updated•17 years ago
Whiteboard: [sg:nse] null dereference → [sg:nse] null dereference (fixed by bug 391043)
Updated•17 years ago
Group: security
Updated•17 years ago
Flags: in-testsuite?
Comment 6•17 years ago
Verified for 1.8.0.14 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.14pre) Gecko/20071210 Firefox/1.5.0.13pre. No crash on testcase though it crashes with FF 1.5.0.12.
Keywords: fixed1.8.0.14 → verified1.8.0.14
Comment 7•17 years ago
Changing resolution since this is a Branch only bug.