Crash [@ nsListBoxBodyFrame::GetAvailableHeight] with fake listboxbody

RESOLVED FIXED

Status

()

--
critical
RESOLVED FIXED
11 years ago
7 years ago

People

(Reporter: jruderman, Assigned: smaug)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Trunk
x86
Mac OS X
crash, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
Created attachment 282056 [details]
testcase (crashes Firefox when loaded)

Loading the testcase crashes Firefox.
(Reporter)

Comment 1

11 years ago
The frame constructor checks for a tag name "listboxbody" without checking for a XUL namespace:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1402#5959

Is that the only problem, or would there still be a way to crash if that were fixed?
That would still be a problem.  You could have "naked" XUL listboxbody like this and it would crash.  You could stick it in a grid with unscrollable overflow, and it would crash.  Etc, etc.

nsListBoxBodyFrame::GetAvailableHeight needs to null-check the return value of nsLayoutUtils::GetScrollableFrameFor like the other callers in that file, imo.
Flags: blocking1.9?
(Reporter)

Updated

11 years ago
Severity: normal → critical
Created attachment 282096 [details] [diff] [review]
null check scrollFrame

Like this. Handling namespaces properly in CSSFC is a different bug.
I noticed there are several cases where namespace should be checked but
it isn't.
Attachment #282096 - Flags: superreview?(bzbarsky)
Attachment #282096 - Flags: review?(bzbarsky)
Attachment #282096 - Flags: superreview?(bzbarsky)
Attachment #282096 - Flags: superreview+
Attachment #282096 - Flags: review?(bzbarsky)
Attachment #282096 - Flags: review+
Attachment #282096 - Flags: approval1.9? → approval1.9+
Assignee: nobody → Olli.Pettay
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Reporter)

Comment 4

11 years ago
Crashtest checked in.
Flags: in-testsuite+

Updated

10 years ago
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ nsListBoxBodyFrame::GetAvailableHeight]
You need to log in before you can comment on or make changes to this bug.