Closed Bug 397304 Opened 16 years ago Closed 16 years ago

Crash [@ nsListBoxBodyFrame::GetAvailableHeight] with fake listboxbody

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: smaug)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

testcase (crashes Firefox when loaded) 16 years ago Jesse Ruderman 87 bytes, text/html		Details
null check scrollFrame 16 years ago Olli Pettay [:smaug][bugs@pettay.fi] 1.43 KB, patch	bzbarsky : review+ bzbarsky : superreview+ roc : approval1.9+	Details \| Diff \| Splinter Review

Jesse Ruderman

Reporter

Description

•

16 years ago

Attached file testcase (crashes Firefox when loaded) — Details

Loading the testcase crashes Firefox.

Jesse Ruderman

Reporter

Comment 1

•

16 years ago

The frame constructor checks for a tag name "listboxbody" without checking for a XUL namespace:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1402#5959

Is that the only problem, or would there still be a way to crash if that were fixed?

Boris Zbarsky [:bzbarsky]

Comment 2

•

16 years ago

That would still be a problem.  You could have "naked" XUL listboxbody like this and it would crash.  You could stick it in a grid with unscrollable overflow, and it would crash.  Etc, etc.

nsListBoxBodyFrame::GetAvailableHeight needs to null-check the return value of nsLayoutUtils::GetScrollableFrameFor like the other callers in that file, imo.

Flags: blocking1.9?

Jesse Ruderman

Reporter

Updated

•

16 years ago

Severity: normal → critical

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Comment 3

•

16 years ago

Attached patch null check scrollFrame — Details — Splinter Review

Like this. Handling namespaces properly in CSSFC is a different bug.
I noticed there are several cases where namespace should be checked but
it isn't.

Attachment #282096 - Flags: superreview?(bzbarsky)

Attachment #282096 - Flags: review?(bzbarsky)

Boris Zbarsky [:bzbarsky]

Updated

•

16 years ago

Attachment #282096 - Flags: superreview?(bzbarsky)

Attachment #282096 - Flags: superreview+

Attachment #282096 - Flags: review?(bzbarsky)

Attachment #282096 - Flags: review+

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Updated

•

16 years ago

Attachment #282096 - Flags: approval1.9?

Robert O'Callahan (:roc) (email my personal email if necessary)

Updated

•

16 years ago

Attachment #282096 - Flags: approval1.9? → approval1.9+

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Updated

•

16 years ago

Assignee: nobody → Olli.Pettay

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Updated

•

16 years ago

Status: NEW → RESOLVED

Closed: 16 years ago

Resolution: --- → FIXED

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Updated

•

16 years ago

Flags: blocking1.9?

Jesse Ruderman

Reporter

Comment 4

•

16 years ago

Crashtest checked in.

Flags: in-testsuite+

timeless

Updated

•

16 years ago

Component: XP Toolkit/Widgets: XUL → XUL

QA Contact: xptoolkit.xul → xptoolkit.widgets

Nobody; OK to take it and work on it

Updated

•

13 years ago

Crash Signature: [@ nsListBoxBodyFrame::GetAvailableHeight]

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Crash [@ nsListBoxBodyFrame::GetAvailableHeight] with fake listboxbody

Categories

(Core :: XUL, defect)

Tracking

()

People

(Reporter: jruderman, Assigned: smaug)

References

Details

(Keywords: crash, testcase)

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Comment 2

Updated

Comment 3

Updated

Updated

Updated

Updated

Updated

Updated

Comment 4

Updated

Updated