Closed
Bug 397304
Opened 17 years ago
Closed 17 years ago
Crash [@ nsListBoxBodyFrame::GetAvailableHeight] with fake listboxbody
Categories
(Core :: XUL, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: smaug)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(2 files)
87 bytes, text/html
1.43 KB, patch (bzbarsky: review+, bzbarsky: superreview+, roc: approval1.9+)
Loading the testcase crashes Firefox.
Comment 1 • 17 years ago (Reporter)
The frame constructor checks for a tag name "listboxbody" without checking for a XUL namespace:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1402#5959
Is that the only problem, or would there still be a way to crash if that were fixed?
Comment 2 • 17 years ago
That would still be a problem. You could have "naked" XUL listboxbody like this and it would crash. You could stick it in a grid with unscrollable overflow, and it would crash. Etc, etc.
nsListBoxBodyFrame::GetAvailableHeight needs to null-check the return value of nsLayoutUtils::GetScrollableFrameFor like the other callers in that file, imo.
Flags: blocking1.9?
Updated • 17 years ago (Reporter)
Severity: normal → critical
Comment 3 • 17 years ago (Assignee)
Like this. Handling namespaces properly in CSSFC is a different bug.
I noticed there are several cases where namespace should be checked but
it isn't.
Attachment #282096 - Flags: superreview?(bzbarsky)
Attachment #282096 - Flags: review?(bzbarsky)
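The two checks discussed in comments 1 and 2, as an added C++ example that is not part of this bug thread, the attached patch, or Mozilla's code. `Element`, `Frame`, `scrollable_ancestor` and `available_height` are simplified stand-ins assumed for illustration, and the sample inputs are constructed.

```cpp
#include <cstdio>
#include <string>

// Simplified stand-ins (assumptions), not Gecko's real classes.
struct Element { std::string ns, localName; };
struct Frame {
    Frame* parent = nullptr;
    bool scrollable = false;
    int height = 0;
};

const std::string kXulNs =
    "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul";
const std::string kXhtmlNs = "http://www.w3.org/1999/xhtml";

// Tag-name-only match: any element called "listboxbody" qualifies.
bool is_listboxbody_name_only(const Element& e) {
    return e.localName == "listboxbody";
}

// Namespace-aware match: only the XUL element qualifies.
bool is_listboxbody(const Element& e) {
    return e.ns == kXulNs && e.localName == "listboxbody";
}

// Models a lookup that returns null when no ancestor frame scrolls.
Frame* scrollable_ancestor(Frame* f) {
    for (Frame* p = f ? f->parent : nullptr; p; p = p->parent)
        if (p->scrollable) return p;
    return nullptr;
}

// Null-checked query. Returning 0 without a scrollable ancestor is
// this example's choice, not taken from the attached patch.
int available_height(Frame* body) {
    Frame* scroll = scrollable_ancestor(body);
    return scroll ? scroll->height : 0;
}

int main() {
    Element fake{kXhtmlNs, "listboxbody"};  // constructed sample input
    std::printf("name-only: %d, namespace-aware: %d\n",
                is_listboxbody_name_only(fake), is_listboxbody(fake));
    Frame naked;  // "naked" body frame: no scrollable ancestor at all
    std::printf("naked height: %d\n", available_height(&naked));
    return 0;
}
```

The namespace check alone does not cover a real XUL listboxbody with no scrollable ancestor, which is why the null check is modeled separately.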
Updated • 17 years ago
Attachment #282096 - Flags: superreview?(bzbarsky)
Attachment #282096 - Flags: superreview+
Attachment #282096 - Flags: review?(bzbarsky)
Attachment #282096 - Flags: review+
Updated • 17 years ago (Assignee)
Attachment #282096 - Flags: approval1.9?
Attachment #282096 - Flags: approval1.9? → approval1.9+
Updated • 17 years ago (Assignee)
Assignee: nobody → Olli.Pettay
Updated • 17 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated • 17 years ago (Assignee)
Flags: blocking1.9?
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Updated • 13 years ago
Crash Signature: [@ nsListBoxBodyFrame::GetAvailableHeight]