Closed Bug 397304 Opened 17 years ago Closed 17 years ago

Crash [@ nsListBoxBodyFrame::GetAvailableHeight] with fake listboxbody

Categories

(Core :: XUL, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: smaug)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

Loading the testcase crashes Firefox.
The frame constructor checks for a tag name "listboxbody" without checking for a XUL namespace: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1402#5959 Is that the only problem, or would there still be a way to crash if that were fixed?
That would still be a problem. You could have "naked" XUL listboxbody like this and it would crash. You could stick it in a grid with unscrollable overflow, and it would crash. Etc, etc. nsListBoxBodyFrame::GetAvailableHeight needs to null-check the return value of nsLayoutUtils::GetScrollableFrameFor like the other callers in that file, imo.
Flags: blocking1.9?
Severity: normal → critical
Like this. Handling namespaces properly in CSSFC is a different bug. I noticed there are several cases where namespace should be checked but it isn't.
Attachment #282096 - Flags: superreview?(bzbarsky)
Attachment #282096 - Flags: review?(bzbarsky)
Attachment #282096 - Flags: superreview?(bzbarsky)
Attachment #282096 - Flags: superreview+
Attachment #282096 - Flags: review?(bzbarsky)
Attachment #282096 - Flags: review+
Attachment #282096 - Flags: approval1.9?
Assignee: nobody → Olli.Pettay
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: blocking1.9?
Crashtest checked in.
Flags: in-testsuite+
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ nsListBoxBodyFrame::GetAvailableHeight]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: