Closed Bug 399411 Opened 17 years ago Closed 17 years ago

Crash after touching a scrollbar obtained through getBoxObjectFor(elem).firstChild

Categories

(Core :: Layout, defect)

x86
macOS
defect
Not set
critical

VERIFIED DUPLICATE of bug 364801

People

(Reporter: jruderman, Assigned: roc)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:dupe 364801][dbaron-1.9:Rs])

Attachments

(1 file)

Reloading the testcase triggers:

###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 673

A slightly more complicated testcase makes Firefox crash dereferencing 0xdadadaf6, so this is probably exploitable.

Is the problem that web pages can get at the scrollbar, or that touching the scrollbar causes assertions and crashes? If it's the former, can we prevent web pages from getting at the scrollbar with less drastic measures than fixing bug 340571?

Flags: blocking1.9?
Whiteboard: [sg:critical?]
Flags: blocking1.9? → blocking1.9+
Whiteboard: [sg:critical?] → [sg:critical?][dbaron-1.9:Rs]

There's at least one other way to get at a scrollbar: using event.originalTarget and catching a bubbling mouse event over the scrollbar.

Assignee: nobody → roc

Fixed by the patch in bug 364801. This is basically the same bug, just with another way of getting the scrollbar element.

Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE

Ok. I filed bug 401549 on the getBoxObjectFor part of this bug.

V dup. I no longer get an assertion here now that bug 364801 is fixed.

Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical?][dbaron-1.9:Rs] → [sg:dupe 364801][dbaron-1.9:Rs]
Group: security