Closed
Bug 399411
Opened 17 years ago
Closed 17 years ago
Crash after touching a scrollbar obtained through getBoxObjectFor(elem).firstChild
Categories
(Core :: Layout, defect)
VERIFIED
DUPLICATE
of bug 364801
People
(Reporter: jruderman, Assigned: roc)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [sg:dupe 364801][dbaron-1.9:Rs])
Attachments
(1 file)
309 bytes,
text/html
Reloading the testcase triggers:

###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 673

A slightly more complicated testcase makes Firefox crash dereferencing 0xdadadaf6, so this is probably exploitable.

Is the problem that web pages can get at the scrollbar, or that touching the scrollbar causes assertions and crashes? If it's the former, can we prevent web pages from getting at the scrollbar with less drastic measures than fixing bug 340571?
Flags: blocking1.9?
Reporter | ||
Updated•17 years ago
Whiteboard: [sg:critical?]
Assignee | ||
Updated•17 years ago
Flags: blocking1.9? → blocking1.9+
Whiteboard: [sg:critical?] → [sg:critical?][dbaron-1.9:Rs]
Assignee | ||
Comment 1•17 years ago
There's at least one other way to get at a scrollbar: using event.originalTarget and catching a bubbling mouse event over the scrollbar.
Assignee: nobody → roc
Assignee | ||
Comment 2•17 years ago
Fixed by the patch in bug 364801. This is basically the same bug, just with another way of getting the scrollbar element.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Reporter | ||
Comment 3•17 years ago
Ok. I filed bug 401549 on the getBoxObjectFor part of this bug.
Reporter | ||
Comment 4•17 years ago
V dup. I no longer get an assertion here now that bug 364801 is fixed.
Status: RESOLVED → VERIFIED
Updated•17 years ago
Whiteboard: [sg:critical?][dbaron-1.9:Rs] → [sg:dupe 364801][dbaron-1.9:Rs]
Updated•16 years ago
Group: security