Closed Bug 400130 Opened 17 years ago Closed 17 years ago

CRASH on function days-from-date() with invalid dates (month zero)

Categories

(Core Graveyard :: XForms, defect)
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ankostis, Assigned: msterlin)

References

Details

(Keywords: fixed1.8.1.12)

Attachments

(2 files, 2 obsolete files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en; rv:1.8.1.6) Gecko/20070802 Firefox/2.0.0.6
Build Identifier: At least till: Firefox 3 GPAlpha8

Function days-from-date() crashes FF when month outside 1-12.

Not tested other possible invalid date values. 

Aaron identified problems in C++ method:
nsSchemaValidatorUtils::GetMonthShorthand

Originally reported into discussion group:
http://groups.google.com/group/mozilla.dev.tech.xforms/browse_thread/thread/764e96d65a66f6c7/2436a5fa4796d16f#2436a5fa4796d16f

Reproducible: Always

Steps to Reproduce:
An XPath expression containing the next function-call would suffice to crash FF:
date('2007-00-01')
(Test case to be attached)
Actual Results:  
CRASH

Expected Results:  
Issue an xforms-compute-event (XForms 1.0-section 4.5.4)
WARNING: Firefox with the XForms add-on will CRASH when you visit this attachment.
Version: unspecified → Trunk
error "Parsing Error: not well-formed" when I load testcase
Attached patch testcase (obsolete) — Splinter Review
Attachment #285211 - Attachment is obsolete: true
Status: UNCONFIRMED → NEW
Ever confirmed: true
stack trace:

 	xpcom_core.dll!nsACString_internal::AssignASCII(const char * data=0x00636544)  Line 370 + 0x9	C++
 	schemval.dll!nsSchemaValidatorUtils::GetMonthShorthand(unsigned char aMonth=0x00, nsACString_internal & aReturn={...})  Line 796	C++
>	schemval.dll!nsSchemaValidator::ValidateBuiltinTypeDate(const nsAString_internal & aValue={...}, __int64 * aResult=0x0012d5e0)  Line 2502 + 0x10	C++
 	xforms.dll!nsXFormsUtils::GetDaysFromDateTime(const nsAString_internal & aValue={...}, int * aDays=0x0012d6b8)  Line 2754 + 0x31	C++
 	xforms.dll!nsXFormsXPathFunctions::DaysFromDate(const nsAString_internal & aDateTime={...}, double * aResult=0x04c68920)  Line 126 + 0xd	C++
 	xpcom_core.dll!NS_InvokeByIndex_P(nsISupports * that=0x04c68aa8, unsigned int methodIndex=0x00000006, unsigned int paramCount=0x00000002, nsXPTCVariant * params=0x04c68910)  Line 102	C++
 	gklayout.dll!txXPCOMExtensionFunctionCall::evaluate(txIEvalContext * aContext=0x0012d924, txAExprResult * * aResult=0x0012d91c)  Line 522 + 0x2e	C++
 	gklayout.dll!nsXPathExpression::EvaluateWithContext(nsIDOMNode * aContextNode=0x04c8f69c, unsigned int aContextPosition=0x00000001, unsigned int aContextSize=0x00000001, unsigned short aType=0x0000, nsISupports * aInResult=0x00000000, nsISupports * * aResult=0x0012d9b0)  Line 149 + 0x41	C++
 	xforms.dll!nsXFormsUtils::EvaluateXPath(nsIXPathEvaluatorInternal * aEvaluator=0x04c90e0c, const nsAString_internal & aExpression={...}, nsIDOMNode * aContextNode=0x04c8f69c, nsIDOMXPathNSResolver * aResolver=0x04c90e98, nsIXFormsXPathState * aState=0x04c90ff0, unsigned short aResultType=0x0000, int aContextPosition=0x00000001, int aContextSize=0x00000001, nsIDOMXPathResult * aInResult=0x00000000, nsIDOMXPathResult * * aResult=0x0012db50)  Line 634 + 0x44	C++
 	xforms.dll!nsXFormsXPathAnalyzer::AnalyzeRecursively(nsIDOMNode * aContextNode=0x04c8f69c, const nsXFormsXPathNode * aNode=0x04c68a00, unsigned int aIndent=0x00000000, int aCollect=0x00000000)  Line 199 + 0x70	C++
 	xforms.dll!nsXFormsXPathAnalyzer::Analyze(nsIDOMNode * aContextNode=0x04c8f69c, const nsXFormsXPathNode * aNode=0x04c689b0, nsIDOMNSXPathExpression * aExpression=0x04c6896c, const nsAString_internal * aExprString=0x0012e3dc, nsCOMArray<nsIDOMNode> * aSet=0x0012e5ac, unsigned int aPosition=0x00000001, unsigned int aSize=0x00000001, int aIncludeRoot=0x00000000)  Line 95 + 0x18	C++
 	xforms.dll!nsXFormsModelElement::ProcessBind(nsIDOMXPathEvaluator * aEvaluator=0x04c90e08, nsIDOMNode * aContextNode=0x04c8f69c, int aContextPosition=0x00000001, int aContextSize=0x00000001, nsIDOMElement * aBindElement=0x04e0bb64, int aIsOuter=0x00000001)  Line 2514 + 0x5d	C++
 	xforms.dll!nsXFormsModelElement::ProcessBindElements()  Line 2061 + 0x57	C++
 	xforms.dll!nsXFormsModelElement::Rebuild()  Line 1070 + 0xb	C++
 	xforms.dll!nsXFormsModelElement::HandleDefault(nsIDOMEvent * aEvent=0x04e0ca00, int * aHandled=0x0012e990)  Line 948 + 0x10	C++
 	gklayout.dll!nsXTFElementWrapper::PostHandleEvent(nsEventChainPostVisitor & aVisitor={...})  Line 874 + 0x17	C++
I guess the problem is nsSchemaValidator::IsValidSchemaDate() returns true for '2007-00-01' date which seems to be invalid.
nsSchemaValidatorUtils::GetMaximumDayInMonthFor(PRUint32 aYearValue, PRUint8 aMonthValue) will return 28 as the maximum day of the month if the month is < 1 or > 12. For a date of '2007-00-01', 01 is <= 28, so IsValidSchemaDate will return true.

Ideally we need the schema validator to be fixed because there is no good way to work around the problem without duplicating all of the date validation code. 
Attached patch patch — Splinter Review
Check for invalid month and day values in ParseSchemaDate.
Attachment #291979 - Flags: review?(doronr)
Attachment #291979 - Flags: review?(doronr) → review+
Attachment #291979 - Flags: review?(Olli.Pettay)
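
An added example, not the Mozilla source or the attached patch: a simplified C++ model of the validation gap described in the comments above (an out-of-range month falling back to a 28-day maximum) next to a range check of the kind the patch summary describes. All names are hypothetical, and the bounds-checked month lookup is an assumption about how a consumer could fail safely rather than trust its caller.

```cpp
#include <cstdio>
#include <string>
// Simplified model with hypothetical names; not the Mozilla source.
struct Date { unsigned year, month, day; };
bool isLeap(unsigned y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

// As described in the bug: an out-of-range month still yields 28.
unsigned maxDayInMonth(unsigned year, unsigned month) {
  if (month == 2) return isLeap(year) ? 29u : 28u;
  if (month == 4 || month == 6 || month == 9 || month == 11) return 30;
  if (month >= 1 && month <= 12) return 31;
  return 28;  // month 0 or 13+ lands here
}

// Parses a bare "YYYY-MM-DD" (no sign or timezone; a subset of xs:date).
bool parseDate(const std::string& s, Date& d) {
  if (s.size() != 10 || s[4] != '-' || s[7] != '-') return false;
  unsigned v[3] = {0, 0, 0};
  for (std::size_t i = 0, f = 0; i < s.size(); ++i) {
    if (i == 4 || i == 7) { ++f; continue; }
    if (s[i] < '0' || s[i] > '9') return false;
    v[f] = v[f] * 10 + unsigned(s[i] - '0');
  }
  d = Date{v[0], v[1], v[2]};
  return true;
}

// Before: only the day's upper bound is checked, so month 0 is accepted.
bool isValidDateWeak(const std::string& s) {
  Date d{};
  return parseDate(s, d) && d.day <= maxDayInMonth(d.year, d.month);
}

// After: month and day values outside their ranges are rejected up front.
bool isValidDateStrict(const std::string& s) {
  Date d{};
  if (!parseDate(s, d) || d.month < 1 || d.month > 12) return false;
  return d.day >= 1 && d.day <= maxDayInMonth(d.year, d.month);
}

// Defence in depth: the name lookup bounds-checks its own argument.
const char* monthShorthand(unsigned month) {
  static const char* const kNames[12] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                         "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
  return (month >= 1 && month <= 12) ? kNames[month - 1] : nullptr;
}

int main() {
  std::printf("weak=%d strict=%d\n", isValidDateWeak("2007-00-01"), isValidDateStrict("2007-00-01"));
}
```
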
Comment on attachment 291979 [details] [diff] [review]
patch

looks ok, even GetMaximumDayInMonthFor() assumes that month can be greater than 12 but per http://www.w3.org/TR/xmlschema-2/#isoformats it seems not a valid date.
Attachment #291979 - Flags: review+
Assignee: nobody → msterlin
Attachment #291979 - Flags: review?(Olli.Pettay) → review+
Blocks: 410239
Attached file testcase2
current testcase is bad xforms.  Uses @ref on xf:bind instead of @nodeset.  Also was applying multiple calculates to the same data node.  This testcase has both of those fixed.
Attachment #285221 - Attachment is obsolete: true
checked into trunk for msterlin
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: xf-to-branch
checked into 1.8 branch for msterlin
Keywords: fixed1.8.1.12
Whiteboard: xf-to-branch
Product: Core → Core Graveyard