Bug 400130 - CRASH on function days-from-date() with invalid dates (month zero)
: fixed1.8.1.12
Product: Core Graveyard
Classification: Graveyard
Component: XForms
: Trunk
: All All
-- critical
: ---
Assigned To: Merle Sterling
Depends on:
Blocks: 410239
Reported: 2007-10-17 02:58 PDT by Kostis Anagnostopoulos
Modified: 2016-07-15 14:46 PDT
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

Sample of the days-from-date() function with invalid date that CRASHES FF (1010 bytes, application/xml)
2007-10-17 03:05 PDT, Kostis Anagnostopoulos
no flags
testcase (1013 bytes, patch)
2007-10-17 04:33 PDT, alexander :surkov
no flags
patch (1.74 KB, patch)
2007-12-06 17:11 PST, Merle Sterling
doronr: review+
bugs: review+
surkov.alexander: review+
testcase2 (1.51 KB, application/xhtml+xml)
2008-01-07 12:31 PST, aaronr
no flags

Description Kostis Anagnostopoulos 2007-10-17 02:58:20 PDT
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en; rv: Gecko/20070802 Firefox/
Build Identifier: At least till: Firefox 3 GPAlpha8

Function days-from-date() crashes FF when the month is outside 1-12.

Not tested other possible invalid date values. 

Aaron identified problems in C++ method:

Originally reported in the discussion group:

Reproducible: Always

Steps to Reproduce:
An XPath expression containing the next function-call would suffice to crash FF:
(Test case to be attached)
Actual Results:  

Expected Results:  
Issue an xforms-compute-event (XForms 1.0, section 4.5.4)
Comment 1 Kostis Anagnostopoulos 2007-10-17 03:05:47 PDT
Created attachment 285211
Sample of the days-from-date() function with invalid date that CRASHES FF

WARNING: Firefox with the XForms add-on will CRASH when you visit this attachment.
Comment 2 alexander :surkov 2007-10-17 04:30:14 PDT
error "Parsing Error: not well-formed" when I load testcase
Comment 3 alexander :surkov 2007-10-17 04:33:12 PDT
Created attachment 285221
Comment 4 alexander :surkov 2007-10-17 04:46:20 PDT
stack trace:

 	xpcom_core.dll!nsACString_internal::AssignASCII(const char * data=0x00636544)  Line 370 + 0x9	C++
 	schemval.dll!nsSchemaValidatorUtils::GetMonthShorthand(unsigned char aMonth=0x00, nsACString_internal & aReturn={...})  Line 796	C++
>	schemval.dll!nsSchemaValidator::ValidateBuiltinTypeDate(const nsAString_internal & aValue={...}, __int64 * aResult=0x0012d5e0)  Line 2502 + 0x10	C++
 	xforms.dll!nsXFormsUtils::GetDaysFromDateTime(const nsAString_internal & aValue={...}, int * aDays=0x0012d6b8)  Line 2754 + 0x31	C++
 	xforms.dll!nsXFormsXPathFunctions::DaysFromDate(const nsAString_internal & aDateTime={...}, double * aResult=0x04c68920)  Line 126 + 0xd	C++
 	xpcom_core.dll!NS_InvokeByIndex_P(nsISupports * that=0x04c68aa8, unsigned int methodIndex=0x00000006, unsigned int paramCount=0x00000002, nsXPTCVariant * params=0x04c68910)  Line 102	C++
 	gklayout.dll!txXPCOMExtensionFunctionCall::evaluate(txIEvalContext * aContext=0x0012d924, txAExprResult * * aResult=0x0012d91c)  Line 522 + 0x2e	C++
 	gklayout.dll!nsXPathExpression::EvaluateWithContext(nsIDOMNode * aContextNode=0x04c8f69c, unsigned int aContextPosition=0x00000001, unsigned int aContextSize=0x00000001, unsigned short aType=0x0000, nsISupports * aInResult=0x00000000, nsISupports * * aResult=0x0012d9b0)  Line 149 + 0x41	C++
 	xforms.dll!nsXFormsUtils::EvaluateXPath(nsIXPathEvaluatorInternal * aEvaluator=0x04c90e0c, const nsAString_internal & aExpression={...}, nsIDOMNode * aContextNode=0x04c8f69c, nsIDOMXPathNSResolver * aResolver=0x04c90e98, nsIXFormsXPathState * aState=0x04c90ff0, unsigned short aResultType=0x0000, int aContextPosition=0x00000001, int aContextSize=0x00000001, nsIDOMXPathResult * aInResult=0x00000000, nsIDOMXPathResult * * aResult=0x0012db50)  Line 634 + 0x44	C++
 	xforms.dll!nsXFormsXPathAnalyzer::AnalyzeRecursively(nsIDOMNode * aContextNode=0x04c8f69c, const nsXFormsXPathNode * aNode=0x04c68a00, unsigned int aIndent=0x00000000, int aCollect=0x00000000)  Line 199 + 0x70	C++
 	xforms.dll!nsXFormsXPathAnalyzer::Analyze(nsIDOMNode * aContextNode=0x04c8f69c, const nsXFormsXPathNode * aNode=0x04c689b0, nsIDOMNSXPathExpression * aExpression=0x04c6896c, const nsAString_internal * aExprString=0x0012e3dc, nsCOMArray<nsIDOMNode> * aSet=0x0012e5ac, unsigned int aPosition=0x00000001, unsigned int aSize=0x00000001, int aIncludeRoot=0x00000000)  Line 95 + 0x18	C++
 	xforms.dll!nsXFormsModelElement::ProcessBind(nsIDOMXPathEvaluator * aEvaluator=0x04c90e08, nsIDOMNode * aContextNode=0x04c8f69c, int aContextPosition=0x00000001, int aContextSize=0x00000001, nsIDOMElement * aBindElement=0x04e0bb64, int aIsOuter=0x00000001)  Line 2514 + 0x5d	C++
 	xforms.dll!nsXFormsModelElement::ProcessBindElements()  Line 2061 + 0x57	C++
 	xforms.dll!nsXFormsModelElement::Rebuild()  Line 1070 + 0xb	C++
 	xforms.dll!nsXFormsModelElement::HandleDefault(nsIDOMEvent * aEvent=0x04e0ca00, int * aHandled=0x0012e990)  Line 948 + 0x10	C++
 	gklayout.dll!nsXTFElementWrapper::PostHandleEvent(nsEventChainPostVisitor & aVisitor={...})  Line 874 + 0x17	C++
Comment 5 alexander :surkov 2007-10-17 04:47:37 PDT
I guess the problem is nsSchemaValidator::IsValidSchemaDate() returns true for '2007-00-01' date which seems to be invalid.
Comment 6 Merle Sterling 2007-12-04 18:58:54 PST
nsSchemaValidatorUtils::GetMaximumDayInMonthFor(PRUint32 aYearValue, PRUint8 aMonthValue) will return 28 as the maximum day of the month if the month is < 1 or > 12. For a date of '2007-00-01', 01 is <= 28, so IsValidSchemaDate will return true.

Ideally we need the schema validator to be fixed because there is no good way to work around the problem without duplicating all of the date validation code. 
Comment 7 Merle Sterling 2007-12-06 17:11:17 PST
Created attachment 291979

Check for invalid month and day values in ParseSchemaDate.
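
The validation gap described in comments 5 and 6, next to the kind of range check comment 7 describes, as an added C++ illustration that is not part of the bug thread or of the attached patch. All function names are hypothetical, simplified models of the routines named in the thread, and the checked month lookup is an assumed defence-in-depth measure.

```cpp
// Added illustration; simplified model, not Mozilla source. All names are hypothetical.
#include <cstdint>
#include <cstdio>

static bool IsLeapYear(uint32_t y) {
  return (y % 4 == 0 && y % 100 != 0) || (y % 400 == 0);
}

// Models the behaviour described in comment 6: an out-of-range month
// falls through to 28 instead of being reported as an error.
static uint8_t MaxDayInMonthModel(uint32_t year, uint8_t month) {
  switch (month) {
    case 1: case 3: case 5: case 7: case 8: case 10: case 12: return 31;
    case 4: case 6: case 9: case 11: return 30;
    case 2: return IsLeapYear(year) ? 29 : 28;
    default: return 28;
  }
}

// Before: only the upper bound on the day is checked, so 2007-00-01 passes.
bool IsValidDateBefore(uint32_t y, uint8_t m, uint8_t d) {
  return d <= MaxDayInMonthModel(y, m);
}

// After: month and day ranges are rejected before the per-month comparison.
bool IsValidDateAfter(uint32_t y, uint8_t m, uint8_t d) {
  if (m < 1 || m > 12 || d < 1) return false;
  return d <= MaxDayInMonthModel(y, m);
}

// Assumed defence in depth for a month-keyed lookup: refuse the value
// rather than index a table with it.
const char* MonthShorthandChecked(uint8_t m) {
  static const char* const kNames[12] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                         "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
  return (m >= 1 && m <= 12) ? kNames[m - 1] : nullptr;
}

int main() {
  // Constructed inputs; 2007-00-01 is the date quoted in comment 5.
  std::printf("before 2007-00-01: %d\n", IsValidDateBefore(2007, 0, 1));
  std::printf("after  2007-00-01: %d\n", IsValidDateAfter(2007, 0, 1));
  std::printf("after  2008-02-29: %d\n", IsValidDateAfter(2008, 2, 29));
  const char* name = MonthShorthandChecked(0);
  std::printf("shorthand(0): %s\n", name ? name : "(rejected)");
  return 0;
}
```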
Comment 8 alexander :surkov 2007-12-09 03:09:08 PST
Comment on attachment 291979

looks ok, even GetMaximumDayInMonthFor() assumes that month can be greater than 12 but per it seems not valid date.
Comment 9 aaronr 2008-01-07 12:31:06 PST
Created attachment 295821

current testcase is bad xforms.  Uses @ref on xf:bind instead of @nodeset.  Also was applying multiple calculates to the same data node.  This testcase has both of those fixed.
Comment 10 aaronr 2008-01-07 12:49:12 PST
checked into trunk for msterlin
Comment 11 aaronr 2008-01-08 19:04:20 PST
checked into 1.8 branch for msterlin