Bug 400130 - CRASH on function days-from-date() with invalid dates (month zero)
Status: RESOLVED FIXED
Keywords: fixed1.8.1.12
Product: Core Graveyard
Classification: Graveyard
Component: XForms
Version: Trunk
Hardware: All All
Importance: -- critical
Target Milestone: ---
Assigned To: Merle Sterling
Blocks: 410239
Reported: 2007-10-17 02:58 PDT by Kostis Anagnostopoulos
Modified: 2016-07-15 14:46 PDT


Attachments
Sample of the days-from-date() function with invalid date that CRASHES FF (1010 bytes, application/xml)
2007-10-17 03:05 PDT, Kostis Anagnostopoulos
no flags
testcase (1013 bytes, patch)
2007-10-17 04:33 PDT, alexander :surkov
no flags
patch (1.74 KB, patch)
2007-12-06 17:11 PST, Merle Sterling
doronr: review+
bugs: review+
surkov.alexander: review+
testcase2 (1.51 KB, application/xhtml+xml)
2008-01-07 12:31 PST, aaronr
no flags

Description Kostis Anagnostopoulos 2007-10-17 02:58:20 PDT
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en; rv:1.8.1.6) Gecko/20070802 Firefox/2.0.0.6
Build Identifier: At least till: Firefox 3 GPAlpha8

Function days-from-date() crashes FF when month is outside 1-12.

Have not tested other possible invalid date values.

Aaron identified problems in C++ method:
nsSchemaValidatorUtils::GetMonthShorthand

Originally reported in discussion group:
http://groups.google.com/group/mozilla.dev.tech.xforms/browse_thread/thread/764e96d65a66f6c7/2436a5fa4796d16f#2436a5fa4796d16f

Reproducible: Always

Steps to Reproduce:
An XPath expression containing the following function call would suffice to crash FF:
date('2007-00-01')
(Test case to be attached)
Actual Results:  
CRASH

Expected Results:  
Issue an xforms-compute-event (XForms 1.0, section 4.5.4)
Comment 1 Kostis Anagnostopoulos 2007-10-17 03:05:47 PDT
Created attachment 285211
Sample of the days-from-date() function with invalid date that CRASHES FF

WARNING: Firefox with the XForms add-on will CRASH when you visit this attachment.
Comment 2 alexander :surkov 2007-10-17 04:30:14 PDT
error "Parsing Error: not well-formed" when I load testcase
Comment 3 alexander :surkov 2007-10-17 04:33:12 PDT
Created attachment 285221
testcase
Comment 4 alexander :surkov 2007-10-17 04:46:20 PDT
stack trace:

 	xpcom_core.dll!nsACString_internal::AssignASCII(const char * data=0x00636544)  Line 370 + 0x9	C++
 	schemval.dll!nsSchemaValidatorUtils::GetMonthShorthand(unsigned char aMonth=0x00, nsACString_internal & aReturn={...})  Line 796	C++
>	schemval.dll!nsSchemaValidator::ValidateBuiltinTypeDate(const nsAString_internal & aValue={...}, __int64 * aResult=0x0012d5e0)  Line 2502 + 0x10	C++
 	xforms.dll!nsXFormsUtils::GetDaysFromDateTime(const nsAString_internal & aValue={...}, int * aDays=0x0012d6b8)  Line 2754 + 0x31	C++
 	xforms.dll!nsXFormsXPathFunctions::DaysFromDate(const nsAString_internal & aDateTime={...}, double * aResult=0x04c68920)  Line 126 + 0xd	C++
 	xpcom_core.dll!NS_InvokeByIndex_P(nsISupports * that=0x04c68aa8, unsigned int methodIndex=0x00000006, unsigned int paramCount=0x00000002, nsXPTCVariant * params=0x04c68910)  Line 102	C++
 	gklayout.dll!txXPCOMExtensionFunctionCall::evaluate(txIEvalContext * aContext=0x0012d924, txAExprResult * * aResult=0x0012d91c)  Line 522 + 0x2e	C++
 	gklayout.dll!nsXPathExpression::EvaluateWithContext(nsIDOMNode * aContextNode=0x04c8f69c, unsigned int aContextPosition=0x00000001, unsigned int aContextSize=0x00000001, unsigned short aType=0x0000, nsISupports * aInResult=0x00000000, nsISupports * * aResult=0x0012d9b0)  Line 149 + 0x41	C++
 	xforms.dll!nsXFormsUtils::EvaluateXPath(nsIXPathEvaluatorInternal * aEvaluator=0x04c90e0c, const nsAString_internal & aExpression={...}, nsIDOMNode * aContextNode=0x04c8f69c, nsIDOMXPathNSResolver * aResolver=0x04c90e98, nsIXFormsXPathState * aState=0x04c90ff0, unsigned short aResultType=0x0000, int aContextPosition=0x00000001, int aContextSize=0x00000001, nsIDOMXPathResult * aInResult=0x00000000, nsIDOMXPathResult * * aResult=0x0012db50)  Line 634 + 0x44	C++
 	xforms.dll!nsXFormsXPathAnalyzer::AnalyzeRecursively(nsIDOMNode * aContextNode=0x04c8f69c, const nsXFormsXPathNode * aNode=0x04c68a00, unsigned int aIndent=0x00000000, int aCollect=0x00000000)  Line 199 + 0x70	C++
 	xforms.dll!nsXFormsXPathAnalyzer::Analyze(nsIDOMNode * aContextNode=0x04c8f69c, const nsXFormsXPathNode * aNode=0x04c689b0, nsIDOMNSXPathExpression * aExpression=0x04c6896c, const nsAString_internal * aExprString=0x0012e3dc, nsCOMArray<nsIDOMNode> * aSet=0x0012e5ac, unsigned int aPosition=0x00000001, unsigned int aSize=0x00000001, int aIncludeRoot=0x00000000)  Line 95 + 0x18	C++
 	xforms.dll!nsXFormsModelElement::ProcessBind(nsIDOMXPathEvaluator * aEvaluator=0x04c90e08, nsIDOMNode * aContextNode=0x04c8f69c, int aContextPosition=0x00000001, int aContextSize=0x00000001, nsIDOMElement * aBindElement=0x04e0bb64, int aIsOuter=0x00000001)  Line 2514 + 0x5d	C++
 	xforms.dll!nsXFormsModelElement::ProcessBindElements()  Line 2061 + 0x57	C++
 	xforms.dll!nsXFormsModelElement::Rebuild()  Line 1070 + 0xb	C++
 	xforms.dll!nsXFormsModelElement::HandleDefault(nsIDOMEvent * aEvent=0x04e0ca00, int * aHandled=0x0012e990)  Line 948 + 0x10	C++
 	gklayout.dll!nsXTFElementWrapper::PostHandleEvent(nsEventChainPostVisitor & aVisitor={...})  Line 874 + 0x17	C++
Comment 5 alexander :surkov 2007-10-17 04:47:37 PDT
I guess the problem is nsSchemaValidator::IsValidSchemaDate() returns true for '2007-00-01' date which seems to be invalid.
Comment 6 Merle Sterling 2007-12-04 18:58:54 PST
nsSchemaValidatorUtils::GetMaximumDayInMonthFor(PRUint32 aYearValue, PRUint8 aMonthValue) will return 28 as the maximum day of the month if the month is < 1 or > 12. For a date of '2007-00-01', 01 is <= 28, so IsValidSchemaDate will return true.

Ideally we need the schema validator to be fixed because there is no good way to work around the problem without duplicating all of the date validation code. 
Comment 7 Merle Sterling 2007-12-06 17:11:17 PST
Created attachment 291979
patch

Check for invalid month and day values in ParseSchemaDate.
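
A minimal model of the validation gap described in comments 5 and 6 and of the kind of range check comment 7 describes, given here as an added example; it is not the attached patch or Mozilla's code, and every function name in it (MaxDayLenient, ParseDate, IsValidDateLenient, IsValidDateStrict, MonthShorthand) is hypothetical. The input '2007-00-01' is the one from the report.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
// Model of comment 6 (not Mozilla's code): a month outside 1-12 yields 28, not an error.
unsigned MaxDayLenient(unsigned year, unsigned month) {
  bool leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
  switch (month) {
    case 1: case 3: case 5: case 7: case 8: case 10: case 12: return 31;
    case 4: case 6: case 9: case 11: return 30;
    case 2: return leap ? 29 : 28;
    default: return 28;  // month 0 or 13 ends up here
  }
}

// Splits a fixed-width "YYYY-MM-DD" string; syntax only, no range checks.
bool ParseDate(const std::string& s, unsigned& y, unsigned& m, unsigned& d) {
  if (s.size() != 10 || s[4] != '-' || s[7] != '-') return false;
  for (std::size_t i = 0; i < s.size(); ++i)
    if (i != 4 && i != 7 && !std::isdigit(static_cast<unsigned char>(s[i]))) return false;
  y = static_cast<unsigned>(std::stoul(s.substr(0, 4)));
  m = static_cast<unsigned>(std::stoul(s.substr(5, 2)));
  d = static_cast<unsigned>(std::stoul(s.substr(8, 2)));
  return true;
}

// Flawed check: only compares the day against the lenient maximum.
bool IsValidDateLenient(const std::string& s) {
  unsigned y, m, d;
  return ParseDate(s, y, m, d) && d <= MaxDayLenient(y, m);
}

// Hardened check: reject month and day range errors before any lookup.
bool IsValidDateStrict(const std::string& s) {
  unsigned y, m, d;
  if (!ParseDate(s, y, m, d) || m < 1 || m > 12) return false;
  return d >= 1 && d <= MaxDayLenient(y, m);
}

// Defence in depth: a month-name lookup that refuses out-of-range input.
const char* MonthShorthand(unsigned month) {
  static const char* const kNames[12] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                         "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
  return (month >= 1 && month <= 12) ? kNames[month - 1] : nullptr;
}

int main() {
  bool lenient = IsValidDateLenient("2007-00-01");
  std::printf("lenient=%d strict=%d\n", lenient, IsValidDateStrict("2007-00-01"));
}
```

Validating at parse time keeps the out-of-range month from ever reaching a consumer such as a month-name lookup, and the guarded lookup fails closed if some other caller skips validation.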
Comment 8 alexander :surkov 2007-12-09 03:09:08 PST
Comment on attachment 291979
patch

looks ok; GetMaximumDayInMonthFor() even assumes that the month can be greater than 12, but per http://www.w3.org/TR/xmlschema-2/#isoformats that seems not to be a valid date.
Comment 9 aaronr 2008-01-07 12:31:06 PST
Created attachment 295821
testcase2

current testcase is bad xforms.  Uses @ref on xf:bind instead of @nodeset.  Also was applying multiple calculates to the same data node.  This testcase has both of those fixed.
Comment 10 aaronr 2008-01-07 12:49:12 PST
checked into trunk for msterlin
Comment 11 aaronr 2008-01-08 19:04:20 PST
checked into 1.8 branch for msterlin
