Crash [@ nsHTMLEditRules::WillDeleteSelection]

Status: RESOLVED FIXED
Product / Component: Core / Editor
Severity: critical
Reporter: Jesse Ruderman; Assigned: smaug
Blocks: 1 bug; Keywords: crash, testcase
Version: Trunk
Bug Flags: wanted1.9.1+
Whiteboard: [sg:critical?], crash signature
Attachments: 2
Description (Reporter, 10 years ago)
Created attachment 310943 [details]
testcase (crashes Firefox when loaded)

Crashes in nsHTMLEditRules::WillDeleteSelection because leftParent is null and rightParent is not (it is an nsHTMLBodyElement).
(I just tested this on mozilla-central latest-trunk nightly build on WinXP SP3)

Turning security-sensitive and blocking1.9.1? just to be safe as !exploitable shows this to be PROBABLY_EXPLOITABLE.

0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** WARNING: Unable to verify checksum for C:\Documents and Settings\Administrator\Desktop\firefox\js3250.dll
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:105f2668 mov edx,dword ptr [eax]

Basic Block:
    105f2668 mov edx,dword ptr [eax]
       Tainted Input Operands: eax
    105f266a push ecx
    105f266b mov ecx,eax
       Tainted Input Operands: eax
    105f266d call dword ptr [edx+44h]
       Tainted Input Operands: ecx, edx

Exception Hash (Major/Minor): 0x2f222a7a.0x440b1d43

Stack Trace:
xul!nsWSRunObject::GetNextWSNode+0x7f
xul!nsWSRunObject::GetNextWSNode+0x33
xul!nsWSRunObject::GetWSNodes+0x4de
xul!nsWSRunObject::nsWSRunObject+0x7b
xul!nsWSRunObject::PrepareToDeleteRange+0x86
xul!nsHTMLEditRules::WillDeleteSelection+0xf9c
xul!nsHTMLEditRules::WillDoAction+0x266
xul!nsPlaintextEditor::DeleteSelection+0x146
xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x71
xul!nsHTMLEditor::InsertElementAtSelection+0x111
xul!nsInsertTagCommand::DoCommandParams+0x27f
xul!nsControllerCommandTable::DoCommandParams+0x4b
xul!nsBaseCommandController::DoCommandWithParams+0x67
xul!nsCommandManager::DoCommand+0x73
xul!nsHTMLDocument::ExecCommand+0x264
xul!NS_InvokeByIndex_P+0x27
xul!XPCWrappedNative::CallMethod+0x4fb
xul!NS_NewAtom+0x46
xul!nsCOMPtr_base::~nsCOMPtr_base+0xe
xul!nsDocumentSH::NewResolve+0x78
xul!nsHTMLDocumentSH::NewResolve+0x83
xul!XPCCallContext::XPCCallContext+0x118
xul!XPC_WN_CallMethod+0x114
js3250!js_Interpret+0x31d0
xul!XPCWrappedNative::GetNewOrUsed+0x749
xul!XPCConvert::NativeInterface2JSObject+0x193
xul!XPCConvert::NativeInterface2JSObject+0x274
Instruction Address: 0x105f2668

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at xul!nsWSRunObject::GetNextWSNode+0x7f (Hash=0x2f222a7a.0x440b1d43)

The data from the faulting address is later used as the target for a branch.
Group: core-security
Flags: blocking1.9.1?
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [sg:critical?]
Updated (Assignee, 9 years ago)
Assignee: nobody → Olli.Pettay
Comment 2 (Assignee, 9 years ago)
Created attachment 369880 [details] [diff] [review]
null check

Yet another null check fix. This requires the patch for bug 481139.

I'm not quite happy with this fix, since this leaves the ###!!! ASSERTION: bad action nesting!: 'mActionNesting>0' assertion.
But fixing that would require larger changes. Rearchitecting the editor for 1.9.1
doesn't sound like too good an idea.
Peter, any comments?
Attachment #369880 - Flags: superreview?(peterv)
Attachment #369880 - Flags: review?(peterv)
Flags: blocking1.9.1? → wanted1.9.1+
Hmm, if leftParent is null then mHTMLEditor->GetBlockNodeParent(startNode) returned null? What is startNode?
Comment 4 (Assignee, 9 years ago)
startNode is #document.
Attachment #369880 - Flags: superreview?(peterv)
Attachment #369880 - Flags: superreview+
Attachment #369880 - Flags: review?(peterv)
Attachment #369880 - Flags: review+
Comment 5 (Assignee, 9 years ago)
http://hg.mozilla.org/mozilla-central/rev/5d9d6c5d237f
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsHTMLEditRules::WillDeleteSelection]

Updated (3 years ago)
Group: core-security → core-security-release