Closed
Bug 428669
(CVE-2008-1380)
Opened 16 years ago
Closed 16 years ago
Crash testcase for bug 425576
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: moz_bug_r_a4, Unassigned)
References
Details
(Keywords: crash, testcase, verified1.8.1.14, Whiteboard: [sg:critical?] fixed by 425576)
Attachments
(2 files)
I'm filing this bug to attach a testcase for bug 425576, since I'm not sure whether this is an exploitable crash or not. The upcoming testcase is based on the http://www.exblog.jp/ page and bug 425576 comment #38.
Comment 1•16 years ago
This testcase consists of two pages. The cross-origin page B is: http://landfill.bugzilla.org/bugzilla-3.0-branch/attachment.cgi?id=904

Note:
* You need to set the pref security.warn_leaving_secure to false.
* If bfcache is disabled, this testcase is not reproducible.

Steps to reproduce:
1. Load the page A.
2. Click the "Click me!" button.
3. Wait a few seconds.

fx-2.0.0.14pre-2008-04-01-03: crash
fx-2.0.0.14pre-2008-04-02-03: no crash

Here is what happens with this testcase:
1. In the page A, set focus on an input element that has an onblur attribute.
2. Load the cross-origin page B.
3. Unload the page B before the <body> element starts.
4. Firefox tries to compile the onblur event handler of the input element in the page A (which is in bfcache), and fails in JS_CompileUCFunctionForPrincipals. (The Error Console shows this error: Error: uncaught exception: Permission denied to set property EventTarget.addEventListener)
Comment 2•16 years ago
Here's a crash log from 10.5. See also bug 425594 and the attachment in bug 425576. The top of the first thread using this testcase is:

Thread 0 Crashed:
0 libmozjs.dylib 0x00c4dfb7 js_MarkGCThing + 26
1 libmozjs.dylib 0x00c4ee71 js_GC + 1955
2 libmozjs.dylib 0x00c223e5 JS_GC + 50
3 org.mozilla.firefox 0x005014ec nsJSContext::SetGCOnDestruction(int) + 86

Compared to the testcase in bug 425576, which crashes at:

Thread 0 Crashed:
0 libmozjs.dylib 0x00c4ee4e js_GC + 1920
1 libmozjs.dylib 0x00c2240b JS_GC + 88
2 org.mozilla.firefox 0x005042b1 nsJSContext::DOMBranchCallback(JSContext*, JSScript*) + 125
3 libmozjs.dylib 0x00c5bafb js_Interpret + 43126
Updated•16 years ago
Keywords: fixed1.8.1.14
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 425576
Comment 3•16 years ago
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.14) Gecko/2008040413 Firefox/2.0.0.14. This crashes 2.0.0.13 but not 2.0.0.14 as comment 1 says.
Flags: blocking1.8.1.14+
Keywords: fixed1.8.1.14 → verified1.8.1.14
Updated•16 years ago
Alias: CVE-2008-1380
Updated•16 years ago
Group: security
Flags: in-testsuite?
Updated•16 years ago
Keywords: fixed1.8.1.15
Updated•11 years ago
Flags: in-testsuite? → in-testsuite-