Bug 428669 (CVE-2008-1380)

Crash testcase for bug 425576

Component: JavaScript Engine
(Reporter: moz_bug_r_a4, Unassigned)
Keywords: crash, testcase, verified1.8.1.14
Version: 1.8 Branch
OS: Windows XP
Bug Flags:
blocking1.8.1.14 +
in-testsuite -
(Whiteboard: [sg:critical?] fixed by 425576)
(2 attachments)



10 years ago
I'm filing this bug to attach a testcase for bug 425576, since I'm not sure
whether this is an exploitable crash or not.

Upcoming testcase is based on http://www.exblog.jp/ page and bug 425576 comment

Comment 1

10 years ago
Created attachment 315278 [details]
testcase - page A

This testcase consists of two pages.  Cross origin page B is:

* You need to set pref security.warn_leaving_secure to false.
* If bfcache is disabled, this testcase is not reproducible.

Steps to reproduce:
1. Load the page A.
2. Click "Click me!" button.
3. Wait a few seconds.

fx- crash
fx- no crash

Here is what happens with this testcase:
1. In the page A, set focus on an input element that has onblur attribute.
2. Load the cross origin page B.
3. Unload the page B before <body> element starts.
4. Firefox tries to compile onblur event handler of the input element in the
   page A in bfcache, and fails in JS_CompileUCFunctionForPrincipals.  (Error
   Console shows this error: Error: uncaught exception: Permission denied to
   set property EventTarget.addEventListener)
Depends on: 425576
Keywords: crash, testcase
Whiteboard: [sg:critical?]
Created attachment 315303 [details]
Crash log from 10.5

Here's a crash log from 10.5.

See also, bug 425594 and the attachment in bug 425576.

The top of the first thread using this testcase is:

Thread 0 Crashed:
0   libmozjs.dylib                	0x00c4dfb7 js_MarkGCThing + 26
1   libmozjs.dylib                	0x00c4ee71 js_GC + 1955
2   libmozjs.dylib                	0x00c223e5 JS_GC + 50
3   org.mozilla.firefox           	0x005014ec nsJSContext::SetGCOnDestruction(int) + 86

Compared to the testcase in bug 425576, which crashes at:

Thread 0 Crashed:
0   libmozjs.dylib                	0x00c4ee4e js_GC + 1920
1   libmozjs.dylib                	0x00c2240b JS_GC + 88
2   org.mozilla.firefox           	0x005042b1 nsJSContext::DOMBranchCallback(JSContext*, JSScript*) + 125
3   libmozjs.dylib                	0x00c5bafb js_Interpret + 43126
Keywords: fixed1.8.1.14
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 425576
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/2008040413 Firefox/

This crashes but not as comment 1 says.
Flags: blocking1.8.1.14+
Keywords: fixed1.8.1.14 → verified1.8.1.14
Alias: CVE-2008-1380
Group: security
Last Resolved: 10 years ago
Keywords: fixed1.8.1.15
Resolution: --- → FIXED
Flags: in-testsuite?
Keywords: fixed1.8.1.15
Flags: in-testsuite? → in-testsuite-