Bug 428669 - (CVE-2008-1380) Crash testcase for bug 425576
Status: RESOLVED FIXED
Whiteboard: [sg:critical?] fixed by 425576
Keywords: crash, testcase, verified1.8.1.14
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 1.8 Branch
Platform: x86 Windows XP
Importance: -- normal
Target Milestone: ---
Assigned To: general
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on: 425576
Blocks:

Reported: 2008-04-12 07:37 PDT by moz_bug_r_a4
Modified: 2013-03-26 08:03 PDT
CC: 7 users
Flags: samuel.sidler+old: blocking1.8.1.14+
       choller: in-testsuite-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase - page A (228 bytes, text/html)
2008-04-12 07:39 PDT, moz_bug_r_a4
Crash log from 10.5 (25.99 KB, text/plain)
2008-04-12 14:26 PDT, Samuel Sidler (old account; do not CC)

Description moz_bug_r_a4 2008-04-12 07:37:30 PDT
I'm filing this bug to attach a testcase for bug 425576, since I'm not sure
whether this is an exploitable crash or not.

Upcoming testcase is based on http://www.exblog.jp/ page and bug 425576 comment #38.
Comment 1 moz_bug_r_a4 2008-04-12 07:39:46 PDT
Created attachment 315278 [details]
testcase - page A

This testcase consists of two pages.  Cross origin page B is:
http://landfill.bugzilla.org/bugzilla-3.0-branch/attachment.cgi?id=904

Note:
* You need to set pref security.warn_leaving_secure to false.
* If bfcache is disabled, this testcase is not reproducible.

Steps to reproduce:
1. Load the page A.
2. Click "Click me!" button.
3. Wait a few seconds.

fx-2.0.0.14pre-2008-04-01-03: crash
fx-2.0.0.14pre-2008-04-02-03: no crash

Here is what happens with this testcase:
1. In the page A, set focus on an input element that has onblur attribute.
2. Load the cross origin page B.
3. Unload the page B before <body> element starts.
4. Firefox tries to compile onblur event handler of the input element in the
   page A in bfcache, and fails in JS_CompileUCFunctionForPrincipals.  (Error
   Console shows this error: Error: uncaught exception: Permission denied to
   set property EventTarget.addEventListener)
Comment 2 Samuel Sidler (old account; do not CC) 2008-04-12 14:26:47 PDT
Created attachment 315303 [details]
Crash log from 10.5

Here's a crash log from 10.5.

See also, bug 425594 and the attachment in bug 425576.

The top of the first thread using this testcase is:

Thread 0 Crashed:
0   libmozjs.dylib                	0x00c4dfb7 js_MarkGCThing + 26
1   libmozjs.dylib                	0x00c4ee71 js_GC + 1955
2   libmozjs.dylib                	0x00c223e5 JS_GC + 50
3   org.mozilla.firefox           	0x005014ec nsJSContext::SetGCOnDestruction(int) + 86


Compared to the testcase in bug 425576, which crashes at:

Thread 0 Crashed:
0   libmozjs.dylib                	0x00c4ee4e js_GC + 1920
1   libmozjs.dylib                	0x00c2240b JS_GC + 88
2   org.mozilla.firefox           	0x005042b1 nsJSContext::DOMBranchCallback(JSContext*, JSScript*) + 125
3   libmozjs.dylib                	0x00c5bafb js_Interpret + 43126
Comment 3 Samuel Sidler (old account; do not CC) 2008-04-14 17:42:05 PDT
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.14) Gecko/2008040413 Firefox/2.0.0.14.

This crashes 2.0.0.13 but not 2.0.0.14 as comment 1 says.
