Closed
Bug 428669
(CVE-2008-1380)
Opened 17 years ago
Closed 17 years ago
Crash testcase for bug 425576
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: moz_bug_r_a4, Unassigned)
Details
(Keywords: crash, testcase, verified1.8.1.14, Whiteboard: [sg:critical?] fixed by 425576)
Attachments
(2 files)
I'm filing this bug to attach a testcase for bug 425576, since I'm not sure whether this is an exploitable crash or not.
The upcoming testcase is based on the http://www.exblog.jp/ page and bug 425576 comment #38.
Comment 1•17 years ago (Reporter)
This testcase consists of two pages. Cross origin page B is:
http://landfill.bugzilla.org/bugzilla-3.0-branch/attachment.cgi?id=904
Note:
* You need to set pref security.warn_leaving_secure to false.
* If bfcache is disabled, this testcase is not reproducible.
Steps to reproduce:
1. Load the page A.
2. Click "Click me!" button.
3. Wait a few seconds.
fx-2.0.0.14pre-2008-04-01-03: crash
fx-2.0.0.14pre-2008-04-02-03: no crash
Here is what happens with this testcase:
1. In the page A, set focus on an input element that has onblur attribute.
2. Load the cross origin page B.
3. Unload the page B before <body> element starts.
4. Firefox tries to compile the onblur event handler of the input element in page A, which is in bfcache, and fails in JS_CompileUCFunctionForPrincipals. (The Error Console shows this error: Error: uncaught exception: Permission denied to set property EventTarget.addEventListener)
Comment 2•17 years ago
Here's a crash log from 10.5.
See also bug 425594 and the attachment in bug 425576.
The top of the first thread using this testcase is:
Thread 0 Crashed:
0 libmozjs.dylib 0x00c4dfb7 js_MarkGCThing + 26
1 libmozjs.dylib 0x00c4ee71 js_GC + 1955
2 libmozjs.dylib 0x00c223e5 JS_GC + 50
3 org.mozilla.firefox 0x005014ec nsJSContext::SetGCOnDestruction(int) + 86
Compared to the testcase in bug 425576, which crashes at:
Thread 0 Crashed:
0 libmozjs.dylib 0x00c4ee4e js_GC + 1920
1 libmozjs.dylib 0x00c2240b JS_GC + 88
2 org.mozilla.firefox 0x005042b1 nsJSContext::DOMBranchCallback(JSContext*, JSScript*) + 125
3 libmozjs.dylib 0x00c5bafb js_Interpret + 43126
Updated•17 years ago
Keywords: fixed1.8.1.14
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 425576
Comment 3•17 years ago
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.14) Gecko/2008040413 Firefox/2.0.0.14.
This crashes 2.0.0.13 but not 2.0.0.14 as comment 1 says.
Flags: blocking1.8.1.14+
Keywords: fixed1.8.1.14 → verified1.8.1.14
Updated•17 years ago
Alias: CVE-2008-1380
Updated•17 years ago
Group: security
Updated•17 years ago
Flags: in-testsuite?
Updated•17 years ago
Keywords: fixed1.8.1.15
Updated•12 years ago
Flags: in-testsuite? → in-testsuite-