Closed Bug 431906 Opened 15 years ago Closed 14 years ago

Crash [@ dosprintf][@ AtomImpl::ToString] with command, id and setting attributes

Categories

(Core :: XPConnect, defect)

x86
Windows XP
defect
Not set
critical


RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Assigned: sicking)

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:nse] stack overflow)

Attachments

(2 files)

Attached file testcase
See testcase, which crashes current trunk builds after 100ms.

This seems to have regressed between 2007-11-01 and 2007-11-03 (those older builds crash on closing):
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-11-01+05&maxdate=2007-11-03+07&cvsroot=%2Fcvsroot
I guess a regression from bug 401687?

http://crash-stats.mozilla.com/report/index/2fdd0259-1881-11dd-bbc5-001cc45a2c28?p=1
0  nspr4.dll  dosprintf    mozilla/nsprpub/pr/src/io/prprf.c:682
1  nspr4.dll  PR_snprintf  mozilla/nsprpub/pr/src/io/prprf.c:1169
2  xul.dll    xul.dll@0x7c7d93
Maybe this is security sensitive, don't know.
Group: security
It seems like an infinite recursion crash:
> xpcom_core.dll!AtomImpl::ToString(nsAString_internal & aBuf={...})  Line 517 + 0x15 bytes  C++
  gklayout.dll!nsAttrValue::ToString(nsAString_internal & aResult={...})  Line 325  C++
  gklayout.dll!nsXULElement::GetAttr(int aNameSpaceID=0, nsIAtom * aName=0x041e95bc, nsAString_internal & aResult={...})  Line 1248  C++
  gklayout.dll!nsXULDocument::AttributeChanged(nsIDocument * aDocument=0x06ba8eb0, nsIContent * aElement=0x060ce438, int aNameSpaceID=0, nsIAtom * aAttribute=0x041e95bc, int aModType=1, unsigned int aStateMask=0)  Line 954 + 0x1d bytes  C++
  gklayout.dll!nsNodeUtils::AttributeChanged(nsIContent * aContent=0x060ce438, int aNameSpaceID=0, nsIAtom * aAttribute=0x041e95bc, int aModType=1, unsigned int aStateMask=0)  Line 109 + 0xf3 bytes  C++
  gklayout.dll!nsGenericElement::SetAttrAndNotify(int aNamespaceID=0, nsIAtom * aName=0x041e95bc, nsIAtom * aPrefix=0x00000000, const nsAString_internal & aOldValue={...}, nsAttrValue & aParsedValue={...}, int aModification=1, int aFireMutation=0, int aNotify=1)  Line 3797 + 0x1d bytes  C++
  gklayout.dll!nsGenericElement::SetAttr(int aNamespaceID=0, nsIAtom * aName=0x041e95bc, nsIAtom * aPrefix=0x00000000, const nsAString_internal & aValue={...}, int aNotify=1)  Line 3725 + 0x34 bytes  C++
  gklayout.dll!nsIContent::SetAttr(int aNameSpaceID=0, nsIAtom * aName=0x041e95bc, const nsAString_internal & aValue={...}, int aNotify=1)  Line 255  C++
  gklayout.dll!nsXULDocument::AttributeChanged(nsIDocument * aDocument=0x06ba8eb0, nsIContent * aElement=0x0632e6a0, int aNameSpaceID=0, nsIAtom * aAttribute=0x041e95bc, int aModType=1, unsigned int aStateMask=0)  Line 978  C++
  gklayout.dll!nsNodeUtils::AttributeChanged(nsIContent * aContent=0x0632e6a0, int aNameSpaceID=0, nsIAtom * aAttribute=0x041e95bc, int aModType=1, unsigned int aStateMask=0)  Line 109 + 0xf3 bytes  C++
etc...
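As an added illustration (hypothetical model, not Mozilla code, and not the actual fix, which this bug does not record), here is the AttributeChanged -> SetAttr -> AttributeChanged cycle from the stack above reduced to two elements that mirror an attribute onto each other, with a depth counter standing in for the real stack and a skip-unchanged-writes guard as one mitigation that breaks the cycle:

```cpp
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for a DOM element: just an attribute map.
struct Element {
    std::map<std::string, std::string> attrs;
};

// Constructed stand-in for a document whose attribute-changed observer
// reacts by setting an attribute on another element (the XUL-like pattern).
struct Document {
    std::vector<Element> elements;
    bool guardNoOpWrites = false;  // the mitigation under test
    int notifications = 0;         // AttributeChanged callbacks that ran
    int depth = 0;
    static constexpr int kDepthLimit = 64;  // models the finite native stack

    // Returns false when recursion runs away (a stack overflow in a real engine).
    bool SetAttr(size_t idx, const std::string& name, const std::string& value) {
        Element& el = elements[idx];
        auto it = el.attrs.find(name);
        if (guardNoOpWrites && it != el.attrs.end() && it->second == value)
            return true;  // value unchanged: no notification, so no cycle
        el.attrs[name] = value;
        return AttributeChanged(idx, name);
    }

    // Observer: copies the attribute to the other element, which copies it back.
    bool AttributeChanged(size_t idx, const std::string& name) {
        ++notifications;
        if (++depth > kDepthLimit) { --depth; return false; }
        size_t other = (idx == 0) ? 1 : 0;
        bool ok = SetAttr(other, name, elements[idx].attrs[name]);
        --depth;
        return ok;
    }
};

// Runs one attribute write with or without the guard; reports whether it
// terminated and how many observer callbacks fired.
bool runScenario(bool guarded, int* notificationsOut) {
    Document doc;
    doc.elements.resize(2);
    doc.guardNoOpWrites = guarded;
    bool ok = doc.SetAttr(0, "disabled", "true");
    if (notificationsOut) *notificationsOut = doc.notifications;
    return ok;
}
```

With the guard the write settles after two notifications; without it the mirroring never converges and only the depth limit stops it, which is the unbounded recursion the crash reports describe.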
Still crashes in current trunk build.
Flags: blocking1.9.1?
This is a DoS attack, but not an exploitable crash. Not going to block on it.
Assignee: nobody → jonas
Flags: blocking1.9.1? → blocking1.9.1-
Group: core-security
Flags: wanted1.8.1.x-
Whiteboard: [sg:nse] stack overflow
This is now worksforme in current trunk build, I think Olli fixed this in one of his recent patches.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ dosprintf] [@ AtomImpl::ToString]