Crash [@ dosprintf][@ AtomImpl::ToString] with command, id and setting attributes

Status: RESOLVED WORKSFORME
Product: Core
Component: XPConnect
Priority: --
Severity: critical
Reported: 10 years ago
Modified: 7 years ago

People: Reporter: Martijn Wargers (zombie), Assigned: sicking

Tracking
Keywords: crash, regression, testcase
Version: Trunk
Platform: x86 Windows XP
Points: ---
Bug Flags: blocking1.9.1 -, wanted1.8.1.x -, in-testsuite +
Firefox Tracking Flags: Not tracked

Details
Whiteboard: [sg:nse] stack overflow, crash signature

Attachments: 2 attachments

Description (Reporter, 10 years ago)

Created attachment 319066: testcase

See testcase, which crashes current trunk builds after 100ms.

This seems to have regressed between 2007-11-01 and 2007-11-03 (those older builds crash on closing):
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-11-01+05&maxdate=2007-11-03+07&cvsroot=%2Fcvsroot
I guess a regression from bug 401687?

http://crash-stats.mozilla.com/report/index/2fdd0259-1881-11dd-bbc5-001cc45a2c28?p=1
0  nspr4.dll  dosprintf  mozilla/nsprpub/pr/src/io/prprf.c:682
1  nspr4.dll  PR_snprintf  mozilla/nsprpub/pr/src/io/prprf.c:1169
2  xul.dll  xul.dll@0x7c7d93
Comment 1 (Reporter, 10 years ago)

Maybe this is security sensitive, don't know.
Group: security
Comment 2 (Reporter, 10 years ago)

Created attachment 319067: Stack trace of debug build, zipped

It seems like an infinite recursion crash:
xpcom_core.dll!AtomImpl::ToString(nsAString_internal & aBuf={...})  Line 517 + 0x15 bytes  C++
gklayout.dll!nsAttrValue::ToString(nsAString_internal & aResult={...})  Line 325  C++
gklayout.dll!nsXULElement::GetAttr(int aNameSpaceID=0, nsIAtom * aName=0x041e95bc, nsAString_internal & aResult={...})  Line 1248  C++
gklayout.dll!nsXULDocument::AttributeChanged(nsIDocument * aDocument=0x06ba8eb0, nsIContent * aElement=0x060ce438, int aNameSpaceID=0, nsIAtom * aAttribute=0x041e95bc, int aModType=1, unsigned int aStateMask=0)  Line 954 + 0x1d bytes  C++
gklayout.dll!nsNodeUtils::AttributeChanged(nsIContent * aContent=0x060ce438, int aNameSpaceID=0, nsIAtom * aAttribute=0x041e95bc, int aModType=1, unsigned int aStateMask=0)  Line 109 + 0xf3 bytes  C++
gklayout.dll!nsGenericElement::SetAttrAndNotify(int aNamespaceID=0, nsIAtom * aName=0x041e95bc, nsIAtom * aPrefix=0x00000000, const nsAString_internal & aOldValue={...}, nsAttrValue & aParsedValue={...}, int aModification=1, int aFireMutation=0, int aNotify=1)  Line 3797 + 0x1d bytes  C++
gklayout.dll!nsGenericElement::SetAttr(int aNamespaceID=0, nsIAtom * aName=0x041e95bc, nsIAtom * aPrefix=0x00000000, const nsAString_internal & aValue={...}, int aNotify=1)  Line 3725 + 0x34 bytes  C++
gklayout.dll!nsIContent::SetAttr(int aNameSpaceID=0, nsIAtom * aName=0x041e95bc, const nsAString_internal & aValue={...}, int aNotify=1)  Line 255  C++
gklayout.dll!nsXULDocument::AttributeChanged(nsIDocument * aDocument=0x06ba8eb0, nsIContent * aElement=0x0632e6a0, int aNameSpaceID=0, nsIAtom * aAttribute=0x041e95bc, int aModType=1, unsigned int aStateMask=0)  Line 978  C++
gklayout.dll!nsNodeUtils::AttributeChanged(nsIContent * aContent=0x0632e6a0, int aNameSpaceID=0, nsIAtom * aAttribute=0x041e95bc, int aModType=1, unsigned int aStateMask=0)  Line 109 + 0xf3 bytes  C++
etc...
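Added example, not Mozilla's code: a small C++ model of the cycle visible in this trace, where an AttributeChanged observer mirrors the changed attribute onto the element named by its `command` attribute and that element's observer mirrors it straight back. The element layout, the `command`/`label` attributes and the depth cap of 1000 are constructed assumptions. Without a no-op-write check the two observers call each other until the stack is gone; with it the exchange settles after two notifications.

```cpp
#include <map>
#include <stdexcept>
#include <string>

// Hypothetical model (not Mozilla code) of the cycle in the stack trace above:
// SetAttr notifies AttributeChanged, and the observer mirrors the changed
// attribute onto the element named by `command`, whose observer mirrors it back.
struct Element { std::map<std::string, std::string> attrs; };

struct Document {
    // Mitigation under test: ignore writes that leave the value unchanged, so
    // the two observers stop re-notifying each other once their values agree.
    bool skipNoOpWrites = false;
    int notifications = 0;
    int depth = 0;                           // stand-in for remaining stack space
    std::map<std::string, Element> elements; // node-based, so references stay valid

    Element& Add(const std::string& id) { return elements[id]; }

    void SetAttr(Element& el, const std::string& name, const std::string& value) {
        auto it = el.attrs.find(name);
        if (skipNoOpWrites && it != el.attrs.end() && it->second == value)
            return;                          // no change, so no notification
        el.attrs[name] = value;
        AttributeChanged(el, name);
    }

    void AttributeChanged(Element& el, const std::string& name) {
        ++notifications;
        if (depth >= 1000)                   // where the real build overflowed
            throw std::runtime_error("unbounded attribute recursion");
        ++depth;
        auto cmd = el.attrs.find("command");
        if (cmd != el.attrs.end() && name != "command") {
            auto target = elements.find(cmd->second);
            if (target != elements.end()) SetAttr(target->second, name, el.attrs[name]);
        }
        --depth;
    }
};

// Two elements whose `command` attributes point at each other (constructed sample);
// returns how many AttributeChanged notifications one write to "a" caused.
int RunCycle(bool skipNoOpWrites) {
    Document doc; doc.skipNoOpWrites = skipNoOpWrites;
    Element& a = doc.Add("a"); Element& b = doc.Add("b");
    a.attrs["command"] = "b"; b.attrs["command"] = "a";
    doc.SetAttr(a, "label", "x");
    return doc.notifications;
}

// True when the unguarded document exhausts its "stack": the crash on this page.
bool UnguardedCycleOverflows() {
    try { RunCycle(false); } catch (const std::runtime_error&) { return true; }
    return false;
}
```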
Comment 3 (Reporter, 10 years ago)

Still crashes in current trunk build.
Flags: blocking1.9.1?

Comment 4

This is a DOS attack, but not an exploitable crash. Not going to block on it.
Assignee: nobody → jonas
Flags: blocking1.9.1? → blocking1.9.1-
Group: core-security
Flags: wanted1.8.1.x-
Whiteboard: [sg:nse] stack overflow
Comment 5 (Reporter, 9 years ago)

This is now worksforme in current trunk build, I think Olli fixed this in one of his recent patches.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WORKSFORME
crash test added
http://hg.mozilla.org/mozilla-central/rev/9901f6f21c1c
Flags: in-testsuite+
Crash Signature: [@ dosprintf] [@ AtomImpl::ToString]