Closed Bug 434458 Opened 17 years ago Closed 17 years ago

Crash [@ nsINode::GetCurrentDoc] with showPopup on popup removed from document

Categories: Core :: XUL, defect
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical

RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: enndeakin)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dos] null deref)

Attachments

(5 files)

See testcase, which crashes current trunk build after 100ms. This regressed when the patch for bug 279703 landed.

http://crash-stats.mozilla.com/report/index/be52d180-2584-11dd-b103-0013211cbf8a?p=1
0 xul.dll nsINode::GetCurrentDoc nsINode.h:275
1 xul.dll nsXULPopupManager::GetFrameOfTypeForContent mozilla/layout/xul/base/src/nsXULPopupManager.cpp:260
2 xul.dll nsXULPopupManager::GetPopupFrameForContent mozilla/layout/xul/base/src/nsXULPopupManager.cpp:288
3 xul.dll nsPopupBoxObject::ShowPopup mozilla/layout/xul/base/src/nsPopupBoxObject.cpp:116
4 xul.dll XPCConvert::JSData2Native mozilla/js/src/xpconnect/src/xpcconvert.cpp:848
Attached file testcase
Attached file testcase2
Also happens with openPopup.
Attached file testcase3
And with openPopupAtScreen.
Attached file testcase4
A similar crash happens also with sizeTo:

http://crash-stats.mozilla.com/report/index/d1ac78a3-258a-11dd-8220-0013211cbf8a?p=1
0 xul.dll nsIContent::SetAttr nsIContent.h:254
1 xul.dll nsPopupBoxObject::SizeTo mozilla/layout/xul/base/src/nsPopupBoxObject.cpp:167
2 xul.dll NS_InvokeByIndex_P mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
3 xul.dll XPCWrappedNative::CallMethod mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2388
Looks like nsPopupBoxObject just needs some nullchecks for mContent in its methods.
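The null-check pattern the comment above asks for, as an added illustration that is not Gecko's code and not the patch in attachment 333439: a reduced C++ model of a popup box object whose weak mContent pointer is cleared when the popup element leaves the document while script still holds the box object. The names mContent, ShowPopup, SizeTo, GetCurrentDoc and Clear mirror Gecko only to make the parallel readable; the Content, Document and Result types and the RunScenario driver are assumptions made for the example.

```cpp
// Reduced model of the nsPopupBoxObject null-dereference class (bug 434458).
// Illustrative only: this is not Gecko code. Gecko-like names are used so the
// parallel to the crash frames (nsINode::GetCurrentDoc, nsIContent::SetAttr) is clear.
#include <cstddef>
#include <map>
#include <string>

// Stand-in for nsresult.
enum class Result { Ok, ErrorUnexpected, ErrorNotAvailable };

struct Document;

// Stand-in for nsIContent: attributes plus the document it currently belongs to
// (nullptr once it has been removed from the tree).
struct Content {
    std::map<std::string, std::string> attrs;
    Document* currentDoc = nullptr;
    Document* GetCurrentDoc() const { return currentDoc; }
    void SetAttr(const std::string& name, const std::string& value) { attrs[name] = value; }
};

// Stand-in for the box object. Assumption: mContent is a weak back pointer that is
// cleared when the element leaves the document, while script can keep the box
// object itself alive and call into it afterwards.
class PopupBoxObject {
public:
    explicit PopupBoxObject(Content* content) : mContent(content) {}

    // Called when the owning element is removed from the document.
    void Clear() { mContent = nullptr; }

    // Pattern before the fix: unconditional dereference. With mContent == nullptr
    // this is the null dereference behind the report's nsINode::GetCurrentDoc frame.
    // Kept only for contrast; the scenario below never calls it after Clear().
    Document* UnsafeShowPopup() const { return mContent->GetCurrentDoc(); }

    // Hardened: check mContent before touching it, as the null-check patch does.
    Result ShowPopup() const {
        if (!mContent) return Result::ErrorUnexpected;     // the added null check
        Document* doc = mContent->GetCurrentDoc();
        if (!doc) return Result::ErrorNotAvailable;        // element alive but in no document
        return Result::Ok;                                 // real code would look up the popup frame here
    }

    // Same shape for sizeTo, whose crash was in nsIContent::SetAttr.
    Result SizeTo(int width, int height) const {
        if (!mContent) return Result::ErrorUnexpected;
        mContent->SetAttr("width", std::to_string(width));
        mContent->SetAttr("height", std::to_string(height));
        return Result::Ok;
    }

private:
    Content* mContent;   // weak; may be null
};

struct Document {
    // Removing the node drops its current document and clears the box object's pointer.
    void RemoveChild(Content& node, PopupBoxObject& box) {
        node.currentDoc = nullptr;
        box.Clear();
    }
};

// Scenario mirroring the testcases: script holds the popup's box object, removes the
// popup from the document, then calls showPopup / sizeTo.
struct ScenarioResults {
    Result showBefore, sizeBefore, showAfter, sizeAfter;
    bool sizeAttrsSetBefore;
};

ScenarioResults RunScenario() {
    Document doc;
    Content popup;                        // constructed sample element, not a real XUL node
    popup.currentDoc = &doc;
    PopupBoxObject box(&popup);

    ScenarioResults r{};
    r.showBefore = box.ShowPopup();
    r.sizeBefore = box.SizeTo(100, 50);
    r.sizeAttrsSetBefore = popup.attrs["width"] == "100" && popup.attrs["height"] == "50";

    doc.RemoveChild(popup, box);          // the step the testcases perform before the call

    r.showAfter = box.ShowPopup();        // error return instead of a null dereference
    r.sizeAfter = box.SizeTo(200, 75);
    return r;
}

// Companion case: element still alive but not in any document, so there is no frame to show.
Result ShowPopupWithoutDocument() {
    Content orphan;                       // currentDoc stays nullptr
    PopupBoxObject box(&orphan);
    return box.ShowPopup();
}
```

The point of the model is the order of checks: the box object must test its own back pointer before asking the content for its document, because by the time script calls showPopup the element may already be gone, and the second check (no current document) only helps once the first has passed.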
Component: XP Toolkit/Widgets: Menus → XUL
QA Contact: xptoolkit.menus → xptoolkit.widgets
Assignee: nobody → enndeakin
Status: NEW → ASSIGNED
Attachment #333439 - Flags: superreview?
Attachment #333439 - Flags: review?(Olli.Pettay)
Blocks: 434456
Attachment #333439 - Flags: superreview? → superreview?(dbaron)
Attachment #333439 - Flags: review?(Olli.Pettay) → review+
Comment on attachment 333439 (add some null-checks, also fixes bug 434456):

>\ No newline at end of file

Have a newline, please. sr=dbaron
Attachment #333439 - Flags: superreview?(dbaron) → superreview+
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
The test was checked in and is public. 1.9.0 !exploitable report; I didn't see a crash on 1.9.1 winxp.

PROBABLY_EXPLOITABLE: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!nsPopupBoxObject::EnableKeyboardNavigator
Flags: in-testsuite+
Flags: blocking1.9.0.11?
We could take this on the 1.9.0 branch, but it's not exploitable.
Group: core-security
Flags: blocking1.9.0.11? → wanted1.9.0.x+
Whiteboard: [sg:dos] null deref
Crash Signature: [@ nsINode::GetCurrentDoc]