441559 - DOM modification using JavaScript causes Access Violation [@ nsFileControlFrame::CreateAnonymousContent] (appears to be NULL pointer)

Status: RESOLVED WORKSFORME

(Core :: Layout, defect)

Description

[u315569]

User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14

This sample code crashes FireFox:
<BODY onload="go()"><SCRIPT>
    function go() {
        o=document.createElement("map");
        document.body.parentNode.replaceChild(o,document.body);
        o.innerHTML='<param><legend><body></body><legend></legend></legend><style></style><input type=file></param>';
    }
</SCRIPT></BODY>

Another example, appears to trigger the same bug:
<BODY onload="go()"><SCRIPT>
    function go() {
        o=document.createElement('font');
        document.body.appendChild(o);
        o.innerHTML='<fieldSet></fieldSet><frame>x</frame><style><input type=file>';
        location.reload();
    }
</SCRIPT></BODY>


Reproducible: Always

Steps to Reproduce:
Load one of these two URLs:
* http://skypher.com/SkyLined/Repro/FireFox/AccessViolation%20cff39b5a%20(1).html
* http://skypher.com/SkyLined/Repro/FireFox/AccessViolation%20cff39b5a%20(2).html

Actual Results:  
FireFox crashes because of an Access Violation


Marked as security problem because I'm not sure if it is a NULL pointer or not.

Comment 2

[Brandon Sterne (:bsterne)]

Yes, this appears to be a null deref.  The first testcase crashes 2.0.0.14 but not trunk.  I'll attach a backtrace from the branch crash.

Comment 3

[Brandon Sterne (:bsterne)]

Attachment: Backtrace from branch crash

Comment 4

[Martijn Wargers (dead)]

I don't crash with trunk.
Talkback ID: TB46895999M
Stack Trace  	
nsFileControlFrame::CreateAnonymousContent  [mozilla/layout/forms/nsFileControlFrame.cpp, line 154]
nsCSSFrameConstructor::CreateAnonymousFrames  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 5885]
nsCSSFrameConstructor::CreateAnonymousFrames  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 5772]
nsCSSFrameConstructor::ConstructHTMLFrame  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 5706]
nsCSSFrameConstructor::ConstructFrameInternal  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7910]
nsCSSFrameConstructor::ConstructFrame  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7786]
nsCSSFrameConstructor::ProcessInlineChildren  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13548]
nsCSSFrameConstructor::ConstructInline  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13356]
nsCSSFrameConstructor::ConstructFrameByDisplayType  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 6813]
nsCSSFrameConstructor::ConstructFrameInternal  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7974]
nsCSSFrameConstructor::ConstructFrame  [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 7786]
etc..


I get the same fix range as for bug 441561:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-01-29+06&maxdate=2006-02-02+09&cvsroot=%2Fcvsroot

So I guess this is probably related/the same as bug 441561.

Comment 5

[Daniel Veditz [:dveditz]]

Attachment: testcase from url