Closed Bug 450876 Opened 17 years ago Closed 16 years ago

Crash [@ nsEventStateManager::GetNextTabbableMapArea] with img usemap and tabindex

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: martijn.martijn, Assigned: martijn.martijn)

Details

(5 keywords, Whiteboard: [sg:nse] null deref)

Crash Data

Attachments

(5 files, 2 obsolete files)

testcase
182 bytes, text/html
Details
patch
3.26 KB, patch
smaug
: review+
roc
: superreview+
beltzner
: approval1.9.1+
Details | Diff | Splinter Review
testcase 2 (crashes Firefox when loaded)
206 bytes, application/xhtml+xml
Details
1.9.0.x patch
3.80 KB, patch
dveditz
: superreview+
dveditz
: approval1.9.0.9+
Details | Diff | Splinter Review
1.8.1.x patch
1.29 KB, patch
dveditz
: superreview+
dveditz
: approval1.8.1.next+
dveditz
: approval1.8.0.next?
Details | Diff | Splinter Review
Attached file testcase
See testcase, which crashes in Firefox 2, Firefox 3 and current trunk build when tabbing in the document. http://crash-stats.mozilla.com/report/index/adce7268-6b72-11dd-a999-001a4bd43ed6?p=1 0 xul.dll nsEventStateManager::GetNextTabbableMapArea content/events/src/nsEventStateManager.cpp:3955 1 xul.dll nsEventStateManager::GetNextTabbableContent content/events/src/nsEventStateManager.cpp:3915
Attached patch patch (obsolete) — Splinter Review
Attachment #334103 - Flags: review?(Olli.Pettay)
Attached patch diff -w of patch (obsolete) — Splinter Review
Or rather a hg diff -NprwU20 it seems.
perhaps early return? if (!imageMap) { return nsnull; }
Attached patch patchSplinter Review
I assume the img should not be tabbable, right? That's what IE seems to be doing.
Attachment #334103 - Attachment is obsolete: true
Attachment #334104 - Attachment is obsolete: true
Attachment #334106 - Flags: review?(Olli.Pettay)
Attachment #334103 - Flags: review?(Olli.Pettay)
(In reply to comment #4) > I assume the img should not be tabbable, right? That's what IE seems to be > doing. Does that have anything to do with this bug?
Attachment #334106 - Flags: review?(Olli.Pettay) → review+
Well, the patch makes the img with the non-existing usemap non-tabbable.
Attachment #334106 - Flags: superreview?(roc)
how? It is just a null check for a case which would otherwise crash when mapContent is used.
You're right. Would probably better to file a new bug for that (different issue (if issue at all)).
Hrm, with a slightly different testcase, I'm crashing in IE8 too.
Attachment #334106 - Flags: superreview?(roc) → superreview+
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.2?
Flags: blocking1.8.1.17?
This appears to be an unexploitable null deref crash if this patch fixes it, and if that's true it's not a blocker. But we'd approve this simple fix if this works for the branches.
Flags: blocking1.9.0.2?
Flags: blocking1.8.1.17?
Whiteboard: [sg:nse] null deref
Assignee: nobody → martijn.martijn
Keywords: checkin-needed
Flags: blocking1.9.1?
Not a blocker, but feel free to land this any time the tree is green.
Flags: blocking1.9.1? → blocking1.9.1-
This testcase is fun in that it manages to trigger the tabbing code without any user interaction.
http://hg.mozilla.org/mozilla-central/rev/3a616f9b649e
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
Attachment #334106 - Flags: approval1.9.1?
Comment on attachment 334106 [details] [diff] [review] patch a191=beltzner
Attachment #334106 - Flags: approval1.9.1? → approval1.9.1+
Keywords: checkin-needed
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f305bb515add Does this same patch apply on 1.9.0 and 1.8.1?
Keywords: checkin-neededfixed1.9.1
Not sure if this applies to 1.8.0.x as well, but I'll let those drivers determine whether they want it or not (since it's a null deref, maybe not even if it does apply).
Flags: wanted1.8.0.x?
Flags: blocking1.8.0.next?
Whiteboard: [sg:nse] null deref → [sg:nse] null deref [needs 1.9.0 and 1.8.1 patches]
Group: core-security
Flags: blocking1.9.0.7?
Flags: blocking1.9.0.7? → blocking1.9.0.7+
Martijn: Can you please work up 1.9.0 and 1.8.1 patches? Code freeze is technically tomorrow at 11:59pm...
Martijn: Please get a patch worked up for this in the next week or two so we can take it in 1.9.0.8.
Flags: blocking1.9.0.7+ → blocking1.9.0.8+
Attached patch 1.9.0.x patchSplinter Review
Sorry, electricity went down yesterday, which made it impossible to submit a patch. Do I need to ask review for these patches, I guess? Should I also add the tests? I haven't tested this patch yet, I don't worry about the patch causing problems, though, more about the test.
Attachment #360480 - Flags: review?(dveditz)
Attached patch 1.8.1.x patchSplinter Review
The 1.8.1 tree doesn't seem to have tests.
Attachment #360481 - Flags: review?(dveditz)
Comment on attachment 360481 [details] [diff] [review] 1.8.1.x patch Sorry, never mind, 1.8.1 is Firefox 2, which isn't supported anymore.
Attachment #360481 - Attachment is obsolete: true
Attachment #360481 - Flags: review?(dveditz)
Attachment #360481 - Attachment is obsolete: false
Attachment #360481 - Flags: review?(dveditz)
Comment on attachment 360481 [details] [diff] [review] 1.8.1.x patch We still want this patch on 1.8.1 for Thunderbird 2 and for Firefox 2 which distros still ship.
Verified fix on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090209 Shiretoko/3.1b3pre and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090209 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1
Comment on attachment 360480 [details] [diff] [review] 1.9.0.x patch sr=dveditz
Attachment #360480 - Flags: review?(dveditz) → superreview+
Comment on attachment 360481 [details] [diff] [review] 1.8.1.x patch sr=dveditz
Attachment #360481 - Flags: review?(dveditz) → superreview+
Attachment #360480 - Flags: approval1.9.0.8?
Attachment #360481 - Flags: approval1.8.1.next?
Attachment #360481 - Flags: approval1.8.0.next?
Comment on attachment 360480 [details] [diff] [review] 1.9.0.x patch Approved for 1.9.0.8, a=dveditz for release-drivers
Attachment #360480 - Flags: approval1.9.0.8? → approval1.9.0.8+
Comment on attachment 360481 [details] [diff] [review] 1.8.1.x patch Approved for 1.8.1.21, a=dveditz for release-drivers
Attachment #360481 - Flags: approval1.8.1.next? → approval1.8.1.next+
Whiteboard: [sg:nse] null deref [needs 1.9.0 and 1.8.1 patches] → [sg:nse] null deref
Checking in content/events/src/nsEventStateManager.cpp; /cvsroot/mozilla/content/events/src/nsEventStateManager.cpp,v <-- nsEventStateManager.cpp new revision: 1.743; previous revision: 1.742 done Checking in content/events/test/Makefile.in; /cvsroot/mozilla/content/events/test/Makefile.in,v <-- Makefile.in new revision: 1.19; previous revision: 1.18 done RCS file: /cvsroot/mozilla/content/events/test/test_bug450876.html,v done Checking in content/events/test/test_bug450876.html; /cvsroot/mozilla/content/events/test/test_bug450876.html,v <-- test_bug450876.html initial revision: 1.1 done Checked into the 1.9.0.x tree.
Keywords: fixed1.9.0.8
Checking in content/events/src/nsEventStateManager.cpp; /cvsroot/mozilla/content/events/src/nsEventStateManager.cpp,v <-- nsEventStateManager.cpp new revision: 1.595.2.32; previous revision: 1.595.2.31 done Checked into the 1.8.1.x tree.
Keywords: fixed1.8.1.21
Verified 1.9.0.8 using testcase attached and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8pre) Gecko/2009031905 GranParadiso/3.0.8pre (.NET CLR 3.5.30729). Crashes 1.9.0.7 cleanly.
Keywords: fixed1.9.0.8verified1.9.0.8
Crash Signature: [@ nsEventStateManager::GetNextTabbableMapArea]
Component: Event Handling → User events and focus handling
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: