Closed
Bug 453278
Opened 16 years ago
Closed 16 years ago
Crash [@ nsContentUtils::TriggerLink] with xlink stuff in display: none iframe
Categories
(Core :: XML, defect)
Core
XML
Tracking
()
VERIFIED
FIXED
mozilla1.9.1b1
People
(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)
Details
(4 keywords, Whiteboard: [sg:nse dos] null-pointer access)
Crash Data
Attachments
(5 files)
|
121 bytes,
text/xml
|
Details | |
|
292 bytes,
text/html
|
Details | |
|
1.05 KB,
patch
|
Details | Diff | Splinter Review | |
|
867 bytes,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
dveditz
:
approval1.9.0.4+
|
Details | Diff | Splinter Review |
|
681 bytes,
patch
|
bzbarsky
:
review+
dveditz
:
approval1.8.1.19+
asac
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
See upcoming testcase, which crashes current trunk build.
It even crashes in Mozilla1.7, so no regression.
For some reason, I can't use a data url as the iframe content, it doesn't crash then.
http://crash-stats.mozilla.com/report/index/fc75e6bd-78d6-11dd-8ccb-001cc45a2c28?p=1
0 xul.dll nsContentUtils::TriggerLink content/base/src/nsContentUtils.cpp:3832
1 xul.dll nsXMLElement::MaybeTriggerAutoLink content/xml/content/src/nsXMLElement.cpp:191
2 xul.dll nsXMLContentSink::AddAttributes content/xml/document/src/nsXMLContentSink.cpp:1506
3 xul.dll nsXMLContentSink::HandleStartElement content/xml/document/src/nsXMLContentSink.cpp:1038
4 xul.dll storeAtts parser/expat/lib/xmlparse.c:3112
5 xul.dll doContent parser/expat/lib/xmlparse.c:2464
|
Reporter | |
Updated•16 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
Reporter | |
Comment 1•16 years ago
|
||
|
Assignee | |
Comment 2•16 years ago
|
||
Assignee: nobody → mats.palmgren
|
|
Assignee | |
Comment 3•16 years ago
|
||
Add a null-check.
Attachment #336889 -
Flags: superreview?(bzbarsky)
Attachment #336889 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Updated•16 years ago
|
Whiteboard: [sg:nse] null-pointer access
|
||
Comment 4•16 years ago
|
||
Comment on attachment 336889 [details] [diff] [review]
Patch rev. 1
Looks good, but please add a regression test.
Attachment #336889 -
Flags: superreview?(bzbarsky)
Attachment #336889 -
Flags: superreview+
Attachment #336889 -
Flags: review?(bzbarsky)
Attachment #336889 -
Flags: review+
|
|
Assignee | |
Comment 5•16 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/5319e4d5d651
http://hg.mozilla.org/mozilla-central/rev/d4e1a062ae8d
-> FIXED
Flags: in-testsuite+
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:nse] null-pointer access → [sg:dos] null-pointer access
Target Milestone: --- → mozilla1.9.1b1
|
|
Assignee | |
Updated•16 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 6•16 years ago
|
||
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080905031348 Minefield/3.1b1pre
Status: RESOLVED → VERIFIED
|
|
Assignee | |
Updated•16 years ago
|
Attachment #336889 -
Flags: approval1.9.0.4?
|
||
Updated•16 years ago
|
Whiteboard: [sg:dos] null-pointer access → [sg:nse dos] null-pointer access
|
|
||
Updated•16 years ago
|
Attachment #336889 -
Flags: approval1.9.0.4? → approval1.9.0.4+
|
|
||
Comment 7•16 years ago
|
||
Comment on attachment 336889 [details] [diff] [review]
Patch rev. 1
Approved for 1.9.0.4, a=dveditz for release-drivers
|
|
Assignee | |
Comment 8•16 years ago
|
||
Landed on CVS trunk for 1.9.0.4:
mozilla/content/xml/content/src/nsXMLElement.cpp 1.153
mozilla/content/xml/content/crashtest/453278-frame.xml 1.1
mozilla/content/xml/content/crashtest/453278.html 1.1
mozilla/content/xml/content/crashtest/crashtests.list 1.2
Keywords: fixed1.9.0.4
|
||
Comment 9•16 years ago
|
||
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre.
Keywords: fixed1.9.0.4 → verified1.9.0.4
|
||
Comment 10•16 years ago
|
||
|
|
||
Comment 11•16 years ago
|
||
Comment on attachment 346659 [details] [diff] [review]
fix for 1.8 branch
Boris, can you please check this one?
Attachment #346659 -
Flags: review?(bzbarsky)
|
|
||
Updated•16 years ago
|
Attachment #346659 -
Flags: review?(bzbarsky) → review+
|
|
||
Updated•16 years ago
|
Keywords: checkin-needed
Whiteboard: [sg:nse dos] null-pointer access → [sg:nse dos] null-pointer access, needs 1.8 branch checkin
|
||
Comment 12•16 years ago
|
||
Comment on attachment 346659 [details] [diff] [review]
fix for 1.8 branch
a=asac for 1.8.0 branch
Attachment #346659 -
Flags: approval1.8.0.15+
|
|
||
Updated•16 years ago
|
Attachment #346659 -
Flags: approval1.8.1.19?
|
|
||
Comment 13•16 years ago
|
||
Comment on attachment 346659 [details] [diff] [review]
fix for 1.8 branch
Approved for 1.8.1.18, a=dveditz for release-drivers
Attachment #346659 -
Flags: approval1.8.1.19? → approval1.8.1.19+
|
|
||
Comment 14•16 years ago
|
||
Checked into 1.8 branch
Group: core-security
Keywords: checkin-needed → fixed1.8.1.19
Whiteboard: [sg:nse dos] null-pointer access, needs 1.8 branch checkin → [sg:nse dos] null-pointer access
|
|
||
Comment 15•16 years ago
|
||
Verified for 1.8.1.19 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19pre) Gecko/2008112503 BonEcho/2.0.0.19pre.
Keywords: fixed1.8.1.19 → verified1.8.1.19
|
||
Updated•14 years ago
|
Crash Signature: [@ nsContentUtils::TriggerLink]
You need to log in
before you can comment on or make changes to this bug.
Description
•