Crash [@ nsContentUtils::TriggerLink] with xlink stuff in display: none iframe

VERIFIED FIXED in mozilla1.9.1b1

Status

Core
XML
--
critical
VERIFIED FIXED
9 years ago
6 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: mats)

Tracking

(4 keywords)

Trunk
mozilla1.9.1b1
crash, testcase, verified1.8.1.19, verified1.9.0.4
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse dos] null-pointer access, crash signature)

Attachments

(5 attachments)

(Reporter)

Description

9 years ago
Created attachment 336460 [details]
xml file needed for testcase

See upcoming testcase, which crashes current trunk build.
It even crashes in Mozilla1.7, so no regression.

For some reason, I can't use a data URL as the iframe content; it doesn't crash then.

http://crash-stats.mozilla.com/report/index/fc75e6bd-78d6-11dd-8ccb-001cc45a2c28?p=1
0 	xul.dll 	nsContentUtils::TriggerLink 	content/base/src/nsContentUtils.cpp:3832
1 	xul.dll 	nsXMLElement::MaybeTriggerAutoLink 	content/xml/content/src/nsXMLElement.cpp:191
2 	xul.dll 	nsXMLContentSink::AddAttributes 	content/xml/document/src/nsXMLContentSink.cpp:1506
3 	xul.dll 	nsXMLContentSink::HandleStartElement 	content/xml/document/src/nsXMLContentSink.cpp:1038
4 	xul.dll 	storeAtts 	parser/expat/lib/xmlparse.c:3112
5 	xul.dll 	doContent 	parser/expat/lib/xmlparse.c:2464
(Reporter)

Updated

9 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 1

9 years ago
Created attachment 336461 [details]
testcase
(Assignee)

Comment 2

9 years ago
Created attachment 336886 [details] [diff] [review]
crashtest.diff
Assignee: nobody → mats.palmgren
(Assignee)

Comment 3

9 years ago
Created attachment 336889 [details] [diff] [review]
Patch rev. 1

Add a null-check.
Attachment #336889 - Flags: superreview?(bzbarsky)
Attachment #336889 - Flags: review?(bzbarsky)
(Assignee)

Updated

9 years ago
Whiteboard: [sg:nse] null-pointer access
Comment on attachment 336889 [details] [diff] [review]
Patch rev. 1

Looks good, but please add a regression test.
Attachment #336889 - Flags: superreview?(bzbarsky)
Attachment #336889 - Flags: superreview+
Attachment #336889 - Flags: review?(bzbarsky)
Attachment #336889 - Flags: review+
(Assignee)

Comment 5

9 years ago
http://hg.mozilla.org/mozilla-central/rev/5319e4d5d651
http://hg.mozilla.org/mozilla-central/rev/d4e1a062ae8d

-> FIXED
Flags: in-testsuite+
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:nse] null-pointer access → [sg:dos] null-pointer access
Target Milestone: --- → mozilla1.9.1b1
(Assignee)

Updated

9 years ago
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

9 years ago
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080905031348 Minefield/3.1b1pre
Status: RESOLVED → VERIFIED
(Assignee)

Updated

9 years ago
Attachment #336889 - Flags: approval1.9.0.4?
Whiteboard: [sg:dos] null-pointer access → [sg:nse dos] null-pointer access
Attachment #336889 - Flags: approval1.9.0.4? → approval1.9.0.4+
Comment on attachment 336889 [details] [diff] [review]
Patch rev. 1

Approved for 1.9.0.4, a=dveditz for release-drivers
(Assignee)

Comment 8

9 years ago
Landed on CVS trunk for 1.9.0.4:
mozilla/content/xml/content/src/nsXMLElement.cpp 	1.153
mozilla/content/xml/content/crashtest/453278-frame.xml 	1.1
mozilla/content/xml/content/crashtest/453278.html 	1.1
mozilla/content/xml/content/crashtest/crashtests.list 	1.2
Keywords: fixed1.9.0.4
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre.
Keywords: fixed1.9.0.4 → verified1.9.0.4

Comment 10

9 years ago
Created attachment 346659 [details] [diff] [review]
fix for 1.8 branch

Comment 11

9 years ago
Comment on attachment 346659 [details] [diff] [review]
fix for 1.8 branch

Boris, can you please check this one?
Attachment #346659 - Flags: review?(bzbarsky)
Attachment #346659 - Flags: review?(bzbarsky) → review+
Keywords: checkin-needed
Whiteboard: [sg:nse dos] null-pointer access → [sg:nse dos] null-pointer access, needs 1.8 branch checkin

Comment 12

9 years ago
Comment on attachment 346659 [details] [diff] [review]
fix for 1.8 branch

a=asac for 1.8.0 branch
Attachment #346659 - Flags: approval1.8.0.15+
Attachment #346659 - Flags: approval1.8.1.19?
Comment on attachment 346659 [details] [diff] [review]
fix for 1.8 branch

Approved for 1.8.1.18, a=dveditz for release-drivers
Attachment #346659 - Flags: approval1.8.1.19? → approval1.8.1.19+
Checked into 1.8 branch
Group: core-security
Keywords: checkin-needed → fixed1.8.1.19
Whiteboard: [sg:nse dos] null-pointer access, needs 1.8 branch checkin → [sg:nse dos] null-pointer access
Verified for 1.8.1.19 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19pre) Gecko/2008112503 BonEcho/2.0.0.19pre.
Keywords: fixed1.8.1.19 → verified1.8.1.19
Crash Signature: [@ nsContentUtils::TriggerLink]