456727 - document designMode on, replace/delete HTML tag, queryCommand*('backcolor'); causes NULL pointer

Status: RESOLVED FIXED

(Core :: DOM: Editor, defect)

Description

[u315569]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

This HTML crashes FireFox with a NULL pointer:
<BODY onload="
document.designMode='on';
document.replaceChild(document.createElement('HTML'), document.firstChild);
document.queryCommandValue('backcolor');
">


Reproducible: Always

Steps to Reproduce:
1. Load the supplied URL in FireFox 3
 or
1. Create a HTML file with this contents:
<BODY onload="
document.designMode='on';
document.replaceChild(document.createElement('HTML'), document.firstChild);
document.queryCommandValue('backcolor');
">
2. Load the file in FireFox 3.

Actual Results:  
NULL pointer Access Violation

Expected Results:  
normal page load, potentially with JavaScript error.

Comment 1

[u315569]

Variation:
<BODY onload="
document.designMode='on';//string
document.removeChild(document.firstChild);//object
document.queryCommandState('BackColor');
">

Also NULL pointer, but in different part of the code. Likely both 'queryCommandState' and 'queryCommandValue' use the same object which can be set to null by deleting or replacing the HTML element.

Comment 2

[u315569]

Another variation: using 'queryCommandIndeterm' gives same result as 'queryCommandValue'.

Comment 4

[Chris Pearce [:cpearce (Not reading bugmail)]]

Attachment: Testcase - crashes browser

Comment 6

[Reed Loden [:reed]]

This is http://milw0rm.com/exploits/8091.

Comment 7

[Michael Kohler [:mkohler]]

wanted1.9.0.x is good since this bug was filed into the milw0rm database today.

Comment 9

[Martijn Wargers (dead)]

Hmm, this doesn't seem to crash in current trunk build.
Is this a duplicate of bug 448329?

Comment 10

[Samuel Sidler (old account; do not CC)]

Mats: Can you confirm that the patch in bug 448329 fixes this?

Comment 11

[Samuel Sidler (old account; do not CC)]

qawanted: Please determine if the patch in bug 448329 fixes this bug.

Comment 13

[Mats Palmgren (inactive)]

I backed out bug 448329 locally and debugged this bug, both testcases
in comment 0 and 1 crashed with a null-pointer access at
nsHTMLEditor.cpp:2412 which is now fixed by bug 448329.

I pushed the tests:
http://hg.mozilla.org/mozilla-central/rev/d3ce1f2c44bb
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/4ad867d7a548

Comment 14

[Al Billings [:abillings - ex-MoCo]]

Before checkin of bug 448329 on 1.9.1, the testcase clearly crashes immediately. It does not crash after the checkin, confirming what Mats says.

Comment 16

[Mats Palmgren (inactive)]

Adding fixed1.9.0.8, fixed1.9.1 since bug 448329 is, to avoid this bug
showing up in queries.

Comment 17

[Daniel Veditz [:dveditz]]

The variation from comment 1 was uploaded to milw0rm by Aditya K Sood (secniche.org) with no credit to SkyLined or mention of this bug:
http://www.milw0rm.com/exploits/8219

Comment 18

[Al Billings [:abillings - ex-MoCo]]

Verified for 1.9.0.8 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8pre) Gecko/2009031604 GranParadiso/3.0.8pre. Definitely crashes earlier 1.9.0 versions.

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090316 Shiretoko/3.1b4pre

Comment 19

[Daniel Veditz [:dveditz]]

Hm, this was already on milw0rm as http://www.milw0rm.com/exploits/8091

The title for 8219 says "onbeforeunload" but the testcase itself uses onload
like 8091 (and is otherwise identical except for two added alerts).

Comment 21

[Justin]

Showed up in milw0rm too.

Comment 24

[Samuel Sidler (old account; do not CC)]

This doesn't crash using Firefox 2.0.0.20.