Bug 456727 - document designMode on, replace/delete HTML tag, queryCommand*('backcolor'); causes NULL pointer
Status: RESOLVED FIXED
Whiteboard: [sg:dos][fixed by bug 448329]
Keywords: crash, verified1.9.0.9, verified1.9.1
Product: Core
Classification: Components
Component: Editor
Version: Trunk
Platform: All All
Importance: -- normal with 1 vote
Target Milestone: ---
Assigned To: Mats Palmgren (:mats)
QA Contact:
Triage Owner: Makoto Kato [:m_kato]
Mentors:
URL: http://skypher.com/SkyLined/Repro/Fir...
Duplicates: 472507 479813 479958 480272 480712 483655 483775 484503
Depends on: 448329
Blocks:
Reported: 2008-09-24 04:23 PDT by u315569
Modified: 2009-04-01 16:11 PDT
CC: 21 users
Flags:
roc: blocking1.9.1-
roc: wanted1.9.1+
dveditz: blocking1.9.0.9+
samuel.sidler+old: wanted1.9.0.x+
samuel.sidler+old: wanted1.8.1.x-
mats: in-testsuite+


Attachments
Testcase - crashes browser (183 bytes, text/html), 2009-01-07 17:18 PST, Chris Pearce (:cpearce)

Description u315569 2008-09-24 04:23:15 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

This HTML crashes Firefox with a NULL pointer:
<BODY onload="
document.designMode='on';
document.replaceChild(document.createElement('HTML'), document.firstChild);
document.queryCommandValue('backcolor');
">


Reproducible: Always

Steps to Reproduce:
1. Load the supplied URL in Firefox 3
 or
1. Create an HTML file with these contents:
<BODY onload="
document.designMode='on';
document.replaceChild(document.createElement('HTML'), document.firstChild);
document.queryCommandValue('backcolor');
">
2. Load the file in Firefox 3.

Actual Results:
NULL pointer Access Violation

Expected Results:
Normal page load, potentially with a JavaScript error.
Comment 1 u315569 2008-10-06 09:14:54 PDT
Variation:
<BODY onload="
document.designMode='on';//string
document.removeChild(document.firstChild);//object
document.queryCommandState('BackColor');
">

Also a NULL pointer, but in a different part of the code. Likely both 'queryCommandState' and 'queryCommandValue' use the same object, which can be set to null by deleting or replacing the HTML element.
Comment 2 u315569 2008-10-06 09:21:41 PDT
Another variation: using 'queryCommandIndeterm' gives the same result as 'queryCommandValue'.
Comment 3 Brandon Sterne (:bsterne) 2009-01-07 10:12:36 PST
*** Bug 472507 has been marked as a duplicate of this bug. ***
Comment 4 Chris Pearce (:cpearce) 2009-01-07 17:18:25 PST
Created attachment 355902 [details]
Testcase - crashes browser
Comment 5 Reed Loden [:reed] (use needinfo?) 2009-02-23 11:05:56 PST
*** Bug 479813 has been marked as a duplicate of this bug. ***
Comment 6 Reed Loden [:reed] (use needinfo?) 2009-02-23 11:12:18 PST
This is http://milw0rm.com/exploits/8091.
Comment 7 Michael Kohler [:mkohler] 2009-02-23 11:12:35 PST
wanted1.9.0.x is good since this bug was filed into the milw0rm database today.
Comment 8 Martijn Wargers [:mwargers] 2009-02-24 06:02:49 PST
*** Bug 479958 has been marked as a duplicate of this bug. ***
Comment 9 Martijn Wargers [:mwargers] 2009-02-24 07:49:31 PST
Hmm, this doesn't seem to crash in current trunk build.
Is this a duplicate of bug 448329?
Comment 10 Samuel Sidler (old account; do not CC) 2009-02-24 08:07:09 PST
Mats: Can you confirm that the patch in bug 448329 fixes this?
Comment 11 Samuel Sidler (old account; do not CC) 2009-02-25 15:31:55 PST
qawanted: Please determine if the patch in bug 448329 fixes this bug.
Comment 12 Arie Paap [:wildmyron] 2009-02-26 01:37:09 PST
*** Bug 480272 has been marked as a duplicate of this bug. ***
Comment 13 Mats Palmgren (:mats) 2009-02-26 04:12:36 PST
I backed out bug 448329 locally and debugged this bug, both testcases
in comment 0 and 1 crashed with a null-pointer access at
nsHTMLEditor.cpp:2412 which is now fixed by bug 448329.

I pushed the tests:
http://hg.mozilla.org/mozilla-central/rev/d3ce1f2c44bb
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/4ad867d7a548
Comment 14 Al Billings [:abillings] 2009-02-26 13:41:48 PST
Before checkin of bug 448329 on 1.9.1, the testcase clearly crashes immediately. It does not crash after the checkin, confirming what Mats says.
Comment 15 Reed Loden [:reed] (use needinfo?) 2009-02-28 07:18:22 PST
*** Bug 480712 has been marked as a duplicate of this bug. ***
Comment 16 Mats Palmgren (:mats) 2009-03-06 05:28:59 PST
Adding fixed1.9.0.8, fixed1.9.1 since bug 448329 is, to avoid this bug
showing up in queries.
Comment 17 Daniel Veditz [:dveditz] 2009-03-16 12:25:45 PDT
The variation from comment 1 was uploaded to milw0rm by Aditya K Sood (secniche.org) with no credit to SkyLined or mention of this bug:
http://www.milw0rm.com/exploits/8219
Comment 18 Al Billings [:abillings] 2009-03-16 12:40:03 PDT
Verified for 1.9.0.8 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8pre) Gecko/2009031604 GranParadiso/3.0.8pre. Definitely crashes earlier 1.9.0 versions.

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090316 Shiretoko/3.1b4pre.
Comment 19 Daniel Veditz [:dveditz] 2009-03-16 13:02:15 PDT
Hm, this was already on milw0rm as http://www.milw0rm.com/exploits/8091

The title for 8219 says "onbeforeunload" but the testcase itself uses onload
like 8091 (and is otherwise identical except for two added alerts).
Comment 20 Daniel Veditz [:dveditz] 2009-03-16 13:43:36 PDT
*** Bug 483655 has been marked as a duplicate of this bug. ***
Comment 21 Justin 2009-03-16 13:51:51 PDT
Showed up in milw0rm too.
Comment 22 Mats Palmgren (:mats) 2009-03-17 19:58:32 PDT
*** Bug 483775 has been marked as a duplicate of this bug. ***
Comment 23 Martijn Wargers [:mwargers] 2009-03-20 22:59:49 PDT
*** Bug 484503 has been marked as a duplicate of this bug. ***
Comment 24 Samuel Sidler (old account; do not CC) 2009-04-01 16:11:24 PDT
This doesn't crash using Firefox 2.0.0.20.