document designMode on, replace/delete HTML tag, queryCommand*('backcolor'); causes NULL pointer

Status: RESOLVED FIXED
Product: Core
Component: Editor
Reported: 9 years ago
Modified: 9 years ago

People

(Reporter: u315569, Assigned: Mats Palmgren (vacation - back in August))

Tracking

Keywords: crash, verified1.9.0.9, verified1.9.1
Version: Trunk
Points:
---
Bug Flags:
blocking1.9.1 -
wanted1.9.1 +
blocking1.9.0.9 +
wanted1.9.0.x +
wanted1.8.1.x -
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos][fixed by bug 448329], URL)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

This HTML crashes Firefox with a NULL pointer:
<BODY onload="
document.designMode='on';
document.replaceChild(document.createElement('HTML'), document.firstChild);
document.queryCommandValue('backcolor');
">


Reproducible: Always

Steps to Reproduce:
1. Load the supplied URL in Firefox 3
 or
1. Create an HTML file with these contents:
<BODY onload="
document.designMode='on';
document.replaceChild(document.createElement('HTML'), document.firstChild);
document.queryCommandValue('backcolor');
">
2. Load the file in Firefox 3.

Actual Results:  
NULL pointer Access Violation

Expected Results:  
normal page load, potentially with a JavaScript error.
(Reporter)

Comment 1

9 years ago
Variation:
<BODY onload="
document.designMode='on';//string
document.removeChild(document.firstChild);//object
document.queryCommandState('BackColor');
">

Also NULL pointer, but in different part of the code. Likely both 'queryCommandState' and 'queryCommandValue' use the same object which can be set to null by deleting or replacing the HTML element.
(Reporter)

Updated

9 years ago
Summary: document designMode on, replace HTML tag, queryCommandValue('backcolor'); causes NULL pointer → document designMode on, replace/delete HTML tag, queryCommand*('backcolor'); causes NULL pointer
(Reporter)

Comment 2

9 years ago
Another variation: using 'queryCommandIndeterm' gives same result as 'queryCommandValue'.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Duplicate of this bug: 472507
Keywords: crash
Whiteboard: [sg:low dos]
Component: General → Editor
Product: Firefox → Core
QA Contact: general → editor
Version: unspecified → Trunk
Created attachment 355902 [details]
Testcase - crashes browser
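
As an added example (not the reporter's testcase and not the regression tests later pushed for this bug), the variants from comments 0, 1 and 2 consolidated into one harness: root element replaced vs. removed, crossed with queryCommandValue, queryCommandState and queryCommandIndeterm, with the outcome of each variant recorded instead of the run stopping at the first exception. The names runVariant, runAllVariants, makeStubDoc and summarize are chosen here; makeStubDoc is a constructed stand-in for a browser document so the harness runs under Node, where there is no DOM, and is not a model of Gecko internals.

```javascript
// Added example; not the bug's testcase and not Mozilla's regression test.
// Variants reported in the bug: root <html> replaced (comment 0) or removed
// (comment 1), crossed with queryCommandValue, queryCommandState and
// queryCommandIndeterm (comment 2). Each variant runs in its own try/catch so
// a JS exception is recorded rather than stopping the run; a process crash
// cannot be caught here, which is exactly what makes it a bug.

const ROOT_OPS = {
  replace: (doc) => doc.replaceChild(doc.createElement('HTML'), doc.firstChild),
  remove: (doc) => doc.removeChild(doc.firstChild),
};

const QUERIES = ['queryCommandValue', 'queryCommandState', 'queryCommandIndeterm'];

// Runs one variant against a fresh document and reports what happened.
function runVariant(doc, opName, query) {
  const variant = `${opName}/${query}`;
  try {
    doc.designMode = 'on';
    ROOT_OPS[opName](doc);
    const value = doc[query]('backcolor');
    return { variant, outcome: 'returned', value };
  } catch (e) {
    return { variant, outcome: 'threw', error: String(e) };
  }
}

// makeDoc must return a fresh document on every call. In a browser, pass a
// function that creates an <iframe>, appends it to document.body and returns
// iframe.contentDocument, so each variant gets its own editor instance.
function runAllVariants(makeDoc) {
  const results = [];
  for (const opName of Object.keys(ROOT_OPS)) {
    for (const query of QUERIES) {
      results.push(runVariant(makeDoc(), opName, query));
    }
  }
  return results;
}

// Constructed stand-in (hypothetical) for a browser document so the harness
// runs under Node. It models only the members the variants touch. With
// throwOnQuery=true every queryCommand* call raises an exception, one of the
// two non-crashing outcomes the reporter lists as the expected result.
function makeStubDoc(throwOnQuery = false) {
  const doc = {
    designMode: 'off',
    firstChild: { tagName: 'HTML' },
    createElement: (tag) => ({ tagName: tag }),
    replaceChild(newNode, oldNode) {
      if (oldNode !== doc.firstChild) throw new Error('NotFoundError');
      doc.firstChild = newNode;
      return oldNode;
    },
    removeChild(oldNode) {
      if (oldNode !== doc.firstChild) throw new Error('NotFoundError');
      doc.firstChild = null;
      return oldNode;
    },
  };
  const query = (fallback) => () => {
    if (throwOnQuery) throw new Error('InvalidStateError');
    return fallback;
  };
  doc.queryCommandValue = query('');
  doc.queryCommandState = query(false);
  doc.queryCommandIndeterm = query(false);
  return doc;
}

// One line per variant, e.g. "remove/queryCommandState: threw".
function summarize(results) {
  return results.map((r) => `${r.variant}: ${r.outcome}`).join('\n');
}

console.log(summarize(runAllVariants(() => makeStubDoc())));
```

In a browser, replace the stub factory with one that builds a fresh iframe per call; a fixed build reports six "returned" or "threw" lines, while an affected build never gets past the first variant that hits the null dereference.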

Updated

9 years ago
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Flags: wanted1.9.1?
Flags: wanted1.9.1+
Flags: blocking1.9.1?
Duplicate of this bug: 479813
Flags: wanted1.9.0.x?
This is http://milw0rm.com/exploits/8091.
wanted1.9.0.x is good since this bug was filed into the milw0rm database today.
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.8?
Flags: blocking1.9.1?
Whiteboard: [sg:low dos] → [sg:dos]

Updated

9 years ago
Duplicate of this bug: 479958
Hmm, this doesn't seem to crash in current trunk build.
Is this a duplicate of bug 448329?
Mats: Can you confirm that the patch in bug 448329 fixes this?
Assignee: nobody → mats.palmgren
Flags: blocking1.9.1? → blocking1.9.1-

Updated

9 years ago
Depends on: 448329
Flags: blocking1.9.0.8? → blocking1.9.0.8+
qawanted: Please determine if the patch in bug 448329 fixes this bug.
Keywords: qawanted

Updated

9 years ago
Duplicate of this bug: 480272
I backed out bug 448329 locally and debugged this bug, both testcases
in comment 0 and 1 crashed with a null-pointer access at
nsHTMLEditor.cpp:2412 which is now fixed by bug 448329.

I pushed the tests:
http://hg.mozilla.org/mozilla-central/rev/d3ce1f2c44bb
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/4ad867d7a548
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Flags: in-testsuite+
Keywords: qawanted
OS: Windows Vista → All
Hardware: x86 → All
Resolution: --- → FIXED
Before checkin of bug 448329 on 1.9.1, the testcase clearly crashes immediately. It does not crash after the checkin, confirming what Mats says.
Whiteboard: [sg:dos] → [sg:dos][fixed by bug 448329]
Duplicate of this bug: 480712
Adding fixed1.9.0.8, fixed1.9.1 since bug 448329 is, to avoid this bug
showing up in queries.
Keywords: fixed1.9.0.8, fixed1.9.1
The variation from comment 1 was uploaded to milw0rm by Aditya K Sood (secniche.org) with no credit to SkyLined or mention of this bug:
http://www.milw0rm.com/exploits/8219
Verified for 1.9.0.8 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8pre) Gecko/2009031604 GranParadiso/3.0.8pre. Definitely crashes earlier 1.9.0 versions.

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090316 Shiretoko/3.1b4pre
Keywords: fixed1.9.0.8, fixed1.9.1 → verified1.9.0.8, verified1.9.1
Hm, this was already on milw0rm as http://www.milw0rm.com/exploits/8091

The title for 8219 says "onbeforeunload" but the testcase itself uses onload
like 8091 (and is otherwise identical except for two added alerts).
Duplicate of this bug: 483655

Comment 21

9 years ago
Showed up in milw0rm too.
Duplicate of this bug: 483775

Updated

9 years ago
Duplicate of this bug: 484503
This doesn't crash using Firefox 2.0.0.20.
Flags: wanted1.8.1.x-