document designMode on, replace/delete HTML tag, queryCommand*('backcolor'); causes NULL pointer

RESOLVED FIXED

Status


defect
RESOLVED FIXED
11 years ago
10 years ago

People

(Reporter: u315569, Assigned: mats)

Tracking

({crash, verified1.9.0.9, verified1.9.1})

Trunk
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9.1 -
wanted1.9.1 +
blocking1.9.0.9 +
wanted1.9.0.x +
wanted1.8.1.x -
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos][fixed by bug 448329], )

Attachments

(1 attachment)

Reporter

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

This HTML crashes Firefox with a NULL pointer:
<BODY onload="
document.designMode='on';
document.replaceChild(document.createElement('HTML'), document.firstChild);
document.queryCommandValue('backcolor');
">

Reproducible: Always

Steps to Reproduce:
1. Load the supplied URL in Firefox 3
 or
1. Create an HTML file with these contents:
<BODY onload="
document.designMode='on';
document.replaceChild(document.createElement('HTML'), document.firstChild);
document.queryCommandValue('backcolor');
">
2. Load the file in Firefox 3.

Actual Results:
NULL pointer Access Violation

Expected Results:
Normal page load, potentially with a JavaScript error.
Reporter

Comment 1

11 years ago
Variation:
<BODY onload="
document.designMode='on';//string
document.removeChild(document.firstChild);//object
document.queryCommandState('BackColor');
">

Also a NULL pointer, but in a different part of the code. Likely both 'queryCommandState' and 'queryCommandValue' use the same object, which can be set to null by deleting or replacing the HTML element.
Reporter

Updated

11 years ago
Summary: document designMode on, replace HTML tag, queryCommandValue('backcolor'); causes NULL pointer → document designMode on, replace/delete HTML tag, queryCommand*('backcolor'); causes NULL pointer
Reporter

Comment 2

11 years ago
Another variation: using 'queryCommandIndeterm' gives same result as 'queryCommandValue'.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Duplicate of this bug: 472507
Keywords: crash
Whiteboard: [sg:low dos]
Component: General → Editor
Product: Firefox → Core
QA Contact: general → editor
Version: unspecified → Trunk

Updated

11 years ago
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Flags: wanted1.9.1?
Flags: wanted1.9.1+
Flags: blocking1.9.1?
Duplicate of this bug: 479813
Flags: wanted1.9.0.x?
wanted1.9.0.x is good since this bug was filed into the milw0rm database today.
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.8?
Flags: blocking1.9.1?
Whiteboard: [sg:low dos] → [sg:dos]
Duplicate of this bug: 479958
Hmm, this doesn't seem to crash in current trunk build.
Is this a duplicate of bug 448329?
Mats: Can you confirm that the patch in bug 448329 fixes this?
Assignee: nobody → mats.palmgren
Flags: blocking1.9.1? → blocking1.9.1-
Depends on: 448329
Flags: blocking1.9.0.8? → blocking1.9.0.8+
qawanted: Please determine if the patch in bug 448329 fixes this bug.
Keywords: qawanted
Duplicate of this bug: 480272
Assignee

Comment 13

11 years ago
I backed out bug 448329 locally and debugged this bug, both testcases
in comment 0 and 1 crashed with a null-pointer access at
nsHTMLEditor.cpp:2412 which is now fixed by bug 448329.

I pushed the tests:
http://hg.mozilla.org/mozilla-central/rev/d3ce1f2c44bb
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/4ad867d7a548
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Keywords: qawanted
OS: Windows Vista → All
Hardware: x86 → All
Resolution: --- → FIXED
Before checkin of bug 448329 on 1.9.1, the testcase clearly crashes immediately. It does not crash after the checkin, confirming what Mats says.
Whiteboard: [sg:dos] → [sg:dos][fixed by bug 448329]
Duplicate of this bug: 480712
Assignee

Comment 16

10 years ago
Adding fixed1.9.0.8, fixed1.9.1 since bug 448329 is, to avoid this bug
showing up in queries.
The variation from comment 1 was uploaded to milw0rm by Aditya K Sood (secniche.org) with no credit to SkyLined or mention of this bug:
http://www.milw0rm.com/exploits/8219
Verified for 1.9.0.8 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8pre) Gecko/2009031604 GranParadiso/3.0.8pre. Definitely crashes earlier 1.9.0 versions.

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090316 Shiretoko/3.1b4pre
Hm, this was already on milw0rm as http://www.milw0rm.com/exploits/8091

The title for 8219 says "onbeforeunload" but the testcase itself uses onload
like 8091 (and is otherwise identical except for two added alerts).
Duplicate of this bug: 483655

Comment 21

10 years ago
Showed up in milw0rm too.
Assignee

Updated

10 years ago
Duplicate of this bug: 483775
Duplicate of this bug: 484503
This doesn't crash using Firefox 2.0.0.20.
Flags: wanted1.8.1.x-