Bug 456727 - document designMode on, replace/delete HTML tag, queryCommand*('backcolor'); causes NULL pointer
Status: RESOLVED FIXED
Whiteboard: [sg:dos][fixed by bug 448329]
Keywords: crash, verified1.9.0.9, verified1.9.1
Product: Core
Classification: Components
Component: Editor
Version: Trunk
Platform: All All
Priority: -- Severity: normal with 1 vote
Target Milestone: ---
Assigned To: Mats Palmgren (:mats)
: Makoto Kato [:m_kato]
URL: http://skypher.com/SkyLined/Repro/Fir...
Duplicates: 472507 479813 479958 480272 480712 483655 483775 484503
Depends on: 448329
Reported: 2008-09-24 04:23 PDT by u315569
Modified: 2009-04-01 16:11 PDT
Flags:
roc: blocking1.9.1-
roc: wanted1.9.1+
dveditz: blocking1.9.0.9+
samuel.sidler+old: wanted1.9.0.x+
samuel.sidler+old: wanted1.8.1.x-
mats: in-testsuite+

Attachments
Testcase - crashes browser (183 bytes, text/html)
2009-01-07 17:18 PST, Chris Pearce (:cpearce)

Description u315569 2008-09-24 04:23:15 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

This HTML crashes Firefox with a NULL pointer:
<BODY onload="
document.designMode='on';
document.replaceChild(document.createElement('HTML'), document.firstChild);
document.queryCommandValue('backcolor');
">


Reproducible: Always

Steps to Reproduce:
1. Load the supplied URL in Firefox 3
 or
1. Create an HTML file with these contents:
<BODY onload="
document.designMode='on';
document.replaceChild(document.createElement('HTML'), document.firstChild);
document.queryCommandValue('backcolor');
">
2. Load the file in Firefox 3.

Actual Results:
NULL pointer Access Violation

Expected Results:
Normal page load, potentially with a JavaScript error.
Comment 1 u315569 2008-10-06 09:14:54 PDT
Variation:
<BODY onload="
document.designMode='on';//string
document.removeChild(document.firstChild);//object
document.queryCommandState('BackColor');
">

Also a NULL pointer, but in a different part of the code. Likely both 'queryCommandState' and 'queryCommandValue' use the same object, which can be set to null by deleting or replacing the HTML element.
Comment 2 u315569 2008-10-06 09:21:41 PDT
Another variation: using 'queryCommandIndeterm' gives same result as 'queryCommandValue'.
Comment 3 Brandon Sterne (:bsterne) 2009-01-07 10:12:36 PST
*** Bug 472507 has been marked as a duplicate of this bug. ***
Comment 4 Chris Pearce (:cpearce) 2009-01-07 17:18:25 PST
Created attachment 355902 [details]
Testcase - crashes browser
Comment 5 Reed Loden [:reed] (use needinfo?) 2009-02-23 11:05:56 PST
*** Bug 479813 has been marked as a duplicate of this bug. ***
Comment 6 Reed Loden [:reed] (use needinfo?) 2009-02-23 11:12:18 PST
This is http://milw0rm.com/exploits/8091.
Comment 7 Michael Kohler [:mkohler] 2009-02-23 11:12:35 PST
wanted1.9.0.x is good since this bug was filed into the milw0rm database today.
Comment 8 Martijn Wargers [:mwargers] (not working for Mozilla) 2009-02-24 06:02:49 PST
*** Bug 479958 has been marked as a duplicate of this bug. ***
Comment 9 Martijn Wargers [:mwargers] (not working for Mozilla) 2009-02-24 07:49:31 PST
Hmm, this doesn't seem to crash in the current trunk build.
Is this a duplicate of bug 448329?
Comment 10 Samuel Sidler (old account; do not CC) 2009-02-24 08:07:09 PST
Mats: Can you confirm that the patch in bug 448329 fixes this?
Comment 11 Samuel Sidler (old account; do not CC) 2009-02-25 15:31:55 PST
qawanted: Please determine if the patch in bug 448329 fixes this bug.
Comment 12 Arie Paap [:wildmyron] 2009-02-26 01:37:09 PST
*** Bug 480272 has been marked as a duplicate of this bug. ***
Comment 13 Mats Palmgren (:mats) 2009-02-26 04:12:36 PST
I backed out bug 448329 locally and debugged this bug; both testcases
in comments 0 and 1 crashed with a null-pointer access at
nsHTMLEditor.cpp:2412, which is now fixed by bug 448329.

I pushed the tests:
http://hg.mozilla.org/mozilla-central/rev/d3ce1f2c44bb
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/4ad867d7a548
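The failure mode described in comment 0, comment 1 and comment 13, as an added model that is not Gecko or nsHTMLEditor code (all type and function names below are hypothetical): an editor command needs the document body, but script has already removed the html element or replaced it with an empty one, so the body lookup yields null in two distinct ways; the hardened command reports itself unavailable instead of dereferencing that null.

```cpp
// Added model of this bug's failure mode (hypothetical names, not nsHTMLEditor
// code): queryCommandValue('backcolor') needs <body>, but script has removed
// or replaced the <html> element first, so the body lookup yields null.
#include <memory>
#include <optional>
#include <string>
#include <vector>

struct Element {
    std::string tag;
    std::string backColor;                          // meaningful for BODY only
    std::vector<std::unique_ptr<Element>> children;
};

struct Document {
    bool designMode = false;                        // document.designMode
    std::unique_ptr<Element> root;                  // the <html> element, or null
};

// Constructed sample document: <html><body> with a white background.
Document makeDocument() {
    Document doc;
    doc.root = std::make_unique<Element>(Element{"HTML", "", {}});
    doc.root->children.push_back(std::make_unique<Element>(Element{"BODY", "white", {}}));
    return doc;
}

// Models document.replaceChild(document.createElement('HTML'), document.firstChild):
// a root still exists, but it has no BODY child (comment 0 variant).
void replaceRootWithEmptyHtml(Document& doc) {
    doc.root = std::make_unique<Element>(Element{"HTML", "", {}});
}

// Models document.removeChild(document.firstChild): no root at all (comment 1 variant).
void removeRoot(Document& doc) { doc.root.reset(); }

// Body lookup that can fail two ways; dereferencing it unchecked is the shape of the crash.
Element* findBody(const Document& doc) {
    if (!doc.root) return nullptr;
    for (const auto& child : doc.root->children)
        if (child->tag == "BODY") return child.get();
    return nullptr;
}

// Hardened queryCommandValue('backcolor'): nullopt = "unavailable", surfaced to
// the page as a JavaScript error rather than a process crash.
std::optional<std::string> queryBackColor(const Document& doc) {
    if (!doc.designMode) return std::nullopt;
    const Element* body = findBody(doc);
    if (!body) return std::nullopt;
    return body->backColor;
}
```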
Comment 14 Al Billings [:abillings] 2009-02-26 13:41:48 PST
Before checkin of bug 448329 on 1.9.1, the testcase clearly crashes immediately. It does not crash after the checkin, confirming what Mats says.
Comment 15 Reed Loden [:reed] (use needinfo?) 2009-02-28 07:18:22 PST
*** Bug 480712 has been marked as a duplicate of this bug. ***
Comment 16 Mats Palmgren (:mats) 2009-03-06 05:28:59 PST
Adding fixed1.9.0.8, fixed1.9.1 since bug 448329 is, to avoid this bug
showing up in queries.
Comment 17 Daniel Veditz [:dveditz] 2009-03-16 12:25:45 PDT
The variation from comment 1 was uploaded to milw0rm by Aditya K Sood (secniche.org) with no credit to SkyLined or mention of this bug:
http://www.milw0rm.com/exploits/8219
Comment 18 Al Billings [:abillings] 2009-03-16 12:40:03 PDT
Verified for 1.9.0.8 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8pre) Gecko/2009031604 GranParadiso/3.0.8pre. Definitely crashes earlier 1.9.0 versions.

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090316 Shiretoko/3.1b4pre
Comment 19 Daniel Veditz [:dveditz] 2009-03-16 13:02:15 PDT
Hm, this was already on milw0rm as http://www.milw0rm.com/exploits/8091

The title for 8219 says "onbeforeunload" but the testcase itself uses onload
like 8091 (and is otherwise identical except for two added alerts).
Comment 20 Daniel Veditz [:dveditz] 2009-03-16 13:43:36 PDT
*** Bug 483655 has been marked as a duplicate of this bug. ***
Comment 21 Justin 2009-03-16 13:51:51 PDT
Showed up in milw0rm too.
Comment 22 Mats Palmgren (:mats) 2009-03-17 19:58:32 PDT
*** Bug 483775 has been marked as a duplicate of this bug. ***
Comment 23 Martijn Wargers [:mwargers] (not working for Mozilla) 2009-03-20 22:59:49 PDT
*** Bug 484503 has been marked as a duplicate of this bug. ***
Comment 24 Samuel Sidler (old account; do not CC) 2009-04-01 16:11:24 PDT
This doesn't crash using Firefox 2.0.0.20.