Closed Bug 470419 Opened 16 years ago Closed 16 years ago

Crash [@ nsXBLPrototypeHandler::MouseEventMatched] dispatching mousedown UIEvent and xbl event handler

Categories

(Core :: DOM: Events, defect, P2)

x86, Windows XP

VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

Details

(5 keywords, Whiteboard: [sg:nse] null deref)

Attachments

(2 files, 1 obsolete file)

Attached file testcase
See testcase, which crashes current trunk build within 100ms. It also crashes Firefox 3, so marking security sensitive for now.

It doesn't crash Firefox 2, I can look for a regression range, if wanted.

http://crash-stats.mozilla.com/report/index/b1fd4791-48e6-43e8-a320-5213b2081219?p=1
0  	xul.dll  	nsXBLPrototypeHandler::MouseEventMatched  	 content/xbl/src/nsXBLPrototypeHandler.cpp:628
1 	xul.dll 	nsXBLMouseEventHandler::EventMatched 	content/xbl/src/nsXBLEventHandler.cpp:106
2 	xul.dll 	nsXBLEventHandler::HandleEvent 	content/xbl/src/nsXBLEventHandler.cpp:81
3 	xul.dll 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1090
4 	xul.dll 	nsEventListenerManager::HandleEvent 	content/events/src/nsEventListenerManager.cpp:1195
5 	xul.dll 	nsEventTargetChainItem::HandleEvent 	content/events/src/nsEventDispatcher.cpp:227
6 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:291
7 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:508
8 	xul.dll 	nsEventDispatcher::DispatchDOMEvent 	content/events/src/nsEventDispatcher.cpp:570
9 	xul.dll 	nsEventListenerManager::DispatchEvent 	content/events/src/nsEventListenerManager.cpp:1320
10 	xul.dll 	nsDOMEventRTTearoff::DispatchEvent 	content/base/src/nsGenericElement.cpp:1544
11 	xul.dll 	nsIDOMEventTarget_DispatchEvent 	obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:5125
12 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:5122
13 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1334
14 	js3250.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:1391
15 	js3250.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5247
16 	xul.dll 	nsJSContext::CallEventHandler 	dom/src/base/nsJSEnvironment.cpp:1987
17 	xul.dll 	nsGlobalWindow::RunTimeout 	dom/src/base/nsGlobalWindow.cpp:7665
18 	xul.dll 	nsGlobalWindow::TimerCallback 	dom/src/base/nsGlobalWindow.cpp:7997
19 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:420
20 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:512
21 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
22 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
23 	nspr4.dll 	PR_GetEnv 	
24 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:87
25 	firefox.exe 	firefox.exe@0x2197 	
26 	kernel32.dll 	BaseProcessStart
Flags: blocking1.9.1?
It doesn't seem to crash online. In that case, you can test it by going offline or test the testcase locally.
Assignee: nobody → Olli.Pettay
Attached patch null check (obsolete) — Splinter Review
This is what we need to do for now.
And this keeps the old behavior where XBL listens explicitly for
mouse events (not that I like that).
Attachment #353816 - Flags: superreview?(bzbarsky)
Attachment #353816 - Flags: review?(bzbarsky)
Comment on attachment 353816 [details] [diff] [review]
null check

How about:

return mouse && mProto....

?  With that, r+sr=bzbarsky.
Attachment #353816 - Flags: superreview?(bzbarsky)
Attachment #353816 - Flags: superreview+
Attachment #353816 - Flags: review?(bzbarsky)
Attachment #353816 - Flags: review+
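
The crash and the reviewed fix, modelled in a self-contained C++ example added here (not Mozilla's code and not the attached patch). The classes are simplified, hypothetical stand-ins and `dynamic_cast` stands in for the interface query; only the `return mouse && ...` shape comes from the review comment above.

```cpp
// Added illustration: simplified stand-ins, not Mozilla source.
#include <cstdio>
#include <string>
#include <utility>

struct Event {                        // any DOM event: just a type string
    explicit Event(std::string t) : type(std::move(t)) {}
    virtual ~Event() = default;
    std::string type;
};
struct UIEvent : Event { using Event::Event; };
struct MouseEvent : UIEvent {         // only this interface carries a button
    MouseEvent(std::string t, int b) : UIEvent(std::move(t)), button(b) {}
    int button;
};

// Stand-in for the prototype handler: matches on mouse-specific detail.
struct ProtoHandler {
    int wantedButton;
    bool MouseEventMatched(const MouseEvent* mouse) const {
        return mouse->button == wantedButton;    // dereferences its argument
    }
};

// Modelled as a listener keyed on the event *type* string, so it receives
// every "mousedown", whatever interface the dispatched object implements.
struct MouseEventHandler {
    ProtoHandler proto;

    // Before: assumes type "mousedown" implies a MouseEvent object.
    bool EventMatchedUnchecked(const Event* ev) const {
        const MouseEvent* mouse = dynamic_cast<const MouseEvent*>(ev);
        return proto.MouseEventMatched(mouse);   // null deref for a plain UIEvent
    }
    // After: the "return mouse && ..." form suggested in review.
    bool EventMatched(const Event* ev) const {
        const MouseEvent* mouse = dynamic_cast<const MouseEvent*>(ev);
        return mouse && proto.MouseEventMatched(mouse);
    }
};

int main() {
    MouseEventHandler h{ProtoHandler{0}};
    MouseEvent real("mousedown", 0);
    UIEvent plain("mousedown");       // constructed: mouse type, no mouse interface
    std::printf("real=%d plain=%d\n", h.EventMatched(&real), h.EventMatched(&plain));
    return 0;
}
```

The guarded form treats a type/interface mismatch as "no match", so the event is ignored by this handler instead of reaching the dereference.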
Attached patch mouse && proto — Splinter Review
Attachment #353816 - Attachment is obsolete: true
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Attachment #353889 - Flags: approval1.9.1?
Attachment #353889 - Flags: approval1.9.0.6?
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20081220 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Looks like a null deref, is this still thought to be a potential vulnerability?
Whiteboard: [sg:nse] null deref
Attachment #353889 - Flags: approval1.9.0.6? → approval1.9.0.6+
Comment on attachment 353889 [details] [diff] [review]
mouse && proto

Approved for 1.9.0.6, a=dveditz for release-drivers.
This is just a null deref.
Group: core-security
Keywords: fixed1.9.0.6
Comment on attachment 353889 [details] [diff] [review]
mouse && proto

a191=beltzner
Attachment #353889 - Flags: approval1.9.1? → approval1.9.1+
Keywords: fixed1.9.1
1.9 regression ... if this patch would still make sense in one way or the other on 1.8 branches, please push wanted flags back to ? or +. Thanks!
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Verified for 1.9.0.6 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6pre) Gecko/2009010506 GranParadiso/3.0.6pre.
Verified fixed on the 1.9.1 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b3pre) Gecko/20090120 Shiretoko/3.1b3pre.
1.9.1 checkin was http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f612d82889d0
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Flags: in-testsuite?
Crash Signature: [@ nsXBLPrototypeHandler::MouseEventMatched]