Closed
Bug 470419
Opened 16 years ago
Closed 16 years ago
Crash [@ nsXBLPrototypeHandler::MouseEventMatched] dispatching mousedown UIEvent and xbl event handler
Categories
(Core :: DOM: Events, defect, P2)
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: smaug)
Details
(5 keywords, Whiteboard: [sg:nse] null deref)
Crash Data
Attachments
(2 files, 1 obsolete file)
687 bytes, application/vnd.mozilla.xul+xml
790 bytes, patch (beltzner: approval1.9.1+, dveditz: approval1.9.0.6+)
See testcase, which crashes current trunk build within 100ms. It also crashes Firefox 3, so marking security sensitive for now. It doesn't crash Firefox 2, I can look for a regression range, if wanted.
http://crash-stats.mozilla.com/report/index/b1fd4791-48e6-43e8-a320-5213b2081219?p=1
0 xul.dll nsXBLPrototypeHandler::MouseEventMatched content/xbl/src/nsXBLPrototypeHandler.cpp:628
1 xul.dll nsXBLMouseEventHandler::EventMatched content/xbl/src/nsXBLEventHandler.cpp:106
2 xul.dll nsXBLEventHandler::HandleEvent content/xbl/src/nsXBLEventHandler.cpp:81
3 xul.dll nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1090
4 xul.dll nsEventListenerManager::HandleEvent content/events/src/nsEventListenerManager.cpp:1195
5 xul.dll nsEventTargetChainItem::HandleEvent content/events/src/nsEventDispatcher.cpp:227
6 xul.dll nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventDispatcher.cpp:291
7 xul.dll nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:508
8 xul.dll nsEventDispatcher::DispatchDOMEvent content/events/src/nsEventDispatcher.cpp:570
9 xul.dll nsEventListenerManager::DispatchEvent content/events/src/nsEventListenerManager.cpp:1320
10 xul.dll nsDOMEventRTTearoff::DispatchEvent content/base/src/nsGenericElement.cpp:1544
11 xul.dll nsIDOMEventTarget_DispatchEvent obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:5125
12 js3250.dll js_Interpret js/src/jsinterp.cpp:5122
13 js3250.dll js_Invoke js/src/jsinterp.cpp:1334
14 js3250.dll js_InternalInvoke js/src/jsinterp.cpp:1391
15 js3250.dll JS_CallFunctionValue js/src/jsapi.cpp:5247
16 xul.dll nsJSContext::CallEventHandler dom/src/base/nsJSEnvironment.cpp:1987
17 xul.dll nsGlobalWindow::RunTimeout dom/src/base/nsGlobalWindow.cpp:7665
18 xul.dll nsGlobalWindow::TimerCallback dom/src/base/nsGlobalWindow.cpp:7997
19 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:420
20 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:512
21 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510
22 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:170
23 nspr4.dll PR_GetEnv
24 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:87
25 firefox.exe firefox.exe@0x2197
26 kernel32.dll BaseProcessStart
Flags: blocking1.9.1?
Reporter
Comment 1•16 years ago
It doesn't seem to crash online. In that case, you can test it by going offline or test the testcase locally.
Assignee
Updated•16 years ago
Assignee: nobody → Olli.Pettay
Assignee
Comment 2•16 years ago
This is what we need to do for now. And this keeps the old behavior where XBL listens explicitly for mouse events (not that I like that).
Attachment #353816 - Flags: superreview?(bzbarsky)
Attachment #353816 - Flags: review?(bzbarsky)
Comment 3•16 years ago
Comment on attachment 353816: null check
How about: return mouse && mProto.... ? With that, r+sr=bzbarsky.
Attachment #353816 - Flags: superreview?(bzbarsky)
Attachment #353816 - Flags: superreview+
Attachment #353816 - Flags: review?(bzbarsky)
Attachment #353816 - Flags: review+
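The null check discussed in comments 2 and 3, modeled as an added example; it is not the attached patch or Mozilla code. The class names, the `DetailMatches` helper and the button filter are hypothetical, and the model assumes the null pointer arose because a listener selected by event name received an event object that was not a mouse event.

```cpp
#include <string>
#include <utility>

// Simplified stand-ins for the DOM event classes (hypothetical, not Gecko's types).
struct Event {
    std::string type;  // event name, freely chosen by whoever creates the event
    explicit Event(std::string t) : type(std::move(t)) {}
    virtual ~Event() = default;
};
struct UIEvent : Event {
    explicit UIEvent(std::string t) : Event(std::move(t)) {}
};
struct MouseEvent : UIEvent {
    int button;
    MouseEvent(std::string t, int b) : UIEvent(std::move(t)), button(b) {}
};

// A handler bound to an event name plus a mouse-button filter.
struct PrototypeHandler {
    std::string eventName;
    int wantedButton;  // -1 means "any button"

    bool DetailMatches(const MouseEvent& m) const {
        return wantedButton == -1 || m.button == wantedButton;
    }

    // The name alone does not prove the object is a mouse event:
    // a UIEvent named "mousedown" reaches this function as well.
    bool MouseEventMatched(const Event* ev) const {
        const MouseEvent* mouse = dynamic_cast<const MouseEvent*>(ev);
        // Without the "mouse &&" guard, DetailMatches(*mouse) would
        // dereference a null pointer for the UIEvent case.
        return mouse && DetailMatches(*mouse);
    }
};

// Dispatch selects the handler by event name, then asks it to match details.
bool Dispatch(const PrototypeHandler& h, const Event& ev) {
    return ev.type == h.eventName && h.MouseEventMatched(&ev);
}
```

With the guard in place, a non-mouse event that merely carries a mouse event name is treated as a non-match instead of crashing the handler.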
Assignee
Comment 4•16 years ago
Attachment #353816 - Attachment is obsolete: true
Assignee
Updated•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Assignee
Updated•16 years ago
Attachment #353889 - Flags: approval1.9.1?
Attachment #353889 - Flags: approval1.9.0.6?
Reporter
Comment 5•16 years ago
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20081220 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Comment 6•16 years ago
Looks like a null deref, is this still thought to be a potential vulnerability?
Whiteboard: [sg:nse] null deref
Updated•16 years ago
Attachment #353889 - Flags: approval1.9.0.6? → approval1.9.0.6+
Comment 7•16 years ago
Comment on attachment 353889: mouse && proto
Approved for 1.9.0.6, a=dveditz for release-drivers.
Assignee
Comment 8•16 years ago
This is just a null deref.
Updated•16 years ago
Group: core-security
Assignee
Updated•16 years ago
Keywords: fixed1.9.0.6
Comment 9•16 years ago
Comment on attachment 353889: mouse && proto
a191=beltzner
Attachment #353889 - Flags: approval1.9.1? → approval1.9.1+
Assignee
Updated•16 years ago
Keywords: fixed1.9.1
Comment 10•15 years ago
1.9 regression ... if this patch would still make sense in one way or the other on 1.8 branches, please push wanted flags back to ? or +. Thanks!
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Comment 11•15 years ago
Verified for 1.9.0.6 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6pre) Gecko/2009010506 GranParadiso/3.0.6pre.
Keywords: fixed1.9.0.6 → verified1.9.0.6
Comment 12•15 years ago
Verified fixed on the 1.9.1 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b3pre) Gecko/20090120 Shiretoko/3.1b3pre.
Keywords: fixed1.9.1 → verified1.9.1
Comment 13•15 years ago
1.9.1 checkin was http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f612d82889d0
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Updated•15 years ago
Flags: in-testsuite?
Updated•13 years ago
Crash Signature: [@ nsXBLPrototypeHandler::MouseEventMatched]