full disclosure DOS crash at [@ nsHTMLEditor::GetCSSBackgroundColorState(int*, nsAString_internal&, int) ]

RESOLVED DUPLICATE of bug 456727

Status

defect
11 years ago
8 years ago

People

(Reporter: chofmann, Unassigned)

Tracking

({crash})

Trunk
x86
macOS
Points:
---
Bug Flags:
blocking1.9.1 -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos], crash signature)

Reporter

Description

11 years ago
reported as

Firefox 3.0.5 remote vulnerability via queryCommandState - http://seclists.org/fulldisclosure/2009/Jan/0219.html

looks like it also crashes trunk

Build identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090105 Shiretoko/3.1b3pre Ubiquity/0.1.4

0 	XUL 	nsHTMLEditor::GetCSSBackgroundColorState 	editor/libeditor/html/nsHTMLEditor.cpp:2419
1 	XUL 	nsHTMLEditor::GetBackgroundColorState 	editor/libeditor/html/nsHTMLEditor.cpp:2317
2 	XUL 	nsBackgroundColorStateCommand::GetCurrentState 	editor/composer/src/nsComposerCommands.cpp:1004
3 	XUL 	nsMultiStateCommand::GetCommandStateParams 	editor/composer/src/nsComposerCommands.cpp:681
4 	XUL 	nsControllerCommandTable::GetCommandState 	embedding/components/commandhandler/src/nsControllerCommandTable.cpp:226
5 	XUL 	nsBaseCommandController::GetCommandStateWithParams 	embedding/components/commandhandler/src/nsBaseCommandController.cpp:201
6 	XUL 	nsCommandManager::GetCommandState 	embedding/components/commandhandler/src/nsCommandManager.cpp:249
7 	XUL 	nsHTMLDocument::QueryCommandState 	content/html/document/src/nsHTMLDocument.cpp:3981
8 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
9 	XUL 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:2424
10 	XUL 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1477
11 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1313
12 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5136
13 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1331
14 	libmozjs.dylib 	js_InternalInvoke 	js/src/jsinterp.cpp:1388
15 	libmozjs.dylib 	JS_CallFunctionValue 	js/src/jsapi.cpp:5244
16 	XUL 	nsJSContext::CallEventHandler 	dom/src/base/nsJSEnvironment.cpp:1989
17 	XUL 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:247
18 	XUL 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1090
19 	XUL 	nsEventListenerManager::HandleEvent 	content/events/src/nsEventListenerManager.cpp:1195
20 	XUL 	nsEventTargetChainItem::HandleEvent 	content/events/src/nsEventDispatcher.cpp:236
21 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:300
22 	XUL 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:514
23 	XUL 	DocumentViewerImpl::LoadComplete 	layout/base/nsDocumentViewer.cpp:989
24 	XUL 	nsDocShell::EndPageLoad 	docshell/base/nsDocShell.cpp:5185
25 	XUL 	nsWebShell::EndPageLoad 	docshell/base/nsWebShell.cpp:1015
26 	XUL 	nsDocShell::OnStateChange 	docshell/base/nsDocShell.cpp:5081
27 	XUL 	nsDocLoader::FireOnStateChange 	uriloader/base/nsDocLoader.cpp:1235
28 	XUL 	nsDocLoader::doStopDocumentLoad 	uriloader/base/nsDocLoader.cpp:858
29 	XUL 	nsDocLoader::DocLoaderIsEmpty 	uriloader/base/nsDocLoader.cpp:763
30 	XUL 	nsDocLoader::OnStopRequest 	uriloader/base/nsDocLoader.cpp:679
31 	XUL 	nsLoadGroup::RemoveRequest 	netwerk/base/src/nsLoadGroup.cpp:688
32 	XUL 	nsDocument::DoUnblockOnload 	content/base/src/nsDocument.cpp:7016
33 	XUL 	nsDocument::DispatchContentLoadedEvents 	content/base/src/nsDocument.cpp:3945
34 	XUL 	nsRunnableMethod<nsDocument>::Run 	nsThreadUtils.h:264
35 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
36 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:180
37 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
38 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:374
39 	CoreFoundation 	CoreFoundation@0x735f4 	
40 	CoreFoundation 	CoreFoundation@0x73cd7 	
41 	HIToolbox 	HIToolbox@0x302bf 	
42 	HIToolbox 	HIToolbox@0x30011 	
43 	HIToolbox 	HIToolbox@0x2ff4c 	
44 	AppKit 	AppKit@0x40d7c 	
45 	AppKit 	AppKit@0x4062f 	
46 	JavaEmbeddingPlugin 	-[MyNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	Controller.m:205
47 	XUL 	nsAppShell::ProcessNextNativeEvent 	widget/src/cocoa/nsAppShell.mm:626
48 	XUL 	nsBaseAppShell::DoProcessNextNativeEvent 	widget/src/xpwidgets/nsBaseAppShell.cpp:151
49 	XUL 	nsBaseAppShell::OnProcessNextEvent 	widget/src/xpwidgets/nsBaseAppShell.cpp:278
50 	XUL 	nsAppShell::OnProcessNextEvent 	widget/src/cocoa/nsAppShell.mm:766
51 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:497
52 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:180
53 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
54 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:374
55 	CoreFoundation 	CoreFoundation@0x735f4 	
56 	CoreFoundation 	CoreFoundation@0x73cd7 	
57 	HIToolbox 	HIToolbox@0x302bf 	
58 	HIToolbox 	HIToolbox@0x30011 	
59 	HIToolbox 	HIToolbox@0x2ff4c 	
60 	AppKit 	AppKit@0x40d7c 	
61 	AppKit 	AppKit@0x4062f 	
62 	JavaEmbeddingPlugin 	-[MyNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	Controller.m:205
63 	AppKit 	AppKit@0x3966a 	
64 	XUL 	nsAppShell::Run 	widget/src/cocoa/nsAppShell.mm:693
65 	XUL 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:192
66 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3269
67 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
68 	firefox-bin 	firefox-bin@0x1541 	
69 	firefox-bin 	firefox-bin@0x1468 	
70 		@0x2
Reporter

Updated

11 years ago
Summary: fulldiscloser DOS crash at [@ nsHTMLEditor::GetCSSBackgroundColorState(int*, nsAString_internal&, int) ] → full disclosure DOS crash at [@ nsHTMLEditor::GetCSSBackgroundColorState(int*, nsAString_internal&, int) ]
Reporter

Updated

11 years ago
Flags: blocking1.9.1?
Whiteboard: sg:low?
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 456727
Flags: blocking1.9.1? → blocking1.9.1-
Whiteboard: sg:low? → [sg:dos]
Crash Signature: [@ nsHTMLEditor::GetCSSBackgroundColorState(int*, nsAString_internal&, int) ]