Closed Bug 472507 Opened 16 years ago Closed 16 years ago

full disclosure DOS crash at [@ nsHTMLEditor::GetCSSBackgroundColorState(int*, nsAString_internal&, int) ]

Categories

(Core :: DOM: Editor, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 456727

People

(Reporter: chofmann, Unassigned)

Details

(Keywords: crash, Whiteboard: [sg:dos])

Crash Data

reported as Firefox 3.0.5 remote vulnerability via queryCommandState - http://seclists.org/fulldisclosure/2009/Jan/0219.html

looks like it also crashes trunk

Build identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090105 Shiretoko/3.1b3pre Ubiquity/0.1.4

0 XUL nsHTMLEditor::GetCSSBackgroundColorState editor/libeditor/html/nsHTMLEditor.cpp:2419
1 XUL nsHTMLEditor::GetBackgroundColorState editor/libeditor/html/nsHTMLEditor.cpp:2317
2 XUL nsBackgroundColorStateCommand::GetCurrentState editor/composer/src/nsComposerCommands.cpp:1004
3 XUL nsMultiStateCommand::GetCommandStateParams editor/composer/src/nsComposerCommands.cpp:681
4 XUL nsControllerCommandTable::GetCommandState embedding/components/commandhandler/src/nsControllerCommandTable.cpp:226
5 XUL nsBaseCommandController::GetCommandStateWithParams embedding/components/commandhandler/src/nsBaseCommandController.cpp:201
6 XUL nsCommandManager::GetCommandState embedding/components/commandhandler/src/nsCommandManager.cpp:249
7 XUL nsHTMLDocument::QueryCommandState content/html/document/src/nsHTMLDocument.cpp:3981
8 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
9 XUL XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2424
10 XUL XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1477
11 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1313
12 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:5136
13 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1331
14 libmozjs.dylib js_InternalInvoke js/src/jsinterp.cpp:1388
15 libmozjs.dylib JS_CallFunctionValue js/src/jsapi.cpp:5244
16 XUL nsJSContext::CallEventHandler dom/src/base/nsJSEnvironment.cpp:1989
17 XUL nsJSEventListener::HandleEvent dom/src/events/nsJSEventListener.cpp:247
18 XUL nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1090
19 XUL nsEventListenerManager::HandleEvent content/events/src/nsEventListenerManager.cpp:1195
20 XUL nsEventTargetChainItem::HandleEvent content/events/src/nsEventDispatcher.cpp:236
21 XUL nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventDispatcher.cpp:300
22 XUL nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:514
23 XUL DocumentViewerImpl::LoadComplete layout/base/nsDocumentViewer.cpp:989
24 XUL nsDocShell::EndPageLoad docshell/base/nsDocShell.cpp:5185
25 XUL nsWebShell::EndPageLoad docshell/base/nsWebShell.cpp:1015
26 XUL nsDocShell::OnStateChange docshell/base/nsDocShell.cpp:5081
27 XUL nsDocLoader::FireOnStateChange uriloader/base/nsDocLoader.cpp:1235
28 XUL nsDocLoader::doStopDocumentLoad uriloader/base/nsDocLoader.cpp:858
29 XUL nsDocLoader::DocLoaderIsEmpty uriloader/base/nsDocLoader.cpp:763
30 XUL nsDocLoader::OnStopRequest uriloader/base/nsDocLoader.cpp:679
31 XUL nsLoadGroup::RemoveRequest netwerk/base/src/nsLoadGroup.cpp:688
32 XUL nsDocument::DoUnblockOnload content/base/src/nsDocument.cpp:7016
33 XUL nsDocument::DispatchContentLoadedEvents content/base/src/nsDocument.cpp:3945
34 XUL nsRunnableMethod<nsDocument>::Run nsThreadUtils.h:264
35 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510
36 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:180
37 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:121
38 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:374
39 CoreFoundation CoreFoundation@0x735f4
40 CoreFoundation CoreFoundation@0x73cd7
41 HIToolbox HIToolbox@0x302bf
42 HIToolbox HIToolbox@0x30011
43 HIToolbox HIToolbox@0x2ff4c
44 AppKit AppKit@0x40d7c
45 AppKit AppKit@0x4062f
46 JavaEmbeddingPlugin -[MyNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] Controller.m:205
47 XUL nsAppShell::ProcessNextNativeEvent widget/src/cocoa/nsAppShell.mm:626
48 XUL nsBaseAppShell::DoProcessNextNativeEvent widget/src/xpwidgets/nsBaseAppShell.cpp:151
49 XUL nsBaseAppShell::OnProcessNextEvent widget/src/xpwidgets/nsBaseAppShell.cpp:278
50 XUL nsAppShell::OnProcessNextEvent widget/src/cocoa/nsAppShell.mm:766
51 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:497
52 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:180
53 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:121
54 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:374
55 CoreFoundation CoreFoundation@0x735f4
56 CoreFoundation CoreFoundation@0x73cd7
57 HIToolbox HIToolbox@0x302bf
58 HIToolbox HIToolbox@0x30011
59 HIToolbox HIToolbox@0x2ff4c
60 AppKit AppKit@0x40d7c
61 AppKit AppKit@0x4062f
62 JavaEmbeddingPlugin -[MyNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] Controller.m:205
63 AppKit AppKit@0x3966a
64 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:693
65 XUL nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:192
66 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3269
67 firefox-bin main browser/app/nsBrowserApp.cpp:156
68 firefox-bin firefox-bin@0x1541
69 firefox-bin firefox-bin@0x1468
70 @0x2

Summary: fulldiscloser DOS crash at [@ nsHTMLEditor::GetCSSBackgroundColorState(int*, nsAString_internal&, int) ] → full disclosure DOS crash at [@ nsHTMLEditor::GetCSSBackgroundColorState(int*, nsAString_internal&, int) ]
Flags: blocking1.9.1?
Whiteboard: sg:low?
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Flags: blocking1.9.1? → blocking1.9.1-
Whiteboard: sg:low? → [sg:dos]
Crash Signature: [@ nsHTMLEditor::GetCSSBackgroundColorState(int*, nsAString_internal&, int) ]