Closed
Bug 472774
Opened 16 years ago
Closed 15 years ago
[1.9.1 branch] "ASSERTION: null frame is not allowed" and crash [@ IsPercentageAware] with -moz-column, :first-letter
Categories
(Core :: Layout, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.9.1
Tracking | Status | |
---|---|---|
status1.9.2 | --- | unaffected |
blocking1.9.1 | --- | .8+ |
status1.9.1 | --- | .8-fixed |
People
(Reporter: jruderman, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [sg:dos null-deref][fixed by 399412])
Crash Data
Attachments
(1 file)
386 bytes,
text/html
|
Details |
###!!! ASSERTION: null frame is not allowed: 'aFrame', file /Users/jruderman/central/layout/generic/nsLineLayout.cpp, line 670 Crash [@ IsPercentageAware]
kid is 0 at http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/generic/nsFirstLetterFrame.cpp&rev=1.82&mark=203#190 at other places we check if kid is zero, here we do not. However the code is pretty old (1.1)
Reporter | ||
Comment 2•15 years ago
|
||
WFM Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090517 Minefield/3.6a1pre I'll add this testcase as a crashtest.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Reporter | ||
Comment 3•15 years ago
|
||
Added crashtest: http://hg.mozilla.org/mozilla-central/rev/63120a5301f2
Flags: in-testsuite+
Comment 4•15 years ago
|
||
attachment id=356112 crashes with null pointer [@ IsPercentageAware] 1.9.1/mac, reopening and targeting to 1.9.1
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Version: Trunk → 1.9.1 Branch
Reporter | ||
Updated•15 years ago
|
Summary: "ASSERTION: null frame is not allowed" and crash [@ IsPercentageAware] with -moz-column, :first-letter → [1.9.1 branch] "ASSERTION: null frame is not allowed" and crash [@ IsPercentageAware] with -moz-column, :first-letter
Comment 5•15 years ago
|
||
fyi, on windows !exploitable says: (9b8.f54): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=7ffd4000 ecx=00000000 edx=00000000 esi=0000b6d0 edi=00240000 eip=02c26742 esp=0012c354 ebp=0012c378 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!IsPercentageAware+0x0000000000000032 (Hash=0x1d0e112e.0x21731e0c) The data from the faulting address is later used as the target for a branch.
Comment 6•15 years ago
|
||
isPercentageAware is one of the signatures in Bug 526587 -- new crashes as fall out of frame poisoning. combination of comment 5 and bug 526587 makes me think we should hide this bug. reopen if this doesn't sound right.
Blocks: PoisonFrameCrash
Group: core-security
Comment 7•15 years ago
|
||
http://crash-stats.mozilla.com/report/index/8b2dfdc2-7044-4c2f-98ad-42c3f2091031 is a crash found in 3.6beta1 data.
Assignee | ||
Comment 8•15 years ago
|
||
I'll dig into this one and see what I can find...
Assignee: nobody → matspal
Assignee | ||
Comment 9•15 years ago
|
||
This was fixed on trunk in the range: 2009-05-08-03 -- 2009-05-09-03 http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c4fcaec2898a&tochange=baf06abf0af4 By bug 399412 it seems. I can reproduce the crash in a local 1.9.1 build. The crash does NOT occur in a local trunk, 1.9.2. or 1.9.0 build. Applying the patch in bug 399412 to my 1.9.1 build fixes this crash. That leaves to explain the 3.6b1 crash in comment 7. It's a different bug that also ends up crashing in IsPercentageAware?
Assignee | ||
Updated•15 years ago
|
status1.9.2:
--- → unaffected
Updated•15 years ago
|
blocking1.9.1: --- → ?
Flags: wanted1.9.0.x-
Assignee | ||
Comment 10•15 years ago
|
||
The 3.6b1 crash in comment 7 could be bug 491547 which was fixed 2009-11-02 on the 1.9.2 branch (for beta 2).
Comment 11•15 years ago
|
||
We've had twelve different bugs resulting in crashes at IsPercentageAware. comment 5 is an example of where !exploitable guesses wrong. We're using a nsCOMPtr there and it will definitely be null if not set correctly.
Depends on: 399412
Whiteboard: [sg:dos null-deref]
Updated•15 years ago
|
blocking1.9.1: ? → .7+
status1.9.1:
--- → wanted
Updated•15 years ago
|
Whiteboard: [sg:dos null-deref] → [sg:dos null-deref][fixed by 399412]
Assignee | ||
Comment 12•15 years ago
|
||
Fixed by bug 399412.
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•15 years ago
|
Comment 13•14 years ago
|
||
Verified fixed on 1.9.1 with builds on all platforms like Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100127 Shiretoko/3.5.8pre (.NET CLR 3.5.30729) ID:20100127050511
Status: RESOLVED → VERIFIED
Keywords: verified1.9.1
OS: Mac OS X → All
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.1
Updated•14 years ago
|
Group: core-security
Updated•13 years ago
|
Crash Signature: [@ IsPercentageAware]
You need to log in
before you can comment on or make changes to this bug.
Description
•