Closed Bug 476000 Opened 15 years ago Closed 15 years ago

Crash [@ NS_GetInnermostURI(nsIURI*) ] attempting to right-click specific selected text

Categories: Thunderbird :: Mail Window Front End, defect
Type: defect
Priority: Not set
Severity: critical
Tracking: (Not tracked)
Resolution: RESOLVED DUPLICATE of bug 470804
People: Reporter: mdudziak, Unassigned
Keywords: crash, testcase, topcrash
Attachments: 2 files

The problem is that Thunderbird will crash if you attempt to right click specific selected text.

To reproduce:
- Open the message in the attached zip file
- Scroll down to the text:

Type: \\bank\smart\software\centauri\client\CentauriV406-Patches.zip

- Select the text from "\\bank\smart\software\centauri\client\CentauriV406-Patches.zip"
- Right click the selection
- Crash
- 100% reproducible for me. Tested on Mac (Intel) and Windows XP.
need your crash report. If you are running trunk, here's how to get it: http://kb.mozillazine.org/Breakpad#Location_of_crash_reports
Severity: major → critical
Keywords: crash
Matt, you can get crash reports to post in the bug report per http://kb.mozillazine.org/Breakpad#Location_of_crash_reports  What version were you using?

If nightlies, how long have you been using nightlies?  If nightly, perhaps this is a regression of bug 470804.

This crashes on windows and is a top 10 crash for b2
bp-dda0e5bf-31e7-477b-b9c8-19a442090311
0	thunderbird.exe	NS_GetInnermostURI	 objdir-tb/mozilla/dist/include/necko/nsNetUtil.h:1413
1	thunderbird.exe	nsScriptSecurityManager::CheckLoadURIWithPrincipal	caps/src/nsScriptSecurityManager.cpp:1321
2	xpcom_core.dll	NS_InvokeByIndex_P	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
3	thunderbird.exe	XPCWrappedNative::CallMethod	js/src/xpconnect/src/xpcwrappednative.cpp:2265
4	thunderbird.exe	XPC_WN_CallMethod	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1587
5	js3250.dll	js_Invoke	js/src/jsinterp.cpp:1313
Flags: blocking-thunderbird3?
Keywords: topcrash
Summary: CRASH attempting to right-click specific selected text → CRASH attempting to right-click specific selected text [@ NS_GetInnermostURI(nsIURI*) ]
I tested this testcase using the STR in comment #0 on an old (circa 11 Jan 09 build) debug WinXP TB3 build, and boy, did I have fun debugging on this using !exploitable. My old build doesn't really matter - it seems to be a topcrash for b2 whatever the case.

Turning this security-sensitive because !exploitable notes that this is PROBABLY_EXPLOITABLE. Is this something to do with CAPS? (for which it should head to some MailNews Core component)


=====

0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** WARNING: Unable to verify checksum for C:\objdir-tb\mozilla\dist\bin\xpcom_core.dll
*** WARNING: Unable to verify checksum for C:\objdir-tb\mozilla\dist\bin\components\xpc3250.dll
*** WARNING: Unable to verify checksum for C:\objdir-tb\mozilla\dist\bin\js3250.dll
*** WARNING: Unable to verify checksum for C:\objdir-tb\mozilla\dist\bin\components\gklayout.dll
*** WARNING: Unable to verify checksum for C:\objdir-tb\mozilla\dist\bin\components\gkwidget.dll
*** WARNING: Unable to verify checksum for C:\objdir-tb\mozilla\dist\bin\components\tkitcmps.dll
*** WARNING: Unable to verify checksum for C:\objdir-tb\mozilla\dist\bin\xul.dll
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:017b45a9 mov edx,dword ptr [ecx]

Basic Block:
    017b45a9 mov edx,dword ptr [ecx]
       Tainted Input Operands: ecx
    017b45ab mov eax,dword ptr [ebp+0ch]
    017b45ae push eax
    017b45af mov ecx,dword ptr [edx+4]
       Tainted Input Operands: edx
    017b45b2 call ecx
       Tainted Input Operands: ecx, edx

Exception Hash (Major/Minor): 0x64391905.0x34361c71

Stack Trace:
caps!NS_GetInnermostURI+0x59
caps!nsScriptSecurityManager::CheckLoadURIWithPrincipal+0x2de
xpcom_core!NS_InvokeByIndex_P+0x27
xpc3250!XPCWrappedNative::CallMethod+0x1289
xpc3250!XPC_WN_CallMethod+0x181
js3250!js_Invoke+0x87a
js3250!js_Interpret+0xdfce
js3250!js_Invoke+0x8f7
js3250!js_InternalInvoke+0x6d
js3250!JS_CallFunctionValue+0x5d
gklayout!nsJSContext::CallEventHandler+0x2ec
gklayout!nsJSEventListener::HandleEvent+0x10d9
gklayout!nsEventListenerManager::HandleEventSubType+0x1ad
gklayout!nsEventListenerManager::HandleEvent+0x374
gklayout!nsEventTargetChainItem::HandleEvent+0x130
gklayout!nsEventTargetChainItem::HandleEventTargetChain+0x194
gklayout!nsEventDispatcher::Dispatch+0x51e
gklayout!nsXULPopupManager::FirePopupShowingEvent+0xbf
gklayout!nsXULPopupManager::ShowPopupAtScreen+0x7a
gklayout!nsXULPopupListener::LaunchPopup+0xa78
gklayout!nsXULPopupListener::PreLaunchPopup+0x717
gklayout!nsXULPopupListener::ContextMenu+0x1b
gklayout!DispatchToInterface+0x63
gklayout!nsEventListenerManager::HandleEvent+0x346
gklayout!nsEventTargetChainItem::HandleEvent+0x130
gklayout!nsEventTargetChainItem::HandleEventTargetChain+0x26c
gklayout!nsEventDispatcher::Dispatch+0x51e
gklayout!PresShell::HandleEventInternal+0x2e4
gklayout!PresShell::HandlePositionedEvent+0x158
gklayout!PresShell::HandleEvent+0x505
gklayout!nsViewManager::HandleEvent+0x59
gklayout!nsViewManager::DispatchEvent+0xbbf
gklayout!HandleEvent+0x4b
gkwidget!nsWindow::DispatchEvent+0xc3
gkwidget!nsWindow::DispatchWindowEvent+0x26
gkwidget!nsWindow::DispatchMouseEvent+0x6fa
gkwidget!ChildWindow::DispatchMouseEvent+0xad
gkwidget!nsWindow::ProcessMessage+0xd54
gkwidget!nsWindow::WindowProc+0x178
USER32!InternalCallWinProc+0x28
USER32!UserCallWinProcCheckWow+0x150
USER32!DispatchClientMessage+0xa3
USER32!__fnDWORD+0x24
ntdll!KiUserCallbackDispatcher+0x13
USER32!NtUserMessageCall+0xc
USER32!RealDefWindowProcW+0x47
USER32!DefWindowProcW+0x72
gkwidget!nsWindow::DefaultWindowProc+0x19
USER32!InternalCallWinProc+0x28
USER32!UserCallWinProcCheckWow+0x150
USER32!CallWindowProcAorW+0x98
USER32!CallWindowProcW+0x1b
gkwidget!nsWindow::WindowProc+0x1c2
USER32!InternalCallWinProc+0x28
USER32!UserCallWinProcCheckWow+0x150
USER32!DispatchMessageWorker+0x306
USER32!DispatchMessageW+0xf
gkwidget!nsAppShell::ProcessNextNativeEvent+0x8f
gkwidget!nsBaseAppShell::DoProcessNextNativeEvent+0x3c
gkwidget!nsBaseAppShell::OnProcessNextEvent+0x143
xpcom_core!nsThread::ProcessNextEvent+0x128
xpcom_core!NS_ProcessNextEvent_P+0x53
gkwidget!nsBaseAppShell::Run+0x5d
tkitcmps!nsAppStartup::Run+0x6b
Instruction Address: 0x17b45a9

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at caps!NS_GetInnermostURI+0x59 (Hash=0x64391905.0x34361c71)

The data from the faulting address is later used as the target for a branch.
Group: core-security
Keywords: testcase
Summary: CRASH attempting to right-click specific selected text [@ NS_GetInnermostURI(nsIURI*) ] → Crash [@ NS_GetInnermostURI(nsIURI*) ] attempting to right-click specific selected text
Test case does not crash for me using SeaMonkey with either mozilla-central or mozilla-1.9.1 backend.

(In reply to comment #3)
> caps!NS_GetInnermostURI+0x59
> caps!nsScriptSecurityManager::CheckLoadURIWithPrincipal+0x2de
It would be interesting to know what the URI parameters are (they may be the same or different). If you can figure out WinDbg's Locals window, you might even be able to find out the spec of each URI, but this depends on the concrete type so I can't give you an example.
Attached image locals info from WinDbg
Reproducible in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090330 Lightning/1.0pre Shredder/3.0b3pre

Attached is the locals window immediately after the access violation occurred, top right is WinDbg console, and bottom right is the source code (I think).

I'm not sure if this is entirely what Neil meant.
I did a backtrace from the WinDbg console but they all seem to be equivalent information.

0:000> kp
ChildEBP RetAddr  
0012ce38 022816ce caps!NS_GetInnermostURI(class nsIURI * uri = 0x00000000)+0x59 [c:\objdir-tb\mozilla\dist\include\necko\nsnetutil.h @ 1427]
0012d11c 004b7227 caps!nsScriptSecurityManager::CheckLoadURIWithPrincipal(class nsIPrincipal * aPrincipal = 0x062eaa88, class nsIURI * aTargetURI = 0x00000000, unsigned int aFlags = 0)+0x2de [c:\comm-central\mozilla\caps\src\nsscriptsecuritymanager.cpp @ 1321]
0012d140 0140f4fe xpcom_core!NS_InvokeByIndex_P(class nsISupports * that = 0x01ee4388, unsigned int methodIndex = 0xa, unsigned int paramCount = 3, struct nsXPTCVariant * params = 0x0012d2c4)+0x27 [c:\comm-central\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 102]
0012d454 0141bc87 xpc3250!XPCWrappedNative::CallMethod(class XPCCallContext * ccx = 0x01ee4388, XPCWrappedNative::CallMode mode = 10 (No matching enumerant))+0x12ae [c:\comm-central\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 2434]
0012d520 005cee22 xpc3250!XPC_WN_CallMethod(struct JSContext * cx = 0x060486d8, struct JSObject * obj = 0x041a0d80, unsigned int argc = 3, int * argv = 0x060f4340, int * vp = 0x0012d594)+0x187 [c:\comm-central\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1587]
0012d60c 005e086d js3250!js_Invoke(struct JSContext * cx = 0x060486d8, unsigned int argc = 3, int * vp = 0x060f4338, unsigned int flags = 2)+0x8a2 [c:\comm-central\mozilla\js\src\jsinterp.cpp @ 1313]
0012dcc4 005cee99 js3250!js_Interpret(struct JSContext * cx = 0x060486d8)+0xf4ad [c:\comm-central\mozilla\js\src\jsinterp.cpp @ 5024]
0012dda0 005cf772 js3250!js_Invoke(struct JSContext * cx = 0x060486d8, unsigned int argc = 1, int * vp = 0x060f4034, unsigned int flags = 0)+0x919 [c:\comm-central\mozilla\js\src\jsinterp.cpp @ 1331]
0012ddc4 0058216d js3250!js_InternalInvoke(struct JSContext * cx = 0x060486d8, struct JSObject * obj = 0x06ad1220, int fval = 43845952, unsigned int flags = 0, unsigned int argc = 1, int * argv = 0x060f4030, int * rval = 0x0012de88)+0x82 [c:\comm-central\mozilla\js\src\jsinterp.cpp @ 1389]
0012ddec 036df1a5 js3250!JS_CallFunctionValue(struct JSContext * cx = 0x060486d8, struct JSObject * obj = 0x06ad1220, int fval = 43845952, unsigned int argc = 1, int * argv = 0x060f4030, int * rval = 0x0012de88)+0x5d [c:\comm-central\mozilla\js\src\jsapi.cpp @ 5296]
0012de9c 03740b49 gklayout!nsJSContext::CallEventHandler(class nsISupports * aTarget = 0x060b2158, void * aScope = 0x054512a0, void * aHandler = 0x029d0940, class nsIArray * aargv = 0x05e64d18, class nsIVariant ** arv = 0x0012e054)+0x2f5 [c:\comm-central\mozilla\dom\src\base\nsjsenvironment.cpp @ 2007]
0012e110 0359a17d gklayout!nsJSEventListener::HandleEvent(class nsIDOMEvent * aEvent = 0x05738010)+0x10d9 [c:\comm-central\mozilla\dom\src\events\nsjseventlistener.cpp @ 247]
0012e208 0359a584 gklayout!nsEventListenerManager::HandleEventSubType(struct nsListenerStruct * aListenerStruct = 0x0618a8c0, class nsIDOMEventListener * aListener = 0x05896a28, class nsIDOMEvent * aDOMEvent = 0x05738010, class nsPIDOMEventTarget * aCurrentTarget = 0x060b2158, unsigned int aPhaseFlags = 6)+0x1ad [c:\comm-central\mozilla\content\events\src\nseventlistenermanager.cpp @ 1101]
0012e274 0359e1b0 gklayout!nsEventListenerManager::HandleEvent(class nsPresContext * aPresContext = 0x01f12a40, class nsEvent * aEvent = 0x0012e410, class nsIDOMEvent ** aDOMEvent = 0x0012e354, class nsPIDOMEventTarget * aCurrentTarget = 0x060b2158, unsigned int aFlags = 6, nsEventStatus * aEventStatus = 0x0012e358)+0x374 [c:\comm-central\mozilla\content\events\src\nseventlistenermanager.cpp @ 1208]
0012e2b4 0359e3f4 gklayout!nsEventTargetChainItem::HandleEvent(class nsEventChainPostVisitor * aVisitor = 0x0012e34c, unsigned int aFlags = 6, int aMayHaveNewListenerManagers = 1)+0x130 [c:\comm-central\mozilla\content\events\src\nseventdispatcher.cpp @ 237]
0012e2f0 0359eb0e gklayout!nsEventTargetChainItem::HandleEventTargetChain(class nsEventChainPostVisitor * aVisitor = 0x0012e34c, unsigned int aFlags = 6, class nsDispatchingCallback * aCallback = 0x00000000, int aMayHaveNewListenerManagers = 1)+0x194 [c:\comm-central\mozilla\content\events\src\nseventdispatcher.cpp @ 302]
0012e3bc 03499b5f gklayout!nsEventDispatcher::Dispatch(class nsISupports * aTarget = 0x060b2158, class nsPresContext * aPresContext = 0x01f12a40, class nsEvent * aEvent = 0x0012e410, class nsIDOMEvent * aDOMEvent = 0x00000000, nsEventStatus * aEventStatus = 0x0012e40c, class nsDispatchingCallback * aCallback = 0x00000000)+0x51e [c:\comm-central\mozilla\content\events\src\nseventdispatcher.cpp @ 514]
0012e478 0349855a gklayout!nsXULPopupManager::FirePopupShowingEvent(class nsIContent * aPopup = 0x060b2158, class nsIContent * aMenu = 0x00000000, class nsPresContext * aPresContext = 0x01f12a40, nsPopupType aPopupType = ePopupTypeMenu (1), int aIsContextMenu = 1, int aSelectFirstItem = 0)+0xbf [c:\comm-central\mozilla\layout\xul\base\src\nsxulpopupmanager.cpp @ 1001]
0012e4a0 0381e898 gklayout!nsXULPopupManager::ShowPopupAtScreen(class nsIContent * aPopup = 0x060b2158, int aXPos = 494, int aYPos = 343, int aIsContextMenu = 1, class nsIDOMEvent * aTriggerEvent = 0x025c35b0)+0x7a [c:\comm-central\mozilla\layout\xul\base\src\nsxulpopupmanager.cpp @ 476]
0012e6f8 0381d9f7 gklayout!nsXULPopupListener::LaunchPopup(class nsIDOMEvent * aEvent = 0x025c35b0, class nsIContent * aTargetContent = 0x0634c0a8)+0xa78 [c:\comm-central\mozilla\content\xul\content\src\nsxulpopuplistener.cpp @ 486]
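The backtrace above shows the input that faults: CheckLoadURIWithPrincipal is reached from JS with aTargetURI = 0x00000000, and NS_GetInnermostURI then does a virtual call through that null interface pointer, which is the `mov edx,[ecx]` / `mov ecx,[edx+4]` / `call ecx` sequence !exploitable flagged in comment 3. The following C is an added example to illustrate that pattern and the guard that prevents it; it is not Mozilla code. The two-slot vtable, the struct layout, the GetInnerURI method and the sample jar:/file: URIs are simplifying assumptions (the real nsIURI/nsINestedURI layout and NS_GetInnermostURI logic are not modelled), constructed so the block runs stand-alone.

```c
/* Added example, not Mozilla code: a minimal COM/XPCOM-style interface whose
 * vtable lives in the object's first word, an unchecked walk that faults on a
 * null pointer exactly like the crash in this bug, and the checked form.
 * Vtable slot layout, names and sample URIs below are illustrative assumptions,
 * not nsISupports' real QueryInterface/AddRef/Release layout. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t nsresult;
#define NS_OK                    ((nsresult)0x00000000)
#define NS_ERROR_INVALID_POINTER ((nsresult)0x80004003) /* error NS_ENSURE_ARG_POINTER returns */

typedef struct nsIURI nsIURI;

/* Interface vtable: the object pointer's first word points here. */
typedef struct nsIURIVtbl {
    nsresult (*QueryInterface)(nsIURI *self, const char *iid, void **out); /* slot 0: [vtable+0] */
    nsresult (*GetInnerURI)(nsIURI *self, nsIURI **out);                   /* slot 1: [vtable+4] on x86 */
} nsIURIVtbl;

struct nsIURI {
    const nsIURIVtbl *vtbl;  /* loaded by "mov edx,[ecx]" with ecx = this */
    const char *spec;
    nsIURI *inner;           /* non-NULL for nested schemes such as jar: */
};

static nsresult plain_QueryInterface(nsIURI *self, const char *iid, void **out) {
    (void)self; (void)iid; (void)out;
    return NS_ERROR_INVALID_POINTER;  /* no other interfaces in this toy model */
}

static nsresult plain_GetInnerURI(nsIURI *self, nsIURI **out) {
    *out = self->inner;  /* NULL when there is no inner URI */
    return NS_OK;
}

static const nsIURIVtbl plainVtbl = { plain_QueryInterface, plain_GetInnerURI };

/* Unchecked walk, mirroring the faulting basic block from comment 3:
 *   mov edx,[ecx]    ; vtable load from the null object -> read AV at 0x0
 *   mov ecx,[edx+4]  ; would then read a function pointer out of the "vtable"
 *   call ecx         ; and branch through it
 * Calling this with NULL crashes; it exists only to show the pattern. */
static nsIURI *innermost_unchecked(nsIURI *uri) {
    nsIURI *inner = NULL;
    while (uri->vtbl->GetInnerURI(uri, &inner) == NS_OK && inner != NULL)
        uri = inner;
    return uri;
}

/* Checked form: reject a null interface pointer before any vtable load.
 * This is the XPCOM convention (NS_ENSURE_ARG_POINTER) of turning a bad
 * argument from script into an error return instead of a dereference. */
static nsresult innermost_checked(nsIURI *uri, nsIURI **out) {
    if (uri == NULL || out == NULL)
        return NS_ERROR_INVALID_POINTER;
    *out = innermost_unchecked(uri);
    return NS_OK;
}

/* Constructed sample data: a two-level nesting, jar: wrapping file:. */
static nsIURI sample_file = { &plainVtbl, "file:///a.jar", NULL };
static nsIURI sample_jar  = { &plainVtbl, "jar:file:///a.jar!/b.html", &sample_file };

/* Returns the innermost spec, or NULL when the input is rejected (the bug's
 * null aTargetURI case), so callers never reach the unchecked dereference. */
static const char *innermost_spec(nsIURI *uri) {
    nsIURI *inner = NULL;
    return innermost_checked(uri, &inner) == NS_OK ? inner->spec : NULL;
}
```

The classification !exploitable gave (TaintedDataControlsCodeFlow) comes from the instruction sequence, not from any evidence that the pointer can be something other than 0: the tool sees a value read at the faulting address feed a later `call`, so it rates a vtable dispatch through an attacker-influenced pointer as probably exploitable. With a bare null it is a denial of service unless the null page can be mapped, which is why the `uri = 0x00000000` in the `kp` output is the detail worth checking before treating a crash like this as more than a crash.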
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Taking out of core-security because bug 470804 is open.
Group: core-security
Flags: blocking-thunderbird3?
Crash Signature: [@ NS_GetInnermostURI(nsIURI*) ]