Closed Bug 488274 Opened 13 years ago Closed 13 years ago

Crash [@ nsObjectLoadingContent::OnStartRequest] with object, DOMAttrModified and colorpicker

Product/Component: Core :: DOM: Core & HTML
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Target Milestone: mozilla1.9.3a1
Tracking Status: status1.9.2 --- beta2-fixed; status1.9.1 --- .6-fixed
Reporter: martijn.martijn
Assignee: jst
Keywords: 5
Whiteboard: [sg:dos] null deref
Attachments: 3 files

Attached file testcase
See testcase, which crashes current trunk build and Firefox3.0.7 on load.

http://crash-stats.mozilla.com/report/index/41738fe7-3cb8-4456-8911-5deee2090414?p=1
0  	xul.dll  	nsObjectLoadingContent::OnStartRequest  	 content/base/src/nsObjectLoadingContent.cpp:540
1 	xul.dll 	nsBaseChannel::OnStartRequest 	netwerk/base/src/nsBaseChannel.cpp:665
2 	xul.dll 	nsInputStreamPump::OnStateStart 	netwerk/base/src/nsInputStreamPump.cpp:439
3 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:395
4 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:190
5 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
6 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
7 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:192
8 	nspr4.dll 	PR_GetEnv 	
9 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
10 	firefox.exe 	firefox.exe@0x21a7 	
11 	kernel32.dll 	BaseProcessStart
The testcase doesn't seem to crash online.
Flags: wanted1.9.2?
Flags: wanted1.9.1?
Flags: blocking1.9.2?
Flags: blocking1.9.1?
jst/jonas: can we get a blocking decision here?
Flags: wanted1.9.0.x?
#7  0x00002aaab0dfa75b in nsObjectLoadingContent::RemovedFromDocument (this=0xf4b920)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:1375
#8  0x00002aaab0e92b74 in nsHTMLObjectElement::UnbindFromTree (this=0xf4b8d0, aDeep=27046, aNullParent=6)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/html/content/src/nsHTMLObjectElement.cpp:239
#9  0x00002aaab0de9ba1 in nsGenericElement::doRemoveChildAt (aIndex=1, aNotify=1, aKid=0xf4b8d0, aParent=0x17d51e0, 
    aDocument=<value optimized out>, aChildArray=@0x17d5218)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:3398
#10 0x00002aaab0de9e58 in nsGenericElement::RemoveChildAt (this=0x17d51e0, aIndex=1, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:3325
#11 0x00002aaab109ab84 in nsXULElement::RemoveChildAt (this=0x17d51e0, aIndex=1, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xul/content/src/nsXULElement.cpp:961
#12 0x00002aaab0de85cf in nsGenericElement::doRemoveChild (aOldChild=0xf4b9c8, aParent=<value optimized out>, 
    aDocument=<value optimized out>, aReturn=0x7fffc508bff0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4002
#13 0x00002aaab06a1ced in nsIDOMNode_RemoveChild (cx=<value optimized out>, argc=1, vp=0x1a9d678) at dom_quickstubs.cpp:2936
#14 0x00002aaaaad760a5 in js_Interpret (cx=0x1bd0a80) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:5118
#15 0x00002aaaaad7f60b in js_Invoke (cx=0x1bd0a80, argc=1, vp=0x1a9d660, flags=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1375
#16 0x00002aaaaad7faa5 in js_InternalInvoke (cx=0x1bd0a80, obj=0x16eb580, fval=15782912, flags=0, argc=1, argv=0x1a9d658, 
    rval=0x7fffc508c5c0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1428
#17 0x00002aaaaad26c54 in JS_CallFunctionValue (cx=0x1bd0a80, obj=0x16eb580, fval=15782912, argc=1, argv=0x1a9d658, 
    rval=0x7fffc508c5c0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsapi.cpp:5191
#18 0x00002aaab0f7fa57 in nsJSContext::CallEventHandler (this=0x1dc7150, aTarget=<value optimized out>, 
    aScope=<value optimized out>, aHandler=0xf0d400, aargv=0x17aa390, arv=0x7fffc508c7e0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/base/nsJSEnvironment.cpp:2026
#19 0x00002aaab0fc9b2b in nsJSEventListener::HandleEvent (this=0x11b08a0, aEvent=0x1ad2428)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/src/events/nsJSEventListener.cpp:247
#20 0x00002aaab0e3745f in nsEventListenerManager::HandleEventSubType (this=0x1ae4b30, aListenerStruct=0x1ae4b78, 
    aListener=0x11b08a0, aDOMEvent=0x1ad2428, aCurrentTarget=0x17ab800, aPhaseFlags=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventListenerManager.cpp:1090
#21 0x00002aaab0e379e7 in nsEventListenerManager::HandleEvent (this=0x1ae4b30, aPresContext=0x0, aEvent=0x7fffc508ced0, 
    aDOMEvent=0x7fffc508cc00, aCurrentTarget=0x17ab800, aFlags=2, aEventStatus=0x7fffc508cc08)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventListenerManager.cpp:1187
#22 0x00002aaab0e5b85d in nsEventTargetChainItem::HandleEvent (this=0x1acb118, aVisitor=@0x7fffc508cbf0, aFlags=2, 
    aMayHaveNewListenerManagers=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:227
#23 0x00002aaab0e5bacc in nsEventTargetChainItem::HandleEventTargetChain (this=0x1acb428, aVisitor=@0x7fffc508cbf0, 
    aFlags=6, aCallback=0x0, aMayHaveNewListenerManagers=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:315
#24 0x00002aaab0e5bfbe in nsEventDispatcher::Dispatch (aTarget=<value optimized out>, aPresContext=<value optimized out>, 
    aEvent=0x7fffc508ced0, aDOMEvent=0x0, aEventStatus=0x0, aCallback=0x0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:508
#25 0x00002aaab0de7b9e in nsGenericElement::SetAttrAndNotify (this=0x205b180, aNamespaceID=0, aName=0xa21b88, 
    aPrefix=<value optimized out>, aOldValue=@0x7fffc508d030, aParsedValue=<value optimized out>, aModification=0, 
    aFireMutation=1, aNotify=1, aValueForAfterSetAttr=0x7fffc508d190)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4406
#26 0x00002aaab0de8045 in nsGenericElement::SetAttr (this=0x205b180, aNamespaceID=0, aName=0xa21b88, aPrefix=0x0, 
    aValue=@0x7fffc508d190, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4300
#27 0x00002aaab0de1ad9 in nsGenericElement::SetAttribute (this=0x205b180, aName=@0x7fffc508d1b0, aValue=@0x7fffc508d190)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.h:386
#28 0x00002aaab06a4cb3 in nsIDOMElement_SetAttribute (cx=0x1bd0a80, argc=2, vp=0x1a9d620) at dom_quickstubs.cpp:2213
#29 0x00002aaaaad760a5 in js_Interpret (cx=0x1bd0a80) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:5118
#30 0x00002aaaaad7f60b in js_Invoke (cx=0x1bd0a80, argc=0, vp=0x1a9d418, flags=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1375
#31 0x00002aaaaad7faa5 in js_InternalInvoke (cx=0x1bd0a80, obj=0x16eb6c0, fval=15783936, flags=0, argc=0, argv=0x0, 
    rval=0x7fffc508d720) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1428
#32 0x00002aaaaad26c54 in JS_CallFunctionValue (cx=0x1bd0a80, obj=0x16eb6c0, fval=15783936, argc=0, argv=0x0, 
    rval=0x7fffc508d720) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsapi.cpp:5191
#33 0x00002aaab0f3eba9 in nsXBLProtoImplAnonymousMethod::Execute (this=0x14a27d0, aBoundElement=0x177cc40)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp:332
#34 0x00002aaab0f4cb1d in nsBindingManager::ProcessAttachedQueue (this=0x1a97db0, aSkipSize=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsBindingManager.cpp:1015
#35 0x00002aaab0c06d1a in PresShell::FlushPendingNotifications (this=0x2092290, aType=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsPresShell.cpp:4765
#36 0x00002aaab0dc7a8d in nsDocument::FlushPendingNotifications (this=<value optimized out>, aType=Flush_Style)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsDocument.cpp:6273
#37 0x00002aaab0dfb040 in nsObjectLoadingContent::NotifyStateChanged (this=0xf4b920, 
    aOldType=nsObjectLoadingContent::eType_Loading, aOldState=2097152, aSync=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:1528
#38 0x00002aaab0dfe6a8 in AutoNotifier::Notify (this=0x7fffc508da50)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:235
#39 0x00002aaab0dfc25e in nsObjectLoadingContent::OnStartRequest (this=0xf4b920, aRequest=0x1938df0, aContext=0x0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:534
This is not an exploitable crash, just a simple null dereference crash. Opening bug to the public.
Group: core-security
I don't think we should block on this, but I'd like to see a patch approved. I think what we want to do here is exactly what smaug's patch does, except w/o warning and throwing a better error. Updated patch coming up.
Flags: wanted1.9.2? → wanted1.9.2+
Flags: wanted1.9.1? → wanted1.9.1+
Flags: blocking1.9.2? → blocking1.9.2-
Flags: blocking1.9.1? → blocking1.9.1-
Assignee: nobody → jst
Status: NEW → ASSIGNED
Attachment #377088 - Flags: superreview?(bzbarsky)
Attachment #377088 - Flags: review+
Attachment #377088 - Attachment is patch: true
Attachment #377088 - Attachment mime type: application/octet-stream → text/plain
Whiteboard: [sg:dos] null deref
Attachment #377088 - Flags: superreview?(bzbarsky) → superreview+
Is the fix ready to be checked in?
It doesn't block 3.5 and also doesn't have approval1.9.1. So, given the tree rules, it cannot be checked in right now.
Is the fix now ready to be checked in?
Can the fix be checked in?
http://hg.mozilla.org/mozilla-central/rev/acfc95cc1e92
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
Verified fixed on trunk with builds on all platforms like Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.3a1pre) Gecko/20091003 Minefield/3.7a1pre ID:20091003031247

I'm not able to crash any build on Windows but any branch on OS X and Linux crashes immediately when loading the testcase. Can we get in the crashtest too?

Johnny, can we request approvals on your patch for the remaining branches?
Status: RESOLVED → VERIFIED
status1.9.1: --- → ?
Flags: in-testsuite?
OS: Windows XP → All
Hardware: x86 → All
Comment on attachment 377088 [details] [diff] [review]
Smaugs fix, tweaked.

Sure. This is adding a null pointer check, perfectly safe. We should take this for older releases...
Attachment #377088 - Flags: approval1.9.0.16?
Attachment #377088 - Flags: approval1.9.0.15?
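The gdb trace earlier in this bug shows OnStartRequest notifying a state change, script running during that notification, and the element's RemovedFromDocument being called before OnStartRequest resumes. The sketch below is an added illustration of that re-entrancy and of a null check after the callback; it is not the attached patch or Mozilla code, all names in it are hypothetical, and which member ends up null is an assumption.

```cpp
// Added illustration, not Mozilla code: every name here is hypothetical.
#include <functional>
#include <memory>
#include <string>

struct Channel { std::string contentType; };

// Stand-in for an element that loads content and notifies observers mid-load.
class ObjectLoader {
public:
    enum class Result { Ok, Aborted };

    // Observer hook; in the bug this is where page script gets to run.
    std::function<void(ObjectLoader&)> onStateChanged;

    void Open() { mChannel.reset(new Channel{"image/png"}); }  // constructed value

    // Counterpart of leaving the document: the pending load is dropped.
    void RemovedFromDocument() { mChannel.reset(); }

    Result OnStartRequest(std::string* typeOut) {
        if (!mChannel) return Result::Aborted;
        // Re-entrancy point: the callback may call RemovedFromDocument().
        if (onStateChanged) onStateChanged(*this);
        // State captured before the callback is stale now, so check again
        // and return an error instead of dereferencing a null member.
        if (!mChannel) return Result::Aborted;
        *typeOut = mChannel->contentType;
        return Result::Ok;
    }

private:
    std::unique_ptr<Channel> mChannel;
};

// Constructed scenario: optionally install a listener that removes the
// element while the start-of-load notification is being delivered.
ObjectLoader::Result RunLoad(bool removeDuringNotify, std::string* typeOut) {
    ObjectLoader loader;
    loader.Open();
    if (removeDuringNotify)
        loader.onStateChanged = [](ObjectLoader& self) { self.RemovedFromDocument(); };
    return loader.OnStartRequest(typeOut);
}

int main() {
    std::string type;
    return RunLoad(true, &type) == ObjectLoader::Result::Aborted ? 0 : 1;
}
```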
As stated in my comment above, it still crashes on 1.9.2 and 1.9.1 too. This bug is not marked as blocking, so we would also need flags for both branches.
Attachment #377088 - Flags: approval1.9.2+
Attachment #377088 - Flags: approval1.9.1.4?
Comment on attachment 377088 [details] [diff] [review]
Smaugs fix, tweaked.

Not for 1.9.1.4. Pushing out approval request.
Attachment #377088 - Flags: approval1.9.1.5?
Attachment #377088 - Flags: approval1.9.1.4?
Attachment #377088 - Flags: approval1.9.0.15?
Attachment #377088 - Flags: approval1.9.1.5?
Attachment #377088 - Flags: approval1.9.1.5+
Attachment #377088 - Flags: approval1.9.0.16?
Attachment #377088 - Flags: approval1.9.0.16+
Comment on attachment 377088 [details] [diff] [review]
Smaugs fix, tweaked.

Approved for 1.9.1.5 and 1.9.0.16, a=dveditz for release-drivers
Flags: wanted1.9.0.x? → wanted1.9.0.x+
Keywords: checkin-needed
Johnny: Can we get this landed on 1.9.0 asap?
Fixed in CVS.
Keywords: fixed1.9.0.16
Keywords: checkin-needed
Whiteboard: [sg:dos] null deref [needs 1.9.0 landing] → [sg:dos] null deref
Verified fixed on 1.9.2 and 1.9.1 with builds on Linux and OS X:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2b3pre) Gecko/20091114 Namoroka/3.6b3pre ID:20091114033807

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.6pre) Gecko/20091108 Shiretoko/3.5.6pre ID:20091108030959
Verified for 1.9.0.16 using Martijn's testcase with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.16pre) Gecko/2009111921 GranParadiso/3.0.16pre (.NET CLR 3.5.30729). Testcase crashes 1.9.0.15 on load on the same system.
Crash Signature: [@ nsObjectLoadingContent::OnStartRequest]
Component: DOM → DOM: Core & HTML