Closed Bug 489546 Opened 15 years ago Closed 15 years ago

XUL Tree Selection Null-Deref [@ nsTreeSelection::GetSingle ]

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 399227
Tracking Flags:
Tracking Status
status1.9.1 --- wanted

People

(Reporter: nils, Assigned: smaug)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos] null deref)

Crash Data

Attachments

(1 file)

testcase
668 bytes, application/xhtml+xml
Details 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8

I will attach a testcase which crashes Firefox with following stack trace:

#0  0x00007ff25722c93b in raise () from /lib/libpthread.so.0
#0  0x00007ff25722c93b in raise () from /lib/libpthread.so.0
#1  0x00007ff2560aa643 in nsProfileLock::FatalSignalHandler (signo=11)
    at nsProfileLock.cpp:212
#2  <signal handler called>
#3  nsTreeSelection::GetSingle (this=<value optimized out>, 
    aSingle=0x7fff5f653480)
    at /home/nils/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp:307
#4  0x00007ff2567f3afa in NS_InvokeByIndex_P (that=0x7ff245fc7c40, 
    methodIndex=5, paramCount=1, params=0x7fff5f653480)
    at /home/nils/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_linux.cpp:208
#5  0x00007ff2560cc179 in XPCWrappedNative::CallMethod (ccx=@0x7fff5f653830, 
    mode=<value optimized out>)
    at /home/nils/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2393
#6  0x00007ff2560d3bfa in XPC_WN_GetterSetter (cx=0x7ff2471c0c00, 
    obj=<value optimized out>, argc=0, argv=0x7ff24606b510, vp=0x7fff5f653a38)
    at /home/nils/mozilla/js/src/xpconnect/src/xpcprivate.h:2254
#7  0x00007ff255a0eb53 in js_Invoke (cx=0x7ff2471c0c00, argc=0, 
    vp=0x7ff24606b500, flags=2) at /home/nils/mozilla/js/src/jsinterp.c:1304
#8  0x00007ff255a0eefe in js_InternalInvoke (cx=0x7ff2471c0c00, 
    obj=0x7ff246a11e00, fval=140678532291136, flags=0, argc=0, 
    argv=<value optimized out>, rval=0x7fff5f653e20)
    at /home/nils/mozilla/js/src/jsinterp.c:1376
#9  0x00007ff255a0f00d in js_InternalGetOrSet (cx=0x7ff2471c0c00, 
    obj=0x7ff246a11e00, id=<value optimized out>, fval=140678532291136, 
    mode=<value optimized out>, argc=0, argv=0x0, rval=0x7fff5f653e20)
    at /home/nils/mozilla/js/src/jsinterp.c:1434


Reproducible: Always

Steps to Reproduce:
1. Load testcase
2. see crash
Actual Results:  
Crash

Expected Results:  
No Crash

Tested on Windows Firefox 3.0.9 and Ubuntu current Firefox version.
Attached file testcase 

    
    

    
  
Assertion on a debug build on linux in gdb:


###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../../../dist/include/xpcom/nsCOMPtr.h, line 868

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ff56a123780 (LWP 1551)]
0x00007ff5589c6316 in nsTreeSelection::GetSingle (this=0x7ff550b44cf0,
    aSingle=0x7fff72144410)
    at /home/nils/firefox/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp:305
305       boxObject->GetElement(getter_AddRefs(element));
(gdb) bt 5
#0  0x00007ff5589c6316 in nsTreeSelection::GetSingle (this=0x7ff550b44cf0,
    aSingle=0x7fff72144410)
    at /home/nils/firefox/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp:305
#1  0x00007ff5690c85c7 in NS_InvokeByIndex_P (that=0x7ff550b44cf0,
    methodIndex=5, paramCount=1, params=0x7fff72144410)
    at /home/nils/firefox/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_linux.cpp:208
#2  0x00007ff55c41e6d0 in XPCWrappedNative::CallMethod (ccx=@0x7fff72144880,
    mode=XPCWrappedNative::CALL_GETTER)
    at /home/nils/firefox/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2393
#3  0x00007ff55c42e56d in XPCWrappedNative::GetAttribute (ccx=@0x7fff72144880)
    at /home/nils/firefox/mozilla/js/src/xpconnect/src/xpcprivate.h:2254
#4  0x00007ff55c42b1c2 in XPC_WN_GetterSetter (cx=0x7ff5527c4c00,
    obj=0x7ff559e173c0, argc=0, argv=0x7ff5514bc188, vp=0x7fff72144a28)
    at /home/nils/firefox/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1505
(More stack frames follow...)
(gdb)

Code:
(gdb) list
300     NS_IMETHODIMP nsTreeSelection::GetSingle(PRBool* aSingle)
301     {
302       nsCOMPtr<nsIBoxObject> boxObject = do_QueryInterface(mTree);
303
304       nsCOMPtr<nsIDOMElement> element;
305       boxObject->GetElement(getter_AddRefs(element));

    
  
Severity: normal → critical
Component: General → XP Toolkit/Widgets: XUL
Keywords: crash
Product: Firefox → Core
QA Contact: general → xptoolkit.xul
Summary: XUL Tree Selection Null-Deref getSingle() → XUL Tree Selection Null-Deref [@ nsTreeSelection::GetSingle ]
Version: unspecified → Trunk
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase
Whiteboard: [sg:dos] null deref

    
    

    
  
!exploitable output for 1.9.0 debug builds:Probably Exploitable - Data from Faulting Address control s Code Flow starting at gklayout!nsTreeSelection::GetSingle+0x0000000000000056 (
Hash=0x7513130a.0x386e5f5f)
Flags: blocking1.9.0.15?
Assignee: nobody → Olli.Pettay

          status1.9.1:
          --- → wanted
Flags: blocking1.9.0.15? → wanted1.9.0.x+

    
    

    
  
This is a dup of bug 399227.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ nsTreeSelection::GetSingle ]

    
    

    
  
Moving to Core:XUL per https://bugzilla.mozilla.org/show_bug.cgi?id=1455336
Component: XP Toolkit/Widgets: XUL → XUL

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: