Closed Bug 489546 Opened 16 years ago Closed 15 years ago

XUL Tree Selection Null-Deref [@ nsTreeSelection::GetSingle ]

Categories

(Core :: XUL, defect)

x86
All
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 399227
Tracking Status
status1.9.1 --- wanted

People

(Reporter: nils, Assigned: smaug)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos] null deref)

Attachments

(1 file)

668 bytes, application/xhtml+xml
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8

I will attach a testcase which crashes Firefox with the following stack trace:

#0  0x00007ff25722c93b in raise () from /lib/libpthread.so.0
#1  0x00007ff2560aa643 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:212
#2  <signal handler called>
#3  nsTreeSelection::GetSingle (this=<value optimized out>, aSingle=0x7fff5f653480) at /home/nils/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp:307
#4  0x00007ff2567f3afa in NS_InvokeByIndex_P (that=0x7ff245fc7c40, methodIndex=5, paramCount=1, params=0x7fff5f653480) at /home/nils/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_linux.cpp:208
#5  0x00007ff2560cc179 in XPCWrappedNative::CallMethod (ccx=@0x7fff5f653830, mode=<value optimized out>) at /home/nils/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2393
#6  0x00007ff2560d3bfa in XPC_WN_GetterSetter (cx=0x7ff2471c0c00, obj=<value optimized out>, argc=0, argv=0x7ff24606b510, vp=0x7fff5f653a38) at /home/nils/mozilla/js/src/xpconnect/src/xpcprivate.h:2254
#7  0x00007ff255a0eb53 in js_Invoke (cx=0x7ff2471c0c00, argc=0, vp=0x7ff24606b500, flags=2) at /home/nils/mozilla/js/src/jsinterp.c:1304
#8  0x00007ff255a0eefe in js_InternalInvoke (cx=0x7ff2471c0c00, obj=0x7ff246a11e00, fval=140678532291136, flags=0, argc=0, argv=<value optimized out>, rval=0x7fff5f653e20) at /home/nils/mozilla/js/src/jsinterp.c:1376
#9  0x00007ff255a0f00d in js_InternalGetOrSet (cx=0x7ff2471c0c00, obj=0x7ff246a11e00, id=<value optimized out>, fval=140678532291136, mode=<value optimized out>, argc=0, argv=0x0, rval=0x7fff5f653e20) at /home/nils/mozilla/js/src/jsinterp.c:1434

Reproducible: Always

Steps to Reproduce:
1. Load testcase
2. See crash

Actual Results:
Crash

Expected Results:
No Crash

Tested on Windows Firefox 3.0.9 and Ubuntu current Firefox version.
Attached file testcase
Assertion on a debug build on linux in gdb:

###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../../../dist/include/xpcom/nsCOMPtr.h, line 868

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ff56a123780 (LWP 1551)]
0x00007ff5589c6316 in nsTreeSelection::GetSingle (this=0x7ff550b44cf0, aSingle=0x7fff72144410) at /home/nils/firefox/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp:305
305	  boxObject->GetElement(getter_AddRefs(element));
(gdb) bt 5
#0  0x00007ff5589c6316 in nsTreeSelection::GetSingle (this=0x7ff550b44cf0, aSingle=0x7fff72144410) at /home/nils/firefox/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp:305
#1  0x00007ff5690c85c7 in NS_InvokeByIndex_P (that=0x7ff550b44cf0, methodIndex=5, paramCount=1, params=0x7fff72144410) at /home/nils/firefox/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_linux.cpp:208
#2  0x00007ff55c41e6d0 in XPCWrappedNative::CallMethod (ccx=@0x7fff72144880, mode=XPCWrappedNative::CALL_GETTER) at /home/nils/firefox/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2393
#3  0x00007ff55c42e56d in XPCWrappedNative::GetAttribute (ccx=@0x7fff72144880) at /home/nils/firefox/mozilla/js/src/xpconnect/src/xpcprivate.h:2254
#4  0x00007ff55c42b1c2 in XPC_WN_GetterSetter (cx=0x7ff5527c4c00, obj=0x7ff559e173c0, argc=0, argv=0x7ff5514bc188, vp=0x7fff72144a28) at /home/nils/firefox/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1505
(More stack frames follow...)

Code:
(gdb) list
300	NS_IMETHODIMP nsTreeSelection::GetSingle(PRBool* aSingle)
301	{
302	  nsCOMPtr<nsIBoxObject> boxObject = do_QueryInterface(mTree);
303	
304	  nsCOMPtr<nsIDOMElement> element;
305	  boxObject->GetElement(getter_AddRefs(element));
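The listing above shows the whole defect: do_QueryInterface(mTree) can yield a null nsCOMPtr (the debug assertion confirms mRawPtr == 0) and the very next line calls through it. The following is an added C++ example written for this page, not Mozilla code: it models that shape with small stand-in types (TreeSelection, Supports, BoxObject, queryBoxObject, ENSURE_TRUE and the suffixed nsresult constants are all hypothetical names chosen to avoid colliding with the real XPCOM ones) and puts the unchecked getter beside a hardened one that bails out with an error code, the way the NS_ENSURE_TRUE idiom does in Gecko. Whether this matches the fix tracked under bug 399227 is not stated on this page.

```cpp
// Added example: model of the null-deref pattern in nsTreeSelection::GetSingle.
// Not Mozilla code; all names below are stand-ins.
#include <cstdint>
#include <cstdio>

// Stand-in for nsresult plus two real XPCOM error code values (from nsError.h).
typedef uint32_t nsresult_t;
static const nsresult_t NS_OK_                = 0x00000000;
static const nsresult_t NS_ERROR_UNEXPECTED_  = 0x8000FFFF;
static const nsresult_t NS_ERROR_INVALID_ARG_ = 0x80070057;

// Local equivalent of Gecko's NS_ENSURE_TRUE(cond, rv) early-return idiom.
#define ENSURE_TRUE(cond, rv) do { if (!(cond)) return (rv); } while (0)

struct Element { bool singleSelect; };   // hypothetical: the state GetSingle reports

// Interface reached through QueryInterface; a virtual call, as in XPCOM, so a
// null receiver means reading a vtable pointer from the null page.
struct BoxObject {
    virtual ~BoxObject() {}
    virtual void getElement(Element** out) = 0;
};

// Anything the selection can point at. By default it does NOT implement BoxObject.
struct Supports {
    virtual ~Supports() {}
    virtual BoxObject* queryBoxObject() { return nullptr; }
};

struct TreeBoxObject : Supports {
    struct Impl : BoxObject {
        Element* element = nullptr;
        void getElement(Element** out) override { *out = element; }
    } box;
    BoxObject* queryBoxObject() override { return &box; }
};

struct NotATree : Supports {};   // e.g. the selection outlived or lost its tree

// Plays the role of do_QueryInterface(mTree): null or unsupported -> nullptr.
static BoxObject* queryBoxObject(Supports* tree) {
    return tree ? tree->queryBoxObject() : nullptr;
}

struct TreeSelection {
    Supports* mTree;   // non-owning, like nsTreeSelection::mTree

    // Vulnerable shape, mirroring the gdb listing: QI result used unchecked.
    nsresult_t getSingleUnchecked(bool* aSingle) {
        BoxObject* boxObject = queryBoxObject(mTree);
        Element* element = nullptr;
        boxObject->getElement(&element);   // null deref when mTree is null or not a box object
        *aSingle = element->singleSelect;
        return NS_OK_;
    }

    // Hardened shape: every pointer that can legitimately be null is checked and
    // failure is reported as an nsresult, which XPConnect surfaces to the JS
    // caller as an exception instead of a process crash.
    nsresult_t getSingleChecked(bool* aSingle) {
        ENSURE_TRUE(aSingle, NS_ERROR_INVALID_ARG_);
        BoxObject* boxObject = queryBoxObject(mTree);
        ENSURE_TRUE(boxObject, NS_ERROR_UNEXPECTED_);
        Element* element = nullptr;
        boxObject->getElement(&element);
        ENSURE_TRUE(element, NS_ERROR_UNEXPECTED_);
        *aSingle = element->singleSelect;
        return NS_OK_;
    }
};

int main() {
    Element el{true};
    TreeBoxObject tree;
    tree.box.element = &el;
    TreeSelection sel{&tree};
    bool single = false;
    std::printf("attached tree: rv=0x%08x single=%d\n",
                (unsigned)sel.getSingleChecked(&single), (int)single);
    sel.mTree = nullptr;   // the state the testcase drives GetSingle into
    std::printf("detached tree: rv=0x%08x (unchecked variant would crash here)\n",
                (unsigned)sel.getSingleChecked(&single));
    return 0;
}
```

Because getElement is a virtual call, the faulting access in the unchecked variant is a read of a function pointer through a null-based address, which is exactly the pattern crash-triage heuristics describe as "data from faulting address controls code flow"; without a mapping at the null page that read only terminates the process, which is consistent with the [sg:dos] whiteboard tag on this bug.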
Severity: normal → critical
Component: General → XP Toolkit/Widgets: XUL
Keywords: crash
Product: Firefox → Core
QA Contact: general → xptoolkit.xul
Summary: XUL Tree Selection Null-Deref getSingle() → XUL Tree Selection Null-Deref [@ nsTreeSelection::GetSingle ]
Version: unspecified → Trunk
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase
Whiteboard: [sg:dos] null deref
!exploitable output for 1.9.0 debug builds: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!nsTreeSelection::GetSingle+0x0000000000000056 (Hash=0x7513130a.0x386e5f5f)
Flags: blocking1.9.0.15?
Assignee: nobody → Olli.Pettay
Flags: blocking1.9.0.15? → wanted1.9.0.x+
This is a dup of bug 399227.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ nsTreeSelection::GetSingle ]
Component: XP Toolkit/Widgets: XUL → XUL