Closed Bug 545927 Opened 16 years ago Closed 16 years ago

xslt number formatting function crashes on big numbers [@ txRomanCounter::appendNumber(int, nsAString_internal&) ]

Categories

(Core :: XSLT, defect)

Product:
Core
Component:
XSLT
Version:
1.9.2 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking1.9.2 --- .7+
status1.9.2 --- .7-fixed
blocking1.9.1 --- .11+
status1.9.1 --- .11-fixed

People

(Reporter: serg.glazunov, Assigned: bzbarsky)

References

(
URL
)

Details

(4 keywords)

Crash Data

Attachments

(2 files, 2 obsolete files)

one file javascript version
719 bytes, text/html
Details
Proposed fix
2.48 KB, patch
sicking
: review+
dveditz
: approval1.9.2.7+
dveditz
: approval1.9.1.11+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2) Gecko/20100115 Firefox/3.6 Mozilla crashes while transforms a large number (like 1000000000000000) into the Roman numeral system using XSLT (<xsl:number value="1000000000000000" format="i"/>). Reproducible: Always
Attached file malformed xslt document (obsolete) —
Attached file xml file to open (obsolete) —
I don't crash using Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6. I tried using a trunk build and it seemed when I tried to shut down that Minefield closed. Do you have a crash report from about:crashes (in the URL bar)?
i found out where the bug in the code is. there is the check in the txRomanCounter::appendNumber method: if (aNumber >= 4000) { but aNumber is considered as signed int, so it passes the check if it equals at least 2147483648.
0 xul.dll txRomanCounter::appendNumber content/xslt/src/xslt/txXSLTNumberCounters.cpp:239 1 xul.dll txXSLTNumber::createNumber content/xslt/src/xslt/txXSLTNumber.cpp:94 2 xul.dll txNumber::execute content/xslt/src/xslt/txInstructions.cpp:597 3 xul.dll txXSLTProcessor::execute content/xslt/src/xslt/txXSLTProcessor.cpp:104 4 xul.dll txMozillaXSLTProcessor::TransformToDoc content/xslt/src/xslt/txMozillaXSLTProcessor.cpp:683
Status: UNCONFIRMED → NEW
Component: General → XSLT
Ever confirmed: true
Keywords: crash
Product: Firefox → Core
QA Contact: general → xslt
Summary: xslt number formatting function crashes on big numbers → xslt number formatting function crashes on big numbers [@ txRomanCounter::appendNumber(int, nsAString_internal&) ]
Version: unspecified → 1.9.2 Branch
Attachment #426745 - Attachment is obsolete: true
Attachment #426746 - Attachment is obsolete: true
Attached patch Proposed fixSplinter Review
Serg, thank you for the testcase and analysis!
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #427251 - Flags: review?(jonas)
Comment on attachment 427251 [details] [diff] [review] Proposed fix Sweet, thanks guys!
Attachment #427251 - Flags: review?(jonas) → review+
Keywords: testcase
Pushed as http://hg.mozilla.org/mozilla-central/rev/4c8923d18e2e I guess we should try to get this in on the branch too....
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Comment on attachment 427251 [details] [diff] [review] Proposed fix Requesting approval for this "don't try to read memory we haven't mapped" fix.
Attachment #427251 - Flags: approval1.9.2.2?
Comment on attachment 427251 [details] [diff] [review] Proposed fix Uhm, isn't that the very definition of a security bug?
Attachment #427251 - Flags: approval1.9.2.2? → approval1.9.2.3?
> Uhm, isn't that the very definition of a security bug? Well, it can be, yes.
blocking1.9.2: --- → ?
Attachment #427251 - Flags: approval1.9.2.4? → approval1.9.2.5?
Is the 1.9.1 branch affected as well?
blocking1.9.1: --- → ?
blocking1.9.2: ? → .5+
status1.9.1: --- → ?
status1.9.2: --- → wanted
Attachment #427251 - Flags: approval1.9.2.5? → approval1.9.2.5+
Comment on attachment 427251 [details] [diff] [review] Proposed fix Approved for 1.9.2.5, a=dveditz for release-drivers
blocking1.9.1: ? → .11+
blocking1.9.2: .5+ → .6+
status1.9.1: ?wanted
> Is the 1.9.1 branch affected as well? Yes.
Attachment #427251 - Flags: approval1.9.1.11?
Pushed http://hg.mozilla.org/releases/mozilla-1.9.2/rev/db34c710c17e Here's hoping I'm setting the status flag right... (i.e. NOT matching the approval flag).
status1.9.2: wanted.6-fixed
Comment on attachment 427251 [details] [diff] [review] Proposed fix You did that right, thanks. We're a little off-kilter due to the decision to split Fennec 1.1 off mid-release. Approved for 1.9.1.11, a=dveditz
Attachment #427251 - Flags: approval1.9.2.6+
Attachment #427251 - Flags: approval1.9.2.5+
Attachment #427251 - Flags: approval1.9.1.11?
Attachment #427251 - Flags: approval1.9.1.11+
Verified for 1.9.1.11 using testcase in comment 7 (which crashes 1.9.1.10): Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.11) Gecko/20100701 Firefox/3.5.11 (.NET CLR 3.5.30729). Verified for 1.9.2.7 the same way with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7 (.NET CLR 3.5.30729).
Keywords: verified1.9.1, verified1.9.2
Crash Signature: [@ txRomanCounter::appendNumber(int, nsAString_internal&) ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: