On Mac 3.5.11pre and 3.6.6pre it looks like a null-deref DoS.
3.5: bp-2d7a4637-6ce5-47b0-867c-a41ca2100609
3.6: bp-c584be08-5186-402e-bee2-f6af42100609

I get a similar Mac trunk crash to Reed's Linux one above.
bp-e901aaaf-6b71-4603-8d96-64f722100609

The code looks the same though, so I'd expect all versions to have the same issues as described in comment 0.
Created attachment 450359: simple version

Make sure nsTreeRange is created in a proper way. Other cases where nsTreeRange is created manually without the macro are safe.
Comment on attachment 450359: simple version

>+ PRInt32 start = macro_start; \

Not sure why you created a temporary for macro_start but still double-evaluated macro_end?

>+ PRInt32 end = start < macro_end ? macro_end : start; \

Nit: start > macro_end is the (hopefully unlikely) bug case; start = macro_end and start < macro_end are equally likely, so this hurts branch prediction.
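The two review points above (an argument expanded twice inside a macro, and putting the rare start > end case on the taken branch) can be shown with a small stand-alone C++ snippet. This is an added illustration, not Mozilla's nsTreeRange code or the attached patch: the `Range` struct, the macro names, `countedEnd` and the helper functions are assumptions chosen for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>

// Added illustration, not Mozilla's code. PRInt32 is aliased so the snippet
// compiles without the NSPR headers.
typedef int32_t PRInt32;

// Hypothetical range type standing in for nsTreeRange's start/end fields.
struct Range {
  PRInt32 mStart;
  PRInt32 mEnd;
};

// Evaluation counter so a caller can observe how often an argument
// expression was actually run by the macro expansion.
static int gEndEvalCount = 0;
static PRInt32 countedEnd(PRInt32 v) { ++gEndEvalCount; return v; }

// Shape of the first patch as quoted in the review: macro_start is copied to
// a temporary, but macro_end still appears twice in the expansion, so a
// side-effecting argument runs once or twice depending on the comparison.
#define MAKE_RANGE_DOUBLE_EVAL(var, macro_start, macro_end)                   \
  PRInt32 var##_start = (macro_start);                                        \
  PRInt32 var##_end = var##_start < (macro_end) ? (macro_end) : var##_start;  \
  Range var = { var##_start, var##_end }

// Reviewer's suggestion applied: both arguments land in temporaries exactly
// once, and only the unlikely start > end case takes the branch.
#define MAKE_RANGE_SINGLE_EVAL(var, macro_start, macro_end)                   \
  PRInt32 var##_start = (macro_start);                                        \
  PRInt32 var##_end = (macro_end);                                            \
  if (var##_end < var##_start) var##_end = var##_start;                       \
  Range var = { var##_start, var##_end }

// How many times the end argument is evaluated by the double-eval macro
// (expected: 2 when start < end, 1 otherwise).
int endEvaluationsDoubleEval(PRInt32 s, PRInt32 e) {
  gEndEvalCount = 0;
  MAKE_RANGE_DOUBLE_EVAL(r, s, countedEnd(e));
  (void)r;
  return gEndEvalCount;
}

// Same measurement for the single-eval macro (expected: always 1).
int endEvaluationsSingleEval(PRInt32 s, PRInt32 e) {
  gEndEvalCount = 0;
  MAKE_RANGE_SINGLE_EVAL(r, s, countedEnd(e));
  (void)r;
  return gEndEvalCount;
}

// Builds a normalised range with the single-eval macro so callers can check
// the start <= end invariant the bug case violates.
Range makeRange(PRInt32 s, PRInt32 e) {
  MAKE_RANGE_SINGLE_EVAL(r, s, e);
  return r;
}

bool rangeIsOrdered(const Range& r) { return r.mStart <= r.mEnd; }

int main() {
  std::printf("double-eval macro, start<end: %d evaluations\n",
              endEvaluationsDoubleEval(2, 5));
  std::printf("single-eval macro, start<end: %d evaluations\n",
              endEvaluationsSingleEval(2, 5));
  Range r = makeRange(5, 2);
  std::printf("makeRange(5, 2) -> [%d, %d]\n", r.mStart, r.mEnd);
  return 0;
}
```

The point of the counter is that with the double-eval form the number of times `macro_end` runs depends on the data, which is exactly the kind of surprise the review asks to remove by copying both arguments to temporaries first.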
OK, I'll tweak the patch a bit.
I'll update the patch tomorrow.
Created attachment 451552: patch
Comment on attachment 451552: patch

Approved for 18.104.22.168 and 22.214.171.124, a=dveditz for release-drivers
Verified for 126.96.36.199 using the attached testcase and build 1 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52) Gecko/20100701 Firefox/3.5.11 (.NET CLR 3.5.30729)).
Verified for 184.108.40.206 with its build 1 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11) Gecko/20100701 Firefox/3.6.7 (.NET CLR 3.5.30729)).
Verified that 18.104.22.168 and 22.214.171.124 both crash with the testcase.
Comment on attachment 451552: patch

Requesting approval1.9.0.next on this patch so that we can take it in upcoming Camino 2.0.x security and stability updates. If approved, I'll handle the checkins, unless the patch author requests otherwise.
Comment on attachment 451552: patch

Approved for 126.96.36.199, a=dveditz
Checking in layout/xul/base/src/tree/src/nsTreeSelection.cpp;
/cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp,v  <--  nsTreeSelection.cpp
new revision: 1.63; previous revision: 1.62
done
We need an in-tree regression test for this.
Making private again while we fix bug 585815.