Closed
Bug 667092
Opened 14 years ago
Closed 14 years ago
Crash [@ DocumentViewerImpl::Print] with onbeforeprint
Categories: Core :: Printing: Output, defect
Status: VERIFIED FIXED
Target Milestone: mozilla7
Release | Tracking | Status
---|---|---
firefox5 | --- | unaffected
firefox6 | + | fixed
firefox7 | + | fixed
status1.9.2 | --- | unaffected
status1.9.1 | --- | unaffected
People
(Reporter: martijn.martijn, Assigned: smaug)
References
Details
(4 keywords, Whiteboard: [sg:critical?] [landed m-c 7/01] [dveditz nom'd] [qa!])
Attachments (2 files)
Attachment 1: 279 bytes, text/html
Attachment 2 (#543243, "patch"): 941 bytes, patch; jst: review+; johnath: approval-mozilla-beta+
See the testcase, which crashes the current trunk build. I guess it's a regression from bug 307258.
https://crash-stats.mozilla.com/report/index/bp-19109731-87bb-4b70-b586-98d902110624
0 xul.dll DocumentViewerImpl::Print layout/base/nsDocumentViewer.cpp:3694
1 xul.dll nsGlobalWindow::Print dom/base/nsGlobalWindow.cpp:5112
2 xul.dll nsGlobalWindow::Print dom/base/nsGlobalWindow.cpp:5077
3 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
4 xul.dll XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1607
5 mozjs.dll js::Invoke js/src/jsinterp.cpp:656
6 mozjs.dll js::Interpret js/src/jsinterp.cpp:4550
7 mozjs.dll js::RunScript js/src/jsinterp.cpp:613
8 mozjs.dll js::Invoke js/src/jsinterp.cpp:686
9 mozjs.dll js::ExternalInvoke js/src/jsinterp.cpp:805
10 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5098
11 xul.dll nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:1900
12 xul.dll nsGlobalWindow::RunTimeout dom/base/nsGlobalWindow.cpp:9211
13 xul.dll nsGlobalWindow::TimerCallback dom/base/nsGlobalWindow.cpp:9552
14 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:424
15 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:520
16 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:618
17 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110
18 xul.dll xul.dll@0xb6560f
etc.
The iframe content is this:
<script>
setTimeout(function() {window.print();}, 10);
</script>
<frameset onbeforeprint="window.frameElement.parentNode.removeChild(window.frameElement)"></frameset>
Updated•14 years ago
Group: core-security
Updated•14 years ago
Assignee: nobody → Olli.Pettay
Comment 1•14 years ago
Going to assume Olli hid the bug because it looks exploitable. It's a near-null dereference, but hard to see how that works given the code flagged in the crash-stack, so it's hard to say if the bad value could end up being something else or used in a bad way.
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
status-firefox5:
--- → unaffected
status-firefox6:
--- → affected
status-firefox7:
--- → affected
tracking-firefox6:
--- → ?
tracking-firefox7:
--- → +
Keywords: regression
Whiteboard: [sg:critical?]
Comment 2•14 years ago
This indeed looks like a null-pointer crash.
Patch coming.
Comment 3•14 years ago
If ::Destroy is called because of beforeprint, mDeviceContext becomes null.
Attachment #543243 - Flags: review?(jst)
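As an added illustration of the pattern comment 3 describes (this is hypothetical code written for this page, not Gecko source and not one of the bug's attachments): a viewer whose Print() dispatches script-visible beforeprint handlers. A handler that tears the viewer down (here Destroy(), standing in for what removing the frame does) nulls the device-context pointer, and the hardened Print() re-checks that pointer after control returns from script instead of trusting the check made before the event fired. The Viewer/DeviceContext names, the Result values and RunScenario() are all assumptions.

```cpp
// Hypothetical re-creation of the bug pattern, not Gecko code.
// Viewer stands in for DocumentViewerImpl, mDeviceContext for its member.
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

struct DeviceContext {
    int pagesPrinted = 0;
};

enum class Result { Ok, ErrorNotAvailable };

class Viewer {
public:
    Viewer() : mDeviceContext(std::make_unique<DeviceContext>()) {}

    // Script registers "beforeprint" handlers; they run inside Print().
    void AddBeforePrintHandler(std::function<void(Viewer&)> h) {
        mHandlers.push_back(std::move(h));
    }

    // Mirrors ::Destroy: tears down viewer state, including the device context.
    void Destroy() { mDeviceContext.reset(); }

    // Unguarded: checks the pointer once, then lets script run. If a handler
    // calls Destroy(), the dereference after the dispatch is a null-pointer
    // access, which is the crash reported in this bug.
    Result PrintUnguarded() {
        if (!mDeviceContext) return Result::ErrorNotAvailable;
        DispatchBeforePrint();
        mDeviceContext->pagesPrinted++;   // null if a handler destroyed us
        return Result::Ok;
    }

    // Guarded: anything script can invalidate is re-checked after the
    // script-visible event has been dispatched.
    Result PrintGuarded() {
        if (!mDeviceContext) return Result::ErrorNotAvailable;
        DispatchBeforePrint();
        if (!mDeviceContext) return Result::ErrorNotAvailable; // re-check
        mDeviceContext->pagesPrinted++;
        return Result::Ok;
    }

private:
    void DispatchBeforePrint() {
        // Iterate over a copy: a handler may mutate the viewer while running.
        auto handlers = mHandlers;
        for (auto& h : handlers) h(*this);
    }
    std::unique_ptr<DeviceContext> mDeviceContext;
    std::vector<std::function<void(Viewer&)>> mHandlers;
};

// Drives the testcase scenario: a beforeprint handler removes the frame
// (modelled as Destroy()) while print() is in progress.
Result RunScenario(bool guarded, bool handlerDestroys) {
    Viewer v;
    if (handlerDestroys) {
        v.AddBeforePrintHandler([](Viewer& self) { self.Destroy(); });
    }
    return guarded ? v.PrintGuarded() : v.PrintUnguarded();
}

int main() {
    // Only the guarded path is safe to run with a destroying handler.
    Result r = RunScenario(true, true);
    std::printf("guarded print with destroying handler: %s\n",
                r == Result::ErrorNotAvailable ? "refused (no crash)" : "printed");
    return 0;
}
```

The check that matters is the second one in PrintGuarded(): a single null check before an event is dispatched proves nothing about the object's state afterwards, because the event handler runs arbitrary page script.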
Updated•14 years ago
Attachment #543243 - Flags: review?(jst) → review+
Comment 4•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 5•14 years ago
I made changes to my DOM fuzzer that should allow it to find bugs like this (but with very low probability, I think). 1a3951936f66, 3e91c7dcea51
Updated•14 years ago
Target Milestone: --- → mozilla7
Updated•14 years ago
Attachment #543243 - Flags: approval-mozilla-beta?
Comment 6•14 years ago
We'll get to this approval request on Monday's 2pm PT triage.
Whiteboard: [sg:critical?] → [sg:critical?] [landed m-c 7/01] [dveditz nom'd]
Comment 7•14 years ago
Comment on attachment 543243 [details] [diff] [review]
patch
Get it in quickly, please!
Attachment #543243 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 8•14 years ago
qa+ for fix verification in Firefox 7
Whiteboard: [sg:critical?] [landed m-c 7/01] [dveditz nom'd] → [sg:critical?] [landed m-c 7/01] [dveditz nom'd] [qa+]
Comment 10•13 years ago
Verified that the testcase no longer crashes on Win7 with Firefox 7: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0) Gecko/20100101 Firefox/7.0
Comment 11•13 years ago
No crash on OS X 10.7 with Firefox 7 either: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:7.0) Gecko/20100101 Firefox/7.0
Comment 12•13 years ago
Verified fixed based on comments 10 and 11.
Status: RESOLVED → VERIFIED
Keywords: verified-beta
Whiteboard: [sg:critical?] [landed m-c 7/01] [dveditz nom'd] [qa+] → [sg:critical?] [landed m-c 7/01] [dveditz nom'd] [qa!]
Updated•13 years ago
Group: core-security