Closed Bug 690055 Opened 13 years ago Closed 13 years ago

Crafted HTML tables can cause print preview to crash Firefox 7.0

Categories

(Firefox :: Security, defect)

7 Branch
x86
Windows 7
defect
Not set
normal

RESOLVED DUPLICATE of bug 642088

People

(Reporter: hunter, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0
Build ID: 20110922153450

Steps to reproduce:

I have discovered a bug that can crash Firefox 7.0 in print or print preview mode simply by crafting a small amount of HTML table code. 

Details are below, proof of concept is included, crash report's in "What Happened." I'm putting this in the security section just to be on the safe side, since it allows the software to be crashed. 

Here's what I've found out so far, but it's not fully narrowed down:

- There must be more than one <table> on the page.
- These tables must have a <caption> tag.
- There must be a heading in each table with a <thead> tag.
- These tables must span more than one page in print preview.
- There must be multiple <tfoot> tags. 
- The <tfoot> tags should include a <td> tag spanning the entire column via the colspan attribute.
- <tbody> tags were omitted, but it seems to make no difference if they're added.
- It will still crash with a style="visibility: hidden;" attribute on the <table> tag.
- HTML 4.01 Strict Standards compliance mode rendering is enabled.

Other Notes:

- Firefox version was 7.0 on Win7 [Version 6.1.7601]
- Repeated it on a clean install of Windows Virtual PC - XP Mode with doPDF7 being used as a dummy printer.
- It happens in safe mode too.

If you need anything else, send me an e-mail. Thanks!


Actual results:

AdapterDeviceID: 7183
AdapterVendorID: 1002
AvailableVirtualMemory: 1903828992
BuildID: 20110922153450
CrashTime: 1317238744
EMCheckCompatibility: true
FramePoisonBase: 00000000f0de0000
FramePoisonSize: 65536
InstallTime: 1317224682
Notes: AdapterVendorID: 1002, AdapterDeviceID: 7183, AdapterDriverVersion: 8.56.1.16

ProductName: Firefox
ReleaseChannel: release
SecondsSinceLastCrash: 314
StartupTime: 1317238733
SystemMemoryUsePercentage: 36
Theme: classic/1.0
Throttleable: 1
TotalVirtualMemory: 2147352576
Vendor: Mozilla
Version: 7.0

This report also contains technical information about the state of the application when it crashed.


Expected results:

HTML tables, no matter how bizarrely crafted, should not have crashed the software, I suppose.
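
An added triage example, not part of the original report, its attachment, or Mozilla's code: a static check that flags HTML matching the structural conditions listed in the report above. It assumes "multiple <tfoot> tags" means at least two qualifying tables in one document; whether the tables span more than one printed page cannot be checked statically, and the names `scan_tables` and `matches_reported_shape` are hypothetical.

```python
from html.parser import HTMLParser


class TableShapeScanner(HTMLParser):
    """Record, for each <table>, the structural features listed in the report."""

    def __init__(self):
        super().__init__()
        self.tables = []   # one feature dict per <table>, in document order
        self._open = []    # stack of currently open tables (handles nesting)

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            info = {"caption": False, "thead": False, "tfoot": 0,
                    "tfoot_colspan": False, "in_tfoot": False}
            self.tables.append(info)
            self._open.append(info)
            return
        if not self._open:
            return
        cur = self._open[-1]
        if tag == "caption":
            cur["caption"] = True
        elif tag in ("thead", "tbody"):
            cur["in_tfoot"] = False   # a </tfoot> end tag may have been omitted
            cur["thead"] = cur["thead"] or tag == "thead"
        elif tag == "tfoot":
            cur["tfoot"] += 1
            cur["in_tfoot"] = True
        elif tag == "td" and cur["in_tfoot"]:
            span = dict(attrs).get("colspan") or ""
            if span.isdigit() and int(span) > 1:
                cur["tfoot_colspan"] = True

    def handle_endtag(self, tag):
        if not self._open:
            return
        if tag == "tfoot":
            self._open[-1]["in_tfoot"] = False
        elif tag == "table":
            self._open.pop()


def scan_tables(html):
    """Return the per-table feature dicts for an HTML string."""
    scanner = TableShapeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.tables


def matches_reported_shape(html):
    """True when two or more tables each have caption, thead and a colspan tfoot cell."""
    hits = [t for t in scan_tables(html)
            if t["caption"] and t["thead"] and t["tfoot_colspan"]]
    return len(hits) >= 2
```

A match only means the markup has the reported shape; confirming the crash still requires print preview on an affected build.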
Attachment #563149 - Attachment mime type: text/plain → text/html
I couldn't reproduce with yesterday's nightly build, I was able to print-preview and print-to-XPS. Do you get a Firefox crash reporting dialog? If so can you check about:crashes and give us some crash report IDs?
Here's one from my Win7 system in Firefox safe mode:

https://crash-stats.mozilla.com/report/index/c85349e3-91a9-4c55-b3d3-ad5bb2110928

Here's another from my WinXP Virtual PC:

https://crash-stats.mozilla.com/report/index/a8d4caeb-bac5-4e97-b671-f24582110928
Excellent! Turns out this is a dup of bug 642088, which isn't exploitable.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE