Closed Bug 701806 Opened 13 years ago Closed 13 years ago

Crash [@0x0 | txStylesheetCompiler::flushCharacters]

Categories

(Core :: XSLT, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 702466

People

(Reporter: aki.helin, Unassigned)

Details

(Whiteboard: [sg:dupe 702466])

Attachments

(1 file)

Opening the attached SVG causes a crash with null IP. The SVG uses XSL transforms.

I'm reporting this as a potential security issue even though the crash is a null, because some common ways to get a null IP (e.g. stack buffer overflow) are more likely exploitable than run-of-the-mill null reads.

Crash traces (from 64-bit Debian 6.0.3):
 8.0 - https://crash-stats.mozilla.com/report/index/bp-c39ae37b-3dfe-4cf0-8f66-257cc2111111
 9.0 beta - https://crash-stats.mozilla.com/report/index/bp-ff091148-d992-4daa-a7d5-985e42111111
Added URL to the same testcase because loading the attached testcase gives "Error loading stylesheet: An unknown error has occurred (805303f4)". Works via the link here.
Don't like forward duping, but bug 702466 looks like the same thing and already has some developers and analysis on it.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 702466]
OK. The main thing is that it's being worked on.
Component: General → XSLT
Product: Firefox → Core
QA Contact: general → xslt
Version: 8 Branch → Trunk
This problem has been assigned CVE-2012-0449 (over in bug 702466, but since this was the first report wanted to make sure it was noted here, too).
Group: core-security
Flags: sec-bounty+