browser crashes in JSDOM.DLL while opening document

VERIFIED FIXED in mozilla0.9

Status

()

--
critical
VERIFIED FIXED
18 years ago
18 years ago

People

(Reporter: vegaj, Assigned: jst)

Tracking

({crash})

Trunk
mozilla0.9
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [HAVE FIX], URL)

Attachments

(2 attachments)

(Reporter)

Description

18 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; 0.8.1) Gecko/20010316
BuildID:    2001031604

In Knoxville, TN, there's an ISP that uses router based url modification to
display advertisements to its subscribers, in return for lower rates.  They do
this by adding a JavaScript frame around the page requested.  (See
http://www.ntown.net)  As a result, when Mozilla displays any otherwise valid web page
through this ISP, the injected JavaScript triggers: "MOZILLA caused an invalid page fault in module
JSDOM.DLL at 015f:60b80bd8."

Reproducible: Always
Steps to Reproduce:
Snip and attempt to open this document
===BEGIN ==============================
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- saved from url=(0045)http://webmail.utk.edu/MBX/alokey/ID=3AABA307 -->

<HTML><HEAD><TITLE>webmail.utk.edu/MBX/alokey/ID=3AABA307</TITLE>

<META http-equiv=Content-Type content="text/html; charset=windows-1252">

<SCRIPT language=JavaScript>

// Per the bug description, this script is not part of the requested page: the
// ISP's router adds it to wrap the page in an advertising frameset.
// The globals below are shared by every function in the script; the URL
// strings are all assigned by def_url_vars().
//   a     - sURL plus the current location.hash
//   sURL  - URL of the page being wrapped
//   g     - sURL with a "_wsgeturl..._" marker, depth and hash appended
//   gtop  - sURL with a "_wsgettop..._" marker, depth and hash appended
//   s     - banner (bnr.html) URL written into the first frame's SRC
//   depth - two-character nesting marker; "00" until the frame walk sets it
//   x     - XPR.shtml URL loaded into top.StreetFeed.NFeedXPRFrame
var a     = "";
var sURL  = "";
var g     = "";
var gtop  = "";
var s     = "";
var depth = "00";
var x     = "";

// window.onerror handler used for most of the script.
// It ignores its arguments (err_msg, url, line) and navigates the current
// window instead: to g when this window is not the frame named '_' and
// depth is not "00", otherwise to gtop.
// Returning true marks the error as handled, so the browser reports nothing.
// NOTE(review): once this handler is installed, script errors on the page are
// hidden from the user, which makes the wrapper's failures hard to diagnose.
function ignoreError( err_msg, url, line )
{
  if( ( self.name != '_' ) && ( depth != "00" ) )
  {
    location.replace( g );
  }
  else
  {
    location.replace( gtop );
  }

  return true;
}

// Install the error-suppressing handler before any other top-level code runs.
window.onerror = ignoreError;

// Alternative window.onerror handler: sends the top-level window to a (the
// wrapped page URL plus hash) and returns true so the error is not reported.
// The top-level code installs it only around the NFeedXPRFrame access.
function reload_top( err_msg, url, line )
{
  top.location = a;
  return true;
}
// (Re)computes every URL global from the hard-coded page URL, the current
// location.hash and the current value of depth. It is called twice: once
// before and once after depth is derived from the frame nesting.
// location.hash is appended raw to a, g and gtop. In x and s the whole of a
// is passed through the legacy escape() function as the RefreshURL value.
// NOTE(review): the long string literals below are split across lines as
// pasted into the report (likely wrapped by the bug tracker); treat the
// attached testcase, not this listing, as the authoritative reproduction.
function def_url_vars()
{
  sURL = "http://webmail.utk.edu/MBX/alokey/ID=3AABA307";
  a    = sURL + location.hash;
x =
"http://commcenter.message-exchange.com/!~@/2/XPR.shtml?UserId=7506&AdServerIP=208.245.096.228&RefreshURL="+escape(a);
  g    = sURL + "&_wsgeturl3aa822162302c8a0_"+depth+location.hash;
  gtop = sURL + "&_wsgettop3aa822162302c8a0_"+depth+location.hash;
  s    =
"http://commcenter.message-exchange.com/!~@/2/bnr.html?UserID=7506&AdServerIP=208.245.096.228&GroupID=2&NtownDefaultIndex=0&ip=208.245.98.126&RefreshURL="
+ escape( a ) +"";

}

// First pass: build the URLs with the initial depth of "00".
def_url_vars();

// Called through the "javascript:top.setsrc_func();" URL that the top-level
// code writes as the SRC of the frame named '_'.
// If the document body is narrower than 580 pixels, the top window is replaced
// with g cut at its last '_' and suffixed with "_ff" plus the hash.
// Otherwise gtop is loaded into the '_' frame and that frame is focused.
// NOTE(review): this function belongs to the document that document.open()
// replaces, yet it is reached via top from the new frameset. The report does
// not say whether this call is the faulting path; confirm against the fix.
function setsrc_func()
{
  if( document.body.offsetWidth < 580 )
  {
    top.location.replace( g.substring( 0, g.lastIndexOf( '_' ) ) + "_ff" +
location.hash );
  }
  else
  {
    top._.location.replace( gtop );
    top._.focus();
  }
} // end setsrc_func()

// Work out how deeply this window is nested below top.
// win_obj starts as the string "parent" and grows by ".parent" per iteration;
// count_depth counts the iterations until the evaluated expression is top.
var count_depth = 0;
var win_obj     = "parent";

// NOTE(review): eval() runs a string built only from the literals above, so
// no external input reaches it here. Following the parent property in a plain
// loop would give the same count without eval.
while( eval(win_obj) != top )
{
  win_obj += ".parent";
  count_depth++;
}

// Encode the count into depth: zero-padded string below 10, otherwise the
// raw number (so depth stops being a string in that branch).
if( count_depth < 10 )
{
  depth = "0" + count_depth;
}
else
{
  depth = count_depth;
}

// A framed window whose top does not hold exactly two frames is marked "ff".
if( ( self != top ) && ( top.frames.length != 2 ) )
{
  depth = "ff";
}

// Second pass: rebuild g and gtop so they carry the depth computed above.
def_url_vars();

// Main dispatch.
// Case 1: top has no frames. The current document is replaced by a two-row
// frameset: frame 'StreetFeed' loads the banner URL s, and frame '_' gets a
// javascript: URL that calls top.setsrc_func().
// s is placed inside a single-quoted SRC attribute. Its only variable part is
// escape(a), and escape() percent-encodes quote characters, so the hash
// cannot close the attribute here.
// NOTE(review): document.open( ..., "replace" ) discards the document whose
// script is still running. Comment 7 of the report points at this frame
// construction, but which statement faults is not stated; confirm it.
// NOTE(review): the first FRAME string literal is split across two lines as
// pasted (likely wrapped by the bug tracker); use the attached testcase to
// reproduce.
if( top.frames.length == 0 )
{
  document.open( "text/html", "replace" );
  document.write( "<FRAMESET ROWS='51,*' BORDER=0 FRAMEBORDER=0>");
  document.writeln( "<FRAME SRC='" + s + "' NAME='StreetFeed' NORESIZE
MARGINHEIGHT=0 SCROLLING=NO TABINDEX=-1>" );
  document.write( "<FRAME NAME='_' MARGINHEIGHT=0 " );
  document.writeln( "SRC=\"javascript:top.setsrc_func();\">" );
  document.writeln( "</FRAMESET>" );
  document.close();
}
else
{
  // Case 2: frames already exist. A window that is not the '_' frame and is
  // not at depth "00" navigates itself to g.
  if( ( self.name != '_' ) && ( depth != "00" ) )
  {
    location.replace( g );
  }
  else
  {
    // Case 3: reload_top is the error handler only while the nested ad frame
    // is touched. If that access raises an error, top is sent to a and the
    // two statements after it do not run.
    window.onerror=reload_top;
    top.StreetFeed.NFeedXPRFrame.location.replace( x );
    window.onerror=ignoreError;
    location.replace( gtop );
  }
}
</SCRIPT>

<NOSCRIPT>

<META content="MSHTML 5.50.4611.1300" name=GENERATOR></HEAD>

<BODY>

<CENTER><FONT color=#ff0000>In order to continue you need to enable JavaScript 

in your browser.</FONT><BR><FONT color=#ff0000>Please call Message Exchange 

Customer Support if you need assistance.</FONT> 

</CENTER></NOSCRIPT></BODY></HTML>
===END==============================

Actual Results:  Crash

Expected Results:  In this specific example, the url
"http://webmail.utk.edu/MBX/alokey/ID=3AABA307" should be opened (which will
just prompt for a password).  However, this is the standard template for any
otherwise valid webpage - the javascript provided frames any requested page.

MOZILLA caused an invalid page fault in
module JSDOM.DLL at 015f:60b80bd8.
Registers:
EAX=00000000 CS=015f EIP=60b80bd8 EFLGS=00010246
EBX=00000000 SS=0167 ESP=0068f4b8 EBP=0068f4dc
ECX=00000000 DS=0167 ESI=00000000 FS=20f7
EDX=0068f4b0 ES=0167 EDI=0068f5a0 GS=0000
Bytes at CS:EIP:
8b 01 ff 50 1c 89 07 8d 4d 08 e8 c1 33 03 00 5f 
Stack dump:
00000000 0f0000b0 00000000 60d59458 00000000 00000000 0f008ee4 00000000 0f008ee0
0068f58c 60b80adb 00000000 0068f5a0 80000000 0f00a5c0 60d5c4f4

Comment 1

18 years ago
This is not a Java API's DOM bug.
Changed Component to DOM level 0.
Component: Java APIs for DOM → DOM Level 0

Comment 2

18 years ago
reassign to owner of js dom
Assignee: akhil.arora → jst
QA Contact: rajendra.pallath → desale

Comment 3

18 years ago
Adding crash keyword.
Keywords: crash

Comment 4

18 years ago
Unable to reproduce this one on Windows 95 with either build 2001031604 or build
2001031904

The frame didn't load, but there was no crash.
(Assignee)

Comment 5

18 years ago
Please attach a (the) testcase.
(Reporter)

Comment 6

18 years ago
Created attachment 28375 [details]
JavaScript using page that crashes browser
(Reporter)

Comment 7

18 years ago
Here's a slightly different test case that still crashes Mozilla for me on
Win98. Build 2001031604

I've attached a picture of the IE5.5 behavior - expected.  Note the bar across
the top that the scroller doesn't extend into (this is where the advertisement
is usually loaded).  The "Page Not Found" message appears because I opened the page
at the office, while not connected to the NTown ISP (home).  It looks like
without the router to demangle the page request, it can't find the wrapped page
either.

The important thing is that the frame construction using the javascript was
interpreted correctly in IE 5.5.  The matter of the page loading is secondary. 
I would expect Mozilla to behave similarly, or report some error condition, or
something other than a crash.
(Reporter)

Comment 8

18 years ago
Okay, I couldn't attach the image showing the IE5.5 behavior... Bugzilla seems to
hang. It doesn't matter much.  Save the attachment, open in IE 5.5...
(Assignee)

Comment 9

18 years ago
Created attachment 28455 [details] [diff] [review]
Proposed fix.
(Assignee)

Comment 10

18 years ago
Accepting, confirming, and whatnot. Thanks for the testcase, the fix is attached
and I'll try to check it in later today.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
OS: Windows 98 → All
Hardware: PC → All
Whiteboard: [HAVE FIX]
Target Milestone: --- → mozilla0.9
(Assignee)

Comment 11

18 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 12

18 years ago
Verified with 2001-05-22-04.
Status: RESOLVED → VERIFIED