embedding widget will crash with generated content, file:/// as base url and an <img> tag in the document

RESOLVED FIXED in mozilla0.9.1

Status

Core Graveyard
Embedding: GTK Widget
--
critical
RESOLVED FIXED
17 years ago
6 years ago

People

(Reporter: blizzard, Assigned: blizzard)

Tracking

({crash})

Trunk
mozilla0.9.1
x86
Linux
crash

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: critical for mozilla 0.9.1, a=chofmann)

(Assignee)

Description

17 years ago
This crash was reported to me out of band and I don't have an easy test case
that I can just put in the bug.

Anyway, if you use the streaming methods in the embedding widget to render
content that includes an image tag you would get a crash in the nsStdURL code. 
The problem is that the embedding code uses a Simple URI instead of a Standard
URI so when you try and resolve the relative image path against the base uri
handler the simple uri handler just dups the bad relative string instead of
re-resolving it.

You end up with a null scheme after the parse and in a comparison it falls over
because in nsStdURL::SchemeIs() mScheme is null and this code dereferences it:

    // mScheme is guaranteed to be lower case.
    if (*i_Scheme == *mScheme || *i_Scheme == (*mScheme - ('a' - 'A')) ) {
        *o_Equals = PL_strcasecmp(mScheme, i_Scheme) ? PR_FALSE : PR_TRUE;
    } else {
        *o_Equals = PR_FALSE;
    }

Anyway, the solution to the crash is simple.  Just use a standard URL instead of
a simple one.

Index: EmbedStream.cpp
===================================================================
RCS file: /cvsroot/mozilla/embedding/browser/gtk/src/EmbedStream.cpp,v
retrieving revision 1.5
diff -u -r1.5 EmbedStream.cpp
--- EmbedStream.cpp     2001/04/10 05:59:23     1.5
+++ EmbedStream.cpp     2001/06/01 21:56:24
@@ -37,8 +37,6 @@
 
 NS_IMPL_ISUPPORTS1(EmbedStream, nsIInputStream)
 
-static NS_DEFINE_CID(kSimpleURICID,            NS_SIMPLEURI_CID);
-
 EmbedStream::EmbedStream()
 {
   NS_INIT_REFCNT();
@@ -108,7 +106,7 @@
 
   // create a new uri object
   nsCOMPtr<nsIURI> uri;
-  uri = do_CreateInstance(kSimpleURICID, &rv);
+  uri = do_CreateInstance(NS_STANDARDURL_CONTRACTID, &rv);
   if (NS_FAILED(rv))
     return rv;
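Review bot: the switch to NS_STANDARDURL_CONTRACTID in the `do_CreateInstance` line fixes this one caller, but nsStdURL::SchemeIs(), as quoted in the description, still dereferences mScheme unconditionally. Any other path that leaves the scheme unset after a parse would crash in the same place. Consider also adding a null check on mScheme (and on i_Scheme) in SchemeIs() that sets *o_Equals to PR_FALSE. The "create a new uri object" comment could also say why a standard URL is needed here: relative references such as image paths are resolved against this base URI.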
(Assignee)

Updated

17 years ago
Status: NEW → ASSIGNED
Whiteboard: critical for mozilla 0.9.1, waiting for r=, sr=, a=
Target Milestone: --- → mozilla0.9.1

Comment 1

17 years ago
r=valeski

Comment 2

17 years ago
sr=tor

Updated

17 years ago
Keywords: crash
(Assignee)

Updated

17 years ago
Whiteboard: critical for mozilla 0.9.1, waiting for r=, sr=, a= → critical for mozilla 0.9.1, waiting for a=

Comment 3

17 years ago
a=chofmann

Updated

17 years ago
Whiteboard: critical for mozilla 0.9.1, waiting for a= → critical for mozilla 0.9.1, a=chofmann
(Assignee)

Comment 4

17 years ago
Checked in on the branch and tip.  Thanks, guys.
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
Component: Embedding: GTK Widget → Embedding: GTK Widget
Product: Core → Core Graveyard
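The failure mode from the description, as an added example (not Mozilla's code and not part of the original report): a relative reference copied verbatim has no scheme, resolving it against the base gives it one, and a null-safe comparison turns the missing-scheme case into "not equal" instead of a dereference. The function names and sample inputs are hypothetical, and the resolution is simplified (no `../` handling).

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// True (and fills `scheme`) only when spec starts with a valid "scheme:"
// prefix: ALPHA followed by ALPHA / DIGIT / "+" / "-" / ".".
bool ExtractScheme(const std::string& spec, std::string& scheme) {
    std::string::size_type colon = spec.find(':');
    if (colon == std::string::npos || colon == 0) return false;
    if (!std::isalpha(static_cast<unsigned char>(spec[0]))) return false;
    for (std::string::size_type i = 1; i < colon; ++i) {
        unsigned char c = static_cast<unsigned char>(spec[i]);
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') return false;
    }
    scheme = spec.substr(0, colon);
    return true;
}

// Null-safe, case-insensitive scheme comparison: a missing scheme on either
// side means "not equal" rather than a null dereference.
bool SchemeIsGuarded(const char* mScheme, const char* i_Scheme) {
    if (!mScheme || !i_Scheme) return false;
    for (; *mScheme && *i_Scheme; ++mScheme, ++i_Scheme) {
        if (std::tolower(static_cast<unsigned char>(*mScheme)) !=
            std::tolower(static_cast<unsigned char>(*i_Scheme)))
            return false;
    }
    return *mScheme == *i_Scheme;  // both strings must end together
}

// Simplified resolution: an absolute reference is kept as-is; a relative one
// replaces everything after the last '/' of the base.
std::string ResolveAgainstBase(const std::string& base, const std::string& ref) {
    std::string scheme;
    if (ExtractScheme(ref, scheme)) return ref;
    std::string::size_type slash = base.rfind('/');
    if (slash == std::string::npos) return ref;  // base has no path to join to
    return base.substr(0, slash + 1) + ref;
}

int main() {
    std::string scheme;
    const std::string ref = "images/logo.png";  // constructed sample input
    bool has = ExtractScheme(ref, scheme);      // false: verbatim copy has no scheme
    std::printf("copied verbatim: scheme %s\n", has ? scheme.c_str() : "(null)");
    std::printf("guarded SchemeIs: %d\n", SchemeIsGuarded(has ? scheme.c_str() : nullptr, "file"));
    std::printf("resolved: %s\n", ResolveAgainstBase("file:///", ref).c_str());
    return 0;
}
```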