Open Bug 937512 Opened 7 years ago Updated 2 years ago

xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x170

Categories

(Core :: DOM: Editor, defect)

25 Branch
x86_64
Windows 7
defect
Not set
critical

Tracking

()

REOPENED
Tracking Status
firefox25 --- affected
firefox26 --- ?
firefox27 --- ?
firefox-esr17 --- affected
firefox-esr24 --- affected

People

(Reporter: 41.w4r10r, Unassigned)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

Attached file fuzz11301.html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36

Steps to reproduce:

Load Attached File


Actual results:

Crashes FireFox 25.0 & ESR 17.0.10:
Stack Trace From ESR 17.0.10

(cc4.870): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=08c61700 ebx=0531a600 ecx=0029b478 edx=0531a600 esi=00000000 edi=80000000
eip=676ae173 esp=0029b49c ebp=0029b4c4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** WARNING: Unable to verify checksum for C:\Program Files\Mozilla Firefox\xul.dll
xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x170:
676ae173 8b06            mov     eax,dword ptr [esi]  ds:0023:00000000=????????
0:000> ub
xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x156 [e:\builds\moz2_slave\yyy\build\editor\libeditor\base\nseditor.cpp @ 4440]:
676ae159 740a            je      xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x162 (676ae165)
676ae15b 8d4df8          lea     ecx,[ebp-8]
676ae15e e8ef1f98ff      call    xul!nsCOMPtr<nsISHEntry>::~nsCOMPtr<nsISHEntry> (67030152)
676ae163 eb88            jmp     xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0xea (676ae0ed)
676ae165 8d4508          lea     eax,[ebp+8]
676ae168 e8f0907aff      call    xul!nsCOMPtr<nsIBaseWindow>::operator-> (66e5725d)
676ae16d 8b7010          mov     esi,dword ptr [eax+10h]
676ae170 ff7508          push    dword ptr [ebp+8]
0:000> u
xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x170 [e:\builds\moz2_slave\yyy\build\editor\libeditor\base\nseditor.cpp @ 4442]:
676ae173 8b06            mov     eax,dword ptr [esi]
676ae175 8bce            mov     ecx,esi
676ae177 ff5064          call    dword ptr [eax+64h]
676ae17a 8b4dfc          mov     ecx,dword ptr [ebp-4]
676ae17d 50              push    eax
676ae17e 56              push    esi
676ae17f e89c8085ff      call    xul!mozilla::Selection::Collapse (66f06220)
676ae184 8bf0            mov     esi,eax
0:000> kb
ChildEBP RetAddr  Args to Child              
0029b4c4 676b3358 08c61700 0531a6c4 00000000 xul!nsEditor::DeleteSelectionAndPrepareToCreateNode+0x170 [e:\builds\moz2_slave\yyy\build\editor\libeditor\base\nseditor.cpp @ 4442]
0029b544 674169e7 0531a6c4 06472780 00000001 xul!nsHTMLEditor::InsertElementAtSelection+0x183 [e:\builds\moz2_slave\yyy\build\editor\libeditor\html\nshtmleditor.cpp @ 1529]
0029b570 6776abb3 06472780 0029b680 0531a6c4 xul!nsInsertTagCommand::DoCommand+0x65 [e:\builds\moz2_slave\yyy\build\editor\composer\src\nscomposercommands.cpp @ 1395]
0029b58c 6738aa3e 0609e240 0029b680 0531a600 xul!nsControllerCommandTable::DoCommand+0x42 [e:\builds\moz2_slave\yyy\build\embedding\components\commandhandler\src\nscontrollercommandtable.cpp @ 158]
0029b5b0 6771d6b4 0531a600 0029b680 80000000 xul!nsBaseCommandController::DoCommand+0x5b [e:\builds\moz2_slave\yyy\build\embedding\components\commandhandler\src\nsbasecommandcontroller.cpp @ 137]
0029b5cc 677355a3 085ba200 0029b680 00000000 xul!nsCommandManager::DoCommand+0x6e [e:\builds\moz2_slave\yyy\build\embedding\components\commandhandler\src\nscommandmanager.cpp @ 237]
0029b6c4 67133860 08ad1f64 0029b9b8 0029b900 xul!nsHTMLDocument::ExecCommand+0x191 [e:\builds\moz2_slave\yyy\build\content\html\document\src\nshtmldocument.cpp @ 3216]
0029b6f0 66f6f238 08ad1f64 0000007d 00000004 xul!NS_InvokeByIndex_P+0x27 [e:\builds\moz2_slave\yyy\build\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 71]
0029b92c 66f7129b 00000000 0029ba34 66f711c0 xul!XPCWrappedNative::CallMethod+0x338 [e:\builds\moz2_slave\yyy\build\js\xpconnect\src\xpcwrappednative.cpp @ 2374]
*** WARNING: Unable to verify checksum for C:\Program Files\Mozilla Firefox\mozjs.dll
0029b9f4 69e96a49 0804f040 00000003 03ca0118 xul!XPC_WN_CallMethod+0xdb [e:\builds\moz2_slave\yyy\build\js\xpconnect\src\xpcwrappednativejsops.cpp @ 1478]
0029ba68 69e98579 0804f040 00000000 03ca0128 mozjs!js::InvokeKernel+0x59 [e:\builds\moz2_slave\yyy\build\js\src\jsinterp.cpp @ 352]
0029c374 69e96ffa 0804f040 03ca0028 00000000 mozjs!js::Interpret+0x959 [e:\builds\moz2_slave\yyy\build\js\src\jsinterp.cpp @ 2414]
0029c3e8 69ea66a9 0804f040 00000000 03ca0020 mozjs!js::InvokeKernel+0x60a [e:\builds\moz2_slave\yyy\build\js\src\jsinterp.cpp @ 363]
0029c438 69eb4551 0804f040 0029c460 0029c47c mozjs!js::Invoke+0x209 [e:\builds\moz2_slave\yyy\build\js\src\jsinterp.cpp @ 396]
0029c46c 66f22daa 0804f040 09c32040 09c403e0 mozjs!JS_CallFunctionValue+0x41 [e:\builds\moz2_slave\yyy\build\js\src\jsapi.cpp @ 5853]
0029c5c0 66ee05df 0708b300 09c32040 09c403e0 xul!nsJSContext::CallEventHandler+0x44a [e:\builds\moz2_slave\yyy\build\dom\base\nsjsenvironment.cpp @ 1931]
0029c6b0 66f67c3a 08b1a980 09d69580 0029c798 xul!nsJSEventListener::HandleEvent+0x10f [e:\builds\moz2_slave\yyy\build\dom\src\events\nsjseventlistener.cpp @ 188]
0029c6fc 66f75392 08ae59c0 08ad2c00 0029c7a0 xul!nsEventListenerManager::HandleEventInternal+0x18a [e:\builds\moz2_slave\yyy\build\content\events\src\nseventlistenermanager.cpp @ 886]
0029c744 66f6ac3b 01257204 00000006 00000000 xul!nsEventTargetChainItem::HandleEventTargetChain+0x6b2 [e:\builds\moz2_slave\yyy\build\content\events\src\nseventdispatcher.cpp @ 317]
0029c7dc 66ed9256 0708b0e0 08ad2c00 0029c820 xul!nsEventDispatcher::Dispatch+0x23b [e:\builds\moz2_slave\yyy\build\content\events\src\nseventdispatcher.cpp @ 644]



Expected results:

Run File Perfectly
Component: Untriaged → Editor
Product: Firefox → Core
Why is this marked as security sensitive?
bp-40f5e70d-2603-478e-8224-415882131120

The crashes I get appear to be null derefs (in nightly). What were you seeing that looked exploitable?

Definitely a stability issue though.
Status: UNCONFIRMED → NEW
Crash Signature: [@ mozilla::plugins::PPluginInstanceChild::DeallocSubtree() ]
Ever confirmed: true
Flags: needinfo?(41.w4r10r)
Keywords: crash, testcase
Group: core-security
Severity: normal → critical
Crash Signature: [@ mozilla::plugins::PPluginInstanceChild::DeallocSubtree() ] → [@ mozilla::plugins::PPluginInstanceChild::DeallocSubtree() ] [@ mozilla::plugins::PPluginInstanceChild::DeallocSubtree ]
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
Closing because no crash reported since 12 weeks.
Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats.  Other resolutions may be appropriate for other reasons.

(Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes.  The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Original case's crash is nsEditor::DeleteSelectionAndPrepareToCreateNode (mozilla::EditorBase::DeleteSelectionAndPrepareToCreateNode).  But crash signature of this issue is [@ mozilla::plugins::PPluginInstanceChild::DeallocSubtree ] by comment #2.  Why?
You need to log in before you can comment on or make changes to this bug.