Closed Bug 988028 Opened 11 years ago Closed 10 years ago

NULL deref @ nsNavBookmarks::OnVisit

Categories

(Toolkit :: Places, defect)

31 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: tsmith, Unassigned)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html
Found by the BlackBerry Security Automated Analysis Team's fuzzing framework ALF. The testcase may take a few reloads before it repros.

==29198==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f916051d38c sp 0x7fffa8fe3a80 bp 0x7fffa8fe3dc0 T0)
AddressSanitizer can not provide additional info.
#0 0x7f916051d38b (libxul.so!nsNavBookmarks::OnVisit(nsIURI*, long, long, long, long, unsigned int, nsACString_internal const&, bool)+0x38b) Line 2794 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/components/places/nsNavBookmarks.cpp"
#1 0x7f916051e37e (libxul.so!non-virtual thunk to nsNavBookmarks::OnVisit(nsIURI*, long, long, long, long, unsigned int, nsACString_internal const&, bool)+0x1e) Line 2804 of "Unified_cpp_toolkit_components_places0.cpp"
#2 0x7f9160526327 (libxul.so!nsNavHistory::NotifyOnVisit(nsIURI*, long, long, long, int, nsACString_internal const&, bool)+0x3a7) Line 522 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/components/places/nsNavHistory.cpp"
#3 0x7f91605b7572 (libxul.so!mozilla::places::(anonymous namespace)::NotifyVisitObservers::Run()+0x352) Line 595 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/components/places/History.cpp"
#4 0x7f915a8b482c (libxul.so!nsThread::ProcessNextEvent(bool, bool*)+0xb2c) Line 694 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp"
#5 0x7f915a77e4f1 (libxul.so!NS_ProcessNextEvent(nsIThread*, bool)+0xb1) Line 263 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp"
#6 0x7f915b135ed1 (libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x311) Line 95 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp"
#7 0x7f915b0a7b23 (libxul.so!MessageLoop::Run()+0x1c3) Line 226 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc"
#8 0x7f915d53aa71 (libxul.so!nsBaseAppShell::Run()+0x61) Line 164 of "/builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp"
#9 0x7f916040b26f (libxul.so!nsAppStartup::Run()+0xcf) Line 276 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/components/startup/nsAppStartup.cpp"
#10 0x7f9160215941 (libxul.so!XREMain::XRE_mainRun()+0x1f31) Line 4008 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
#11 0x7f91602168df (libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*)+0x4ff) Line 4077 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
#12 0x7f916021767b (libxul.so!XRE_main+0x3ab) Line 4289 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
#13 0x459dcd (firefox-bin!main+0x94d) Line 282 of "/builds/slave/m-in-l64-asan-0000000000000000/build/browser/app/nsBrowserApp.cpp"
#14 0x7f916b75376c (libc.so.6!__libc_start_main+0xec) Line 226 of "libc-start.c"
#15 0x45934c (firefox-bin!_start+0x28)
Keywords: crash, testcase
Since the only other deref there is from a new, that is infallible, I suppose the problem is aURI. We indeed don't error check NS_NewURI in some points in History.cpp, mostly because we pass it a spec we already got from an nsIURI, so we don't expect it to fail, but sounds like it may.
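Added example, not Mozilla code: a self-contained model of the failure mode described in the comment above. It assumes stand-in definitions for nsresult, NS_NewURI and the OnVisit observer, and shows both the missing error check at the dispatch site and an argument guard in the observer.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-ins for XPCOM's nsresult convention (high bit set = failure);
// this file models the bug and is not Mozilla code.
using nsresult = uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_MALFORMED_URI = 0x804B000A;
constexpr nsresult NS_ERROR_INVALID_ARG = 0x80070057;
inline bool NS_FAILED(nsresult rv) { return (rv & 0x80000000u) != 0; }

struct nsIURI { std::string spec; };

// Fallible factory modelled on NS_NewURI: on failure the out-param stays null.
// Constructed parse rule: a spec needs a non-empty scheme followed by "://".
nsresult NS_NewURI(std::unique_ptr<nsIURI>* aURI, const std::string& aSpec) {
  std::string::size_type pos = aSpec.find("://");
  if (pos == std::string::npos || pos == 0) return NS_ERROR_MALFORMED_URI;
  *aURI = std::make_unique<nsIURI>(nsIURI{aSpec});
  return NS_OK;
}

struct VisitObserver { std::vector<std::string> seen; };

// Observer modelled on nsNavBookmarks::OnVisit, hardened with an argument guard
// (the NS_ENSURE_ARG idiom) so a null aURI is an error instead of a SEGV.
nsresult OnVisit(VisitObserver& aObs, nsIURI* aURI) {
  if (!aURI) return NS_ERROR_INVALID_ARG;
  aObs.seen.push_back(aURI->spec);
  return NS_OK;
}

// Dispatcher modelled on History.cpp's NotifyVisitObservers::Run. With
// aCheckNewURI=false it reproduces the reported pattern (NS_NewURI result
// ignored, observers notified with whatever came back); with true it aborts
// the notification when URI construction fails.
nsresult NotifyVisit(const std::string& aSpec, VisitObserver& aObs, bool aCheckNewURI) {
  std::unique_ptr<nsIURI> uri;
  nsresult rv = NS_NewURI(&uri, aSpec);
  if (aCheckNewURI && NS_FAILED(rv)) return rv;   // the missing error check
  return OnVisit(aObs, uri.get());                // uri may be null if unchecked
}
```

Without the guard in OnVisit, the unchecked path dereferences the null pointer exactly as in the attached ASan trace.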
Component: Document Navigation → Places
Product: Core → Toolkit
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME