Closed
Bug 434458
Opened 16 years ago
Closed 16 years ago
Crash [@ nsINode::GetCurrentDoc] with showPopup on popup removed from document
Categories
(Core :: XUL, defect)
RESOLVED FIXED
People
(Reporter: martijn.martijn, Assigned: enndeakin)
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:dos] null deref)
Crash Data
Attachments
(5 files)
(deleted), application/vnd.mozilla.xul+xml
(deleted), application/vnd.mozilla.xul+xml
(deleted), application/vnd.mozilla.xul+xml
(deleted), application/vnd.mozilla.xul+xml
(deleted), patch (smaug: review+, dbaron: superreview+)
See testcase, which crashes current trunk build after 100ms.
This regressed when the patch for bug 279703 landed.

http://crash-stats.mozilla.com/report/index/be52d180-2584-11dd-b103-0013211cbf8a?p=1

0 xul.dll nsINode::GetCurrentDoc nsINode.h:275
1 xul.dll nsXULPopupManager::GetFrameOfTypeForContent mozilla/layout/xul/base/src/nsXULPopupManager.cpp:260
2 xul.dll nsXULPopupManager::GetPopupFrameForContent mozilla/layout/xul/base/src/nsXULPopupManager.cpp:288
3 xul.dll nsPopupBoxObject::ShowPopup mozilla/layout/xul/base/src/nsPopupBoxObject.cpp:116
4 xul.dll XPCConvert::JSData2Native mozilla/js/src/xpconnect/src/xpcconvert.cpp:848
Reporter
Comment 1•16 years ago

Reporter
Comment 2•16 years ago

Also happens with openPopup.

Reporter
Comment 3•16 years ago

And with openPopupAtScreen.

Reporter
Comment 4•16 years ago

A similar crash happens also with sizeTo:

http://crash-stats.mozilla.com/report/index/d1ac78a3-258a-11dd-8220-0013211cbf8a?p=1

0 xul.dll nsIContent::SetAttr nsIContent.h:254
1 xul.dll nsPopupBoxObject::SizeTo mozilla/layout/xul/base/src/nsPopupBoxObject.cpp:167
2 xul.dll NS_InvokeByIndex_P mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
3 xul.dll XPCWrappedNative::CallMethod mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2388
Assignee
Comment 5•16 years ago

Looks like nsPopupBoxObject just needs some nullchecks for mContent in its methods.
Component: XP Toolkit/Widgets: Menus → XUL
QA Contact: xptoolkit.menus → xptoolkit.widgets
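The fix described in comment 5 is a guard on a weak, non-owning pointer: the box object keeps a raw pointer to its element, that pointer is cleared when the popup leaves the document, and showPopup/openPopup/sizeTo dereferenced it without checking. The following is an added example modelling that bug class and the null-check fix; it is not Mozilla's code. The Document/Content types, the nsresult-style codes, the Clear() hook and the scenario function are assumptions made for illustration, and only the method names loosely mirror the stack traces above.

```cpp
#include <cstdint>
#include <string>

// Assumed stand-ins for Gecko's nsresult codes (example only).
typedef uint32_t nsresult;
const nsresult NS_OK = 0x0;
const nsresult NS_ERROR_FAILURE = 0x80004005;

struct Document {
  std::string name;
};

// Minimal stand-in for a DOM node: knows its current document, holds attributes.
struct Content {
  Document* mDocument;          // null once removed from the document
  std::string mWidth, mHeight;  // stand-in for the width/height attributes

  Document* GetCurrentDoc() const { return mDocument; }
  void SetAttr(const std::string& name, const std::string& value) {
    if (name == "width") mWidth = value;
    else if (name == "height") mHeight = value;
  }
};

// Model of a box object that weakly refers to its element. When the element
// is torn down the box object is cleared (assumed Clear() hook) and mContent
// becomes null; any method that dereferences it unconditionally then crashes.
class PopupBoxObject {
 public:
  explicit PopupBoxObject(Content* aContent) : mContent(aContent) {}

  // Called when the popup element is removed from the document.
  void Clear() { mContent = nullptr; }

  // Pattern of the crashing code: mContent is dereferenced without a check.
  // With mContent == nullptr this is the [@ nsINode::GetCurrentDoc] null deref.
  nsresult ShowPopupUnchecked() {
    Document* doc = mContent->GetCurrentDoc();   // crashes when mContent is null
    return doc ? NS_OK : NS_ERROR_FAILURE;
  }

  // Fixed pattern: bail out when the box object no longer has content.
  nsresult ShowPopup() {
    if (!mContent) return NS_ERROR_FAILURE;
    Document* doc = mContent->GetCurrentDoc();
    return doc ? NS_OK : NS_ERROR_FAILURE;
  }

  // Same guard for sizeTo, the second crash site from comment 4.
  nsresult SizeTo(int32_t aWidth, int32_t aHeight) {
    if (!mContent) return NS_ERROR_FAILURE;
    mContent->SetAttr("width", std::to_string(aWidth));
    mContent->SetAttr("height", std::to_string(aHeight));
    return NS_OK;
  }

 private:
  Content* mContent;  // non-owning, may be null after Clear()
};

// Scenario from the testcase (constructed here): script keeps a reference to
// the popup's box object, the popup is removed, then showPopup/sizeTo are
// called later. Returns true when the guarded methods fail cleanly rather
// than dereferencing null.
bool DetachedPopupIsHandled() {
  Document doc{"chrome://test"};
  Content popup{&doc, "", ""};
  PopupBoxObject box(&popup);
  if (box.ShowPopup() != NS_OK) return false;        // attached: works
  if (box.SizeTo(100, 50) != NS_OK) return false;
  box.Clear();                                       // popup removed from document
  return box.ShowPopup() == NS_ERROR_FAILURE &&      // guarded: error, no crash
         box.SizeTo(10, 10) == NS_ERROR_FAILURE;
}
```

ShowPopupUnchecked is kept only to show the shape of the faulting code; calling it after Clear() reproduces the null dereference, which is why the scenario exercises only the guarded methods once the popup is detached.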
Assignee
Comment 6•16 years ago

Assignee: nobody → enndeakin
Status: NEW → ASSIGNED
Attachment #333439 - Flags: superreview?
Attachment #333439 - Flags: review?(Olli.Pettay)

Assignee
Updated•16 years ago

Attachment #333439 - Flags: superreview? → superreview?(dbaron)

Updated•16 years ago

Attachment #333439 - Flags: review?(Olli.Pettay) → review+

Comment 7•16 years ago

Comment on attachment 333439 [details] [diff] [review]
add some null-checks, also fixes bug 434456

>\ No newline at end of file

Have a newline, please.

sr=dbaron

Attachment #333439 - Flags: superreview?(dbaron) → superreview+
Assignee
Updated•16 years ago

Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 8•15 years ago

The test was checked in and is public.

1.9.0 !exploitable report, I didn't see a crash on 1.9.1 winxp.

PROBABLY_EXPLOITABLE: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!nsPopupBoxObject::EnableKeyboardNavigator
Flags: in-testsuite+
Flags: blocking1.9.0.11?
Comment 9•15 years ago

We could take this on the 1.9.0 branch, but it's not exploitable.
Group: core-security
Flags: blocking1.9.0.11? → wanted1.9.0.x+
Whiteboard: [sg:dos] null deref
Updated•13 years ago

Crash Signature: [@ nsINode::GetCurrentDoc]