Closed Bug 497448 Opened 15 years ago Closed 15 years ago

Crash [@ CallQueryInterface<nsIContent,nsIDOMElement>] with bindings, script, observes, etc and content policy installed

Categories: Core :: DOM: Core & HTML, defect
Platform: x86, Windows XP
Severity: critical

Status: RESOLVED WORKSFORME
Tracking Status: status1.9.1 --- unaffected

People: Reporter: martijn.martijn; Assignee: Unassigned

Keywords: crash, regression, testcase

Attached file testcase (deleted) —
See testcase, which usually crashes within 20 seconds or so, when you have a content policy installed in your profile. You have a content policy installed when you have Adblock Plus installed: https://addons.mozilla.org/en-US/firefox/addon/1865

You can also follow the directions in bug 439316:
- Copy the file in that bug into the Components directory of where Firefox is installed.
- Create an empty file named .autoreg in your profile (use the bash mv command to rename it under Windows).

http://crash-stats.mozilla.com/report/index/86df7519-0594-449e-bcbc-2f6052090610?p=1
0 ntdll.dll ntdll.dll@0xe514
1 kernel32.dll kernel32.dll@0x2541
2 xul.dll google_breakpad::ExceptionHandler::WriteMinidumpOnHandlerThread toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:562
3 xul.dll google_breakpad::ExceptionHandler::HandlePureVirtualCall toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:506
4 mozcrt19.dll _purecall obj-firefox/memory/jemalloc/crtsrc/purevirt.c:47
5 xul.dll CallQueryInterface<nsIContent,nsIDOMElement> obj-firefox/dist/include/nsISupportsUtils.h:203
6 xul.dll xul.dll@0x8f2197
7 @0x2
8 @0x62

This regressed between 2008-06-22 and 2008-06-23:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-06-22+05%3A00%3A00&enddate=2008-06-23+08%3A00%3A00
I think this is a regression from bug 344258.
Attached file testcase2 (deleted) —
OK, this is a testcase that also crashes with this same stacktrace after 10s or so, but doesn't seem to need a content policy, so it crashes directly, without the need for the Adblock Plus extension.
The !exploitable tool says this:
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!CallQueryInterface<nsIContent,nsIDOMElement>+0x0000000000000067 (Hash=0x7b706479.0x53120335)
So marking security sensitive for now.
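The stack in comment 0 pairs a `_purecall` frame (4) with `CallQueryInterface<nsIContent,nsIDOMElement>` (5): QueryInterface was dispatched through a vtable whose slot is the pure virtual one, which in well-defined C++ happens when a virtual call is made on an object whose derived part has already been torn down. The following is an added illustration of that mechanism, written for this page and not code from Mozilla or this bug; it is not a statement of this bug's root cause, which the report does not establish. `Supports`, `Element`, `Observer`, `CallQI` and the IID strings are hypothetical stand-ins for nsISupports-style interfaces and the `CallQueryInterface` template in nsISupportsUtils.h.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Added illustration, not Mozilla code. Supports/Element/Observer/CallQI and
// the IID strings are hypothetical stand-ins for nsISupports-style interfaces
// and the CallQueryInterface template in nsISupportsUtils.h.

struct Supports;

struct Observer {
    std::vector<std::string> seen;   // dynamic type name at each notification
    void OnDestroy(Supports* aObject);
};

struct Supports {
    explicit Supports(Observer* aObs) : mObserver(aObs) {}
    virtual ~Supports() {
        // Runs after ~Element has finished: virtual dispatch now resolves to
        // Supports's own table, where QueryInterface is the pure slot.
        // Notifying from here hands out a pointer to a half-destroyed object.
        if (mObserver) mObserver->OnDestroy(this);
    }
    virtual Supports* QueryInterface(const char* aIID) = 0;   // the pure slot
    virtual std::string DynamicName() const { return "Supports"; }
    Observer* mObserver;
};

struct Element : Supports {
    static constexpr const char* kIID = "Element";
    Element(Observer* aObs, bool aDetachEarly)
        : Supports(aObs), mDetachEarly(aDetachEarly) {}
    ~Element() override {
        // Derived part still alive, dispatch still reaches Element: safe to notify.
        if (mObserver) mObserver->OnDestroy(this);
        if (mDetachEarly) mObserver = nullptr;   // stop the base dtor re-notifying
    }
    Supports* QueryInterface(const char* aIID) override {
        return std::strcmp(aIID, kIID) == 0 ? this : nullptr;
    }
    std::string DynamicName() const override { return "Element"; }
    bool mDetachEarly;
};

// Stand-in for CallQueryInterface<Source,Dest>(Source*, Dest**): forwards to the
// virtual QueryInterface slot of whatever object aSource currently is.
template <class Source, class Dest>
bool CallQI(Source* aSource, Dest** aDest) {
    *aDest = static_cast<Dest*>(aSource->QueryInterface(Dest::kIID));
    return *aDest != nullptr;
}

void Observer::OnDestroy(Supports* aObject) {
    // Record which class the virtual call lands in. If this line called
    // aObject->QueryInterface(...) instead, the second notification in
    // DestroyWithLateNotification() would dispatch to the pure slot and abort
    // in _purecall, the same frame pair as frames 4 and 5 in the stack above.
    seen.push_back(aObject->DynamicName());
}

// QI through the template works normally on a live object.
bool QueryWorksWhileAlive() {
    Observer obs;
    Element e(&obs, true);
    Element* out = nullptr;
    return CallQI<Supports, Element>(&e, &out) && out == &e;
}

// Unsafe ordering: the base destructor notifies again after the derived part is gone.
std::vector<std::string> DestroyWithLateNotification() {
    Observer obs;
    { Element e(&obs, /*aDetachEarly=*/false); }
    return obs.seen;   // {"Element", "Supports"}
}

// Safe ordering: the derived destructor notifies once and detaches the observer.
std::vector<std::string> DestroyWithEarlyDetach() {
    Observer obs;
    { Element e(&obs, /*aDetachEarly=*/true); }
    return obs.seen;   // {"Element"}
}

int main() {
    for (const auto& n : DestroyWithLateNotification()) std::printf("late: %s\n", n.c_str());
    for (const auto& n : DestroyWithEarlyDetach())      std::printf("early: %s\n", n.c_str());
    return QueryWorksWhileAlive() ? 0 : 1;
}
```

The second common route to the same frame pair, a call through a dangling pointer into memory that has already been freed and partly reused, is undefined behaviour and is deliberately not exercised here. That second route is also why !exploitable's "Data from Faulting Address controls Code Flow" heuristic fires: the indirect call goes through a vtable pointer read from memory the process no longer controls, so the classification is worth taking seriously until the lifetime of the nsIContent involved is understood.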
Group: core-security
Blocks: 498639
Martijn, can you retest to see if this crash is still reproducible. I wasn't able to see the crash on trunk or a 1.9.2 build.
Whiteboard: [sg:needinfo]
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Thanks for confirming. I did reproduce the crash, by the way, in Firefox 3.5 but not in 3.5.7.
Whiteboard: [sg:needinfo]
Crash Signature: [@ CallQueryInterface<nsIContent,nsIDOMElement>]
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML