Closed Bug 690055 Opened 13 years ago Closed 13 years ago

Crafted HTML tables can cause print preview to crash Firefox 7.0

Categories

(Firefox :: Security, defect)

7 Branch
x86
Windows 7
defect
Not set
normal

RESOLVED DUPLICATE of bug 642088

People

(Reporter: hunter, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0
Build ID: 20110922153450

Steps to reproduce:

I have discovered a bug that can crash Firefox 7.0 in print or print preview mode simply by crafting a small amount of HTML table code. Details are below, proof of concept is included, crash report's in "What Happened." I'm putting this in the security section just to be on the safe side, since it allows the software to be crashed.

Here's what I've found out so far, but it's not fully narrowed down:
- There must be more than one <table> on the page.
- These tables must have a <caption> tag.
- There must be a heading in each table with a <thead> tag.
- These tables must span more than one page in print preview.
- There must be multiple <tfoot> tags.
- The <tfoot> tags should include a <td> tag spanning the entire column via the colspan attribute.
- <tbody> tags were omitted, but it seems to make no difference if they're added.
- It will still crash with a style="visibility: hidden;" attribute on the <table> tag.
- HTML 4.01 Strict Standards compliance mode rendering is enabled.

Other Notes:
- Firefox version was 7.0 on Win7 [Version 6.1.7601]
- Repeated it on a clean install of Windows Virtual PC - XP Mode with doPDF7 being used as a dummy printer.
- It happens in safe mode too.

If you need anything else, send me an e-mail. Thanks!

Actual results:

AdapterDeviceID: 7183
AdapterVendorID: 1002
AvailableVirtualMemory: 1903828992
BuildID: 20110922153450
CrashTime: 1317238744
EMCheckCompatibility: true
FramePoisonBase: 00000000f0de0000
FramePoisonSize: 65536
InstallTime: 1317224682
Notes: AdapterVendorID: 1002, AdapterDeviceID: 7183, AdapterDriverVersion: 8.56.1.16
ProductName: Firefox
ReleaseChannel: release
SecondsSinceLastCrash: 314
StartupTime: 1317238733
SystemMemoryUsePercentage: 36
Theme: classic/1.0
Throttleable: 1
TotalVirtualMemory: 2147352576
Vendor: Mozilla
Version: 7.0

This report also contains technical information about the state of the application when it crashed.

Expected results:

HTML tables, no matter how bizarrely crafted, should have not crashed the software, I suppose.
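A static pre-filter for the structural conditions listed in the report above, useful for picking candidate regression test cases out of an HTML corpus. This is an added example, not part of the bug report or of Mozilla's code. `TableShape`, `matches_report` and the sample strings are hypothetical and constructed; reading "multiple <tfoot> tags" as two or more across the candidate tables is an assumption, and the pagination condition cannot be checked statically.

```python
from html.parser import HTMLParser

class TableShape(HTMLParser):
    """Record, per <table>, the structural features named in the report."""
    def __init__(self):
        super().__init__()
        self.tables, self.stack, self.in_tfoot = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            t = {"caption": False, "thead": False, "tfoot": 0, "spanning_cell": False}
            self.tables.append(t)
            self.stack.append(t)       # nested tables get their own record
            self.in_tfoot = False
        elif self.stack:
            t = self.stack[-1]
            if tag in ("caption", "thead", "tbody"):
                self.in_tfoot = False  # </tfoot> is optional in HTML
                if tag != "tbody":
                    t[tag] = True
            elif tag == "tfoot":
                t["tfoot"] += 1
                self.in_tfoot = True
            elif tag in ("td", "th") and self.in_tfoot:
                span = dict(attrs).get("colspan") or "1"
                if span.strip().isdigit() and int(span) > 1:
                    t["spanning_cell"] = True

    def handle_endtag(self, tag):
        if tag == "tfoot":
            self.in_tfoot = False
        elif tag == "table" and self.stack:
            self.stack.pop()
            self.in_tfoot = False

def matches_report(html):
    """Assumed reading of the report: >= 2 tables with caption and thead,
    >= 2 tfoot elements among them, and a tfoot cell with colspan > 1."""
    p = TableShape()
    p.feed(html)
    p.close()
    cands = [t for t in p.tables if t["caption"] and t["thead"]]
    return (len(cands) >= 2
            and sum(t["tfoot"] for t in cands) >= 2
            and any(t["spanning_cell"] for t in cands))

# Constructed samples: structure only, far too short to span a printed page.
_T = ("<table><caption>c</caption><thead><tr><th>a</th><th>b</th></tr></thead>"
      "<tfoot><tr><td colspan='2'>f</td></tr></tfoot><tr><td>1</td><td>2</td></tr></table>")
SAMPLE_MATCH = _T + _T
SAMPLE_PLAIN = "<table><tr><td>1</td></tr></table>" + _T
```

A match only means the document has the reported shape; whether a given build crashes still has to be confirmed in print preview.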
Attachment #563149 - Attachment mime type: text/plain → text/html
I couldn't reproduce with yesterday's nightly build; I was able to print-preview and print-to-XPS. Do you get a Firefox crash reporting dialog? If so, can you check about:crashes and give us some crash report IDs?
Excellent! Turns out this is a dup of bug 642088, which isn't exploitable.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE