Closed
Bug 6168
Opened 26 years ago
Closed 26 years ago
[CRASH, BLOCK] Submitting a form crashes browser
Categories
(Core :: Layout, defect, P3)
Tracking
()
VERIFIED
FIXED
M6
People
(Reporter: morse, Assigned: morse)
References
()
Details
Go to the indicated URL. Press the "save" button at the bottom of the form. Browser crashes with the stack trace shown below. Note: with the debugger I determined that the value of the encoder argument is bad. In fact, this sequence of routines is called many times prior to the crash, each time with the same value for encoder. When the call is made that crashes, the value of encoder is suddenly a different value. This form is the interview form used by wallet. So this crash is now blocking wallet development. UnicodeToNewBytes(unsigned short * 0x028d8c70, unsigned int 28, nsIUnicodeEncoder * 0x025f1860) line 610 + 9 bytes URLEncode(nsString & {...}, nsIUnicodeEncoder * 0x025f1860) line 640 + 29 bytes nsFormFrame::ProcessAsURLEncoded(int 1, nsString & {...}, nsIFormControlFrame * 0x0271c940) line 876 + 30 bytes nsFormFrame::OnSubmit(nsFormFrame * const 0x01339ed0, nsIPresContext * 0x026ad9c0, nsIFrame * 0x0271c910) line 459 nsButtonControlFrame::MouseClicked(nsIPresContext * 0x026ad9c0) line 345 nsButtonControlFrame::HandleEvent(nsButtonControlFrame * const 0x0271c910, nsIPresContext & {...}, nsGUIEvent * 0x0012fccc, nsEventStatus & nsEventStatus_eIgnore) line 529 PresShell::HandleEvent(PresShell * const 0x01305924, nsIView * 0x0271da20, nsGUIEvent * 0x0012fccc, nsEventStatus & nsEventStatus_eIgnore) line 2008 + 38 bytes nsView::HandleEvent(nsView * const 0x0271da20, nsGUIEvent * 0x0012fccc, unsigned int 28, nsEventStatus & nsEventStatus_eIgnore) line 831 nsViewManager::DispatchEvent(nsViewManager * const 0x01304ac0, nsGUIEvent * 0x0012fccc, nsEventStatus & nsEventStatus_eIgnore) line 1726 HandleEvent(nsGUIEvent * 0x0012fccc) line 67 nsWindow::DispatchEvent(nsWindow * const 0x0271daf4, nsGUIEvent * 0x0012fccc, nsEventStatus & nsEventStatus_eIgnore) line 410 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fccc) line 431 nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 2880 + 15 bytes nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 720911, long * 0x0012fe48) line 2242 + 24 bytes nsWindow::WindowProc(void * 0x0001053c, unsigned int 514, unsigned int 0, long 720911) line 474 + 27 bytes USER32! 77e71250()
Assignee | ||
Comment 1•26 years ago
|
||
Here's a clue. The last field on the form that is processed correctly is "department" under "your business address." The crash occurs on the very next field, namely "address line 1". If I remove that field from the form, the crash then occurs on the very next field. No matter how many field I remove following "company name", the crash always occurs on the next following field. If all fields after the "department" field are removed from the form, the crash does not occur. Well, there's my work-around. Until this bug is fixed, I'll be forced to use an abreviated version of this form that stops after the "department" field.
Updated•26 years ago
|
Assignee: karnaze → ftang
Severity: normal → critical
Summary: Submitting a form crashes browser → [CRASH, BLOCK] Submitting a form crashes browser
Target Milestone: M6
Comment 2•26 years ago
|
||
This looks a problem with the recent unicode additions to nsString. To get this to fail on the 5/13 build, I had to do the following (1) use version 1.68 of layout/html/forms/nsFormControlFrame.cpp because version 1.69 breaks form submission and (2) fix a bug in extensions/wallet which I just checked in. Reassinging to Frank, adding [CRASH, BLOCK] to summary, marking critical and moving to M6.
Updated•26 years ago
|
Status: NEW → ASSIGNED
Comment 3•26 years ago
|
||
It sound some code trash the value of encoder. I will take a look at it.
Updated•26 years ago
|
Assignee: ftang → morse
Status: ASSIGNED → NEW
Comment 4•26 years ago
|
||
It crash because the value "encoder" which on stack is trashed by the following code, 862 #ifdef SingleSignon 863 if ((type == NS_FORM_INPUT_PASSWORD) || (type == NS_FORM_INPUT_TEXT)) { 864 if (type == NS_FORM_INPUT_PASSWORD) { 865 type_array[value_cnt] = FORM_TYPE_PASSWORD; 866 } else { 867 type_array[value_cnt] = FORM_TYPE_TEXT; 868 } 869 value_array[value_cnt] = 870 values[0].ToNewCString(); 871 name_array[value_cnt] = 872 names[0].ToNewCString(); 873 value_cnt++; 874 } 875 #endif It trash the auto variable "encoder" when value_cnt is 51. Why ? The following code- 795 #ifdef SingleSignon 796 #define MAX_ARRAY_SIZE 50 797 char* name_array[MAX_ARRAY_SIZE]; 798 char* value_array[MAX_ARRAY_SIZE]; 799 uint8 type_array[MAX_ARRAY_SIZE]; 800 PRInt32 value_cnt = 0; 801 #endif 802 I cannot believe we have such hard code size of array withotu boundary checking in our code. What a traditional security hole. Reassing this back to. I suggest you review all your code and make sure there are no hard coded limitation of array in your code without boundary checking. We are luck that it trash a object pointer here , if it trash some data, it could be difficult to find.
Assignee | ||
Updated•26 years ago
|
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 5•26 years ago
|
||
What can I say -- I have egg all over my face. Yes, I forgot to do an array boundary check. So I introduced my own blocking bug! All this array stuff will go away anyhow once single singon is separated from layout. But in the meantime I have added the bounds check. File involved is nsFormFrame.cpp. It's checked in now
Updated•26 years ago
|
Status: RESOLVED → VERIFIED
Comment 6•26 years ago
|
||
Fixed in 5/17 Biuld.
You need to log in
before you can comment on or make changes to this bug.
Description
•