Bug 489322
Description From mgueury@skynet.be 2009-04-21 05:11:06 PDT
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10pre) Gecko/2009042005 GranParadiso/3.0.10pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10pre) Gecko/2009042005 GranParadiso/3.0.10pre
On Windows, I got reports from 2 users using the HTML Validator extension with the 3.0.10pre. With this version, and it seems with 3.0.8 pre and 3.0.9 pre, Firefox crashes when viewing the page's source.
I am the extension author.
Such a problem does not happen with production builds (yet).
Reproducible: Always
Steps to Reproduce:
1. Download ftp://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla1.9.0/firefox-3.0.10pre.en-US.win32.zip and unzip the file.
2. Start Firefox
3. Install the HTML validator (the version is not really important) 0.855 here http://users.skynet.be/mgueury/mozilla/download.html
4. Restart Firefox
5. Go to www.google.com
6. View Source -> crash
Actual Results:
Crash
Expected Results:
No crash
Is it happening only in pre builds?
After debugging the tidySource.js file, I found that it crashes when putting a color on the lines of the HTML source where there is an HTML error.
The procedure is called colorizeLines.
The way this procedure works is that it changes the DOM of the HTML source of the HTML...
Workaround
----------
There is an option in the HTML validator to disable it:
- Options
- Highlight lines with errors.
When unchecked it works again, meaning that the problem is indeed in the DOM JavaScript API used by colorizeLines.
Bug 489647
Description From Daniel Veditz 2009-04-22 13:06:09 PDT
Firefox 3.0.9 has exposed a new topcrash @nsTextFrame::ClearTextRun(). One instance is bug 489322, involving the HTML Validator addon. We'll see soon if that's the only case because the author of that addon is about to release an update with a workaround (disables the crashing feature).

Filing separate to track as a security bug.

Crashes:
http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A3.0.9&query_search=signature&query_type=exact&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsTextFrame%3A%3AClearTextRun()

This appears to be exploitable given random addresses at the top of the stack:
bp-e5e76111-98f2-4785-9fe6-ba0582090421
bp-49a91d2b-b49c-4316-957e-d2c9b2090421
bp-87a98e87-4982-488f-8c11-6a2c72090421
bp-043a79b6-250a-4d52-8862-ef1d72090421
etc.

Here's one with a comment that does NOT mention view source -- this one says they did a ctrl-f (find) and clicked the "Highlight All" button.
bp-d31d7a90-09b4-4cf5-9baf-7b1952090422