Closed Bug 827468 Opened 12 years ago Closed 12 years ago

Calling CharacterData method on an Element causes "Assertion failure: !objRef.ptr"

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla21
Tracking Flags:
Tracking Status
firefox19 --- unaffected
firefox20 + fixed
firefox21 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: jruderman, Unassigned)

References

Details

(4 keywords, Whiteboard: fixed by bug 826703 [adv-main20-])

Attachments

(2 files)

testcase
197 bytes, text/html
Details
stack
9.05 KB, text/plain
Details
Attached file testcase 
Assertion failure: !objRef.ptr, at OBJDIR/dom/bindings/CharacterDataBinding.cpp:315
Attached file stack 

    
    

    
  
The generated code is from:

changeset:   41b8acc38356
user:        Boris Zbarsky
date:        Tue Aug 28 13:10:09 2012 -0400
summary:     Bug 774970.  Add the ability to generate code for dealing with an XPConnect 'this' object in some cases.  r=peterv

This WebIDL binding was added in:

changeset:   71b8063ba668
user:        Boris Zbarsky
date:        Fri Jan 04 12:02:14 2013 -0500
summary:     Bug 824823 part 7.  Implement WebIDL CharacterData API on nsGenericDOMDataNode.  r=peterv

    
    

    
  
So the generated code looks like this:

           nsresult rv = xpc_qsUnwrapArg<nsGenericDOMDataNode>(cx, val, &objPtr, &objRef.ptr, &val);

Which lands us at:

   xpc_qsUnwrapArg<nsGenericDOMDataNode, nsISupports>

where the first templare arg is the "interface" and the second is the "strong ref type".  So we end up doing NS_GET_TEMPLATE_IID(nsGenericDOMDataNode) which returns the nsIContent IID.  Then of course the thing we have is an nsIContent, so it happily unwraps to that...

I just checked the other things we have that have hasXPConnectImpls.  Those are: Document, Element, EventTarget, HTMLDocument, HTMLElement, Node, SVGElement, SVGGraphicsElement, SVGLocatableElement, SVGTransformableElement.

Of these, Document, Element, EventTarget, HTMLDocument, HTMLElement, Node, SVGElement have DOMCI_CASTABLE_INTERFACE stuff, so I believe those are safe.

SVGGraphicsElement, SVGTransformableElement, SVGLocatableElement have IIDs of their own.

So I think the only unsafe thing is the CharacterData.

I can add a DOMCI_CASTABLE thing, or we can fix bug 826703 (which we want to do on 20 anyway because otherwise we need to make Text have hasXPConnectImpls).  I'd vastly prefer the latter.  ;)  Verifying now that that patch fixes this bug.
Depends on: 826703

    
    

    
  
Yeah, the patches in bug 826703 fix this.

          tracking-firefox20:
          --- → ?

    
    

    
  
With ASan, I found an exploitable case (involving appendData).
Group: core-security
Keywords: sec-critical

    
    

    
  
Fixed by bug 826703.
Target Milestone: --- → mozilla21
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Keywords: regression
Whiteboard: fixed by bug 826703

    
    

    
  
Checked that this bug and its dups are all fixed on Aurora now.

          status-firefox20:
          affectedfixed
Whiteboard: fixed by bug 826703 → fixed by bug 826703 [adv-main20-]
Group: core-security
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: