Closed
Bug 827468
Opened 12 years ago
Closed 12 years ago
Calling CharacterData method on an Element causes "Assertion failure: !objRef.ptr"
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla21
Tracking | Status | |
---|---|---|
firefox19 | --- | unaffected |
firefox20 | + | fixed |
firefox21 | + | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: jruderman, Unassigned)
References
Details
(4 keywords, Whiteboard: fixed by bug 826703 [adv-main20-])
Attachments
(2 files)
Assertion failure: !objRef.ptr, at OBJDIR/dom/bindings/CharacterDataBinding.cpp:315
Reporter | ||
Comment 1•12 years ago
|
||
Reporter | ||
Comment 2•12 years ago
|
||
The generated code is from: changeset: 41b8acc38356 user: Boris Zbarsky date: Tue Aug 28 13:10:09 2012 -0400 summary: Bug 774970. Add the ability to generate code for dealing with an XPConnect 'this' object in some cases. r=peterv This WebIDL binding was added in: changeset: 71b8063ba668 user: Boris Zbarsky date: Fri Jan 04 12:02:14 2013 -0500 summary: Bug 824823 part 7. Implement WebIDL CharacterData API on nsGenericDOMDataNode. r=peterv
Comment 3•12 years ago
|
||
So the generated code looks like this: nsresult rv = xpc_qsUnwrapArg<nsGenericDOMDataNode>(cx, val, &objPtr, &objRef.ptr, &val); Which lands us at: xpc_qsUnwrapArg<nsGenericDOMDataNode, nsISupports> where the first templare arg is the "interface" and the second is the "strong ref type". So we end up doing NS_GET_TEMPLATE_IID(nsGenericDOMDataNode) which returns the nsIContent IID. Then of course the thing we have is an nsIContent, so it happily unwraps to that... I just checked the other things we have that have hasXPConnectImpls. Those are: Document, Element, EventTarget, HTMLDocument, HTMLElement, Node, SVGElement, SVGGraphicsElement, SVGLocatableElement, SVGTransformableElement. Of these, Document, Element, EventTarget, HTMLDocument, HTMLElement, Node, SVGElement have DOMCI_CASTABLE_INTERFACE stuff, so I believe those are safe. SVGGraphicsElement, SVGTransformableElement, SVGLocatableElement have IIDs of their own. So I think the only unsafe thing is the CharacterData. I can add a DOMCI_CASTABLE thing, or we can fix bug 826703 (which we want to do on 20 anyway because otherwise we need to make Text have hasXPConnectImpls). I'd vastly prefer the latter. ;) Verifying now that that patch fixes this bug.
Depends on: 826703
Updated•12 years ago
|
status-firefox20:
--- → affected
Reporter | ||
Comment 5•12 years ago
|
||
With ASan, I found an exploitable case (involving appendData).
Group: core-security
Keywords: sec-critical
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox21:
--- → fixed
status-firefox-esr17:
--- → unaffected
tracking-firefox21:
--- → +
Updated•12 years ago
|
Keywords: regression
Whiteboard: fixed by bug 826703
Comment 9•12 years ago
|
||
Checked that this bug and its dups are all fixed on Aurora now.
Updated•11 years ago
|
Whiteboard: fixed by bug 826703 → fixed by bug 826703 [adv-main20-]
Updated•11 years ago
|
Group: core-security
Assignee | ||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•