Closed
Bug 1025170
Opened 10 years ago
Closed 10 years ago
Selection::Modify fails to return with unimplemented cases
Categories
(Core :: DOM: Selection, defect)
Tracking
RESOLVED
FIXED
mozilla33
Release | Tracking | Status |
---|---|---|
firefox30 | --- | affected |
firefox31 | --- | affected |
firefox32 | --- | affected |
firefox33 | --- | affected |
firefox-esr24 | --- | unaffected |
People
(Reporter: mccr8, Assigned: mccr8)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, csectype-uninitialized, Whiteboard: [CID 1221242][CID 1221243])
Attachments
(1 file)
1.08 KB, patch | ehsan.akhgari: review+
This method does an aRv.Throw(NS_ERROR_NOT_IMPLEMENTED), but then does not return. Coverity points out that this means that |amount| and |keycode| are used uninitialized, but presumably all sorts of other badness might be in play here. regression from bug 949445: 1.1702 - return NS_ERROR_NOT_IMPLEMENTED; 1.1703 + aRv.Throw(NS_ERROR_NOT_IMPLEMENTED); 1.1704 }
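Review bot: the added line `aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);` replaces `return NS_ERROR_NOT_IMPLEMENTED;` without a `return;` after it, so the unimplemented-case branch now falls through past the closing brace with the error already set. Follow the throw with `return;` inside the same block so that nothing after it runs on values that were never assigned.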
Updated (Assignee) • 10 years ago
status-firefox30: --- → affected
status-firefox31: --- → affected
status-firefox32: --- → affected
status-firefox33: --- → affected
status-firefox-esr24: --- → unaffected
Updated (Assignee) • 10 years ago
Whiteboard: [CID 1221242] → [CID 1221242][CID 1221243]
Updated (Assignee) • 10 years ago
Flags: needinfo?(ehsan)
Comment 1 (Assignee) • 10 years ago
Well, I can just fix this silly thing. But if you have an opinion of what sec rating this should get, it would be appreciated.
Assignee: nobody → continuation
Flags: needinfo?(ehsan)
Comment 2 (Assignee) • 10 years ago
try run: https://tbpl.mozilla.org/?tree=Try&rev=9958f982be3e
Attachment #8440146 - Flags: review?(bzbarsky)
Updated • 10 years ago
Attachment #8440146 - Flags: review?(bzbarsky) → review+
Comment 3 • 10 years ago
Looking at nsFrameSelection::MoveCaret, it seems like an uninitialized aKeycode should cause us to return here <http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsSelection.cpp#895> and aAmount is used after this point, so I don't think this is security sensitive at all.
Comment 4 • 10 years ago
Comment on attachment 8440146: Selection::Modify should return on failure.
r=me, fwiw
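The fall-through described in the bug description, as an added example that is not Mozilla's code. `ErrorSink`, `Lookup`, `Downstream`, the granularity strings and the key values are constructed stand-ins, and the locals carry a sentinel instead of being left uninitialized so the run has defined behaviour.

```cpp
#include <cstdio>
#include <string>

// Hypothetical stand-in for an error out-parameter (not Mozilla's ErrorResult).
struct ErrorSink {
    bool failed = false;
    void Throw() { failed = true; }  // records the error; control flow continues
};

constexpr int kUnset = -1;  // sentinel standing in for "never assigned"

struct Outcome { bool failed; int downstreamCalls; int keycodeSeen; };

// Constructed mapping: only "character" and "word" are implemented.
static bool Lookup(const std::string& g, int& keycode, int& amount) {
    if (g == "character") { keycode = 39; amount = 1; return true; }
    if (g == "word")      { keycode = 39; amount = 2; return true; }
    return false;  // unimplemented case: outputs are left untouched
}

// Stand-in for the code that consumes keycode/amount after the lookup.
static void Downstream(Outcome& o, int keycode, int /*amount*/) {
    ++o.downstreamCalls;
    o.keycodeSeen = keycode;
}

// fixed == false: Throw, then fall through (the shape the report describes).
// fixed == true:  Throw followed by an immediate return.
Outcome Modify(const std::string& granularity, bool fixed) {
    ErrorSink rv;
    Outcome o{false, 0, 0};
    int keycode = kUnset, amount = kUnset;  // uninitialized in the reported pattern
    if (!Lookup(granularity, keycode, amount)) {
        rv.Throw();
        if (fixed) { o.failed = rv.failed; return o; }
    }
    Downstream(o, keycode, amount);  // reached with unset values when !fixed
    o.failed = rv.failed;
    return o;
}

int main() {
    Outcome before = Modify("sentence", false);
    Outcome after = Modify("sentence", true);
    std::printf("before: failed=%d calls=%d keycode=%d\n",
                before.failed, before.downstreamCalls, before.keycodeSeen);
    std::printf("after:  failed=%d calls=%d\n", after.failed, after.downstreamCalls);
}
```

In the unfixed path the caller sees the error and the downstream code still runs once with the sentinel, which is the combination a static analyzer reports as an uninitialized use.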
Comment 5 (Assignee) • 10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/82418d47c497
Group: core-security
Comment 6 (Assignee) • 10 years ago
It sounds like this isn't really worth backporting then.
Comment 7 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/82418d47c497
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Updated • 6 years ago
Blocks: coverity-analysis