Bug 1025170 (Closed)
Opened 11 years ago
Closed 11 years ago
Selection::Modify fails to return with unimplemented cases
Categories
(Core :: DOM: Selection, defect)
Tracking
(RESOLVED FIXED, mozilla33)
| | Tracking | Status |
|---|---|---|
| firefox30 | --- | affected |
| firefox31 | --- | affected |
| firefox32 | --- | affected |
| firefox33 | --- | affected |
| firefox-esr24 | --- | unaffected |
People
(Reporter: mccr8, Assigned: mccr8)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, csectype-uninitialized, Whiteboard: [CID 1221242][CID 1221243])
Attachments
(1 file)
1.08 KB, patch (ehsan.akhgari: review+)
This method does an aRv.Throw(NS_ERROR_NOT_IMPLEMENTED), but then does not return. Coverity points out that this means that |amount| and |keycode| are used uninitialized, but presumably all sorts of other badness might be in play here.
regression from bug 949445:
1.1702 - return NS_ERROR_NOT_IMPLEMENTED;
1.1703 + aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);
1.1704 }
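Review bot: nothing follows the added `aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);` at 1.1703 before the closing brace at 1.1704, so the exit that the removed `return NS_ERROR_NOT_IMPLEMENTED;` provided is gone and the unimplemented case runs on into the rest of the method with the error set. Add a bare `return;` directly after the `Throw` call.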
Updated • 11 years ago (Assignee)
status-firefox30: --- → affected
status-firefox31: --- → affected
status-firefox32: --- → affected
status-firefox33: --- → affected
status-firefox-esr24: --- → unaffected
Updated • 11 years ago (Assignee)
Whiteboard: [CID 1221242] → [CID 1221242][CID 1221243]
Updated • 11 years ago (Assignee)
Flags: needinfo?(ehsan)
Comment 1 • 11 years ago (Assignee)
Well, I can just fix this silly thing. But if you have an opinion of what sec rating this should get, it would be appreciated.
Assignee: nobody → continuation
Flags: needinfo?(ehsan)
Comment 2 • 11 years ago (Assignee)
Attachment #8440146 - Flags: review?(bzbarsky)
Updated • 11 years ago
Attachment #8440146 - Flags: review?(bzbarsky) → review+
Comment 3 • 11 years ago
Looking at nsFrameSelection::MoveCaret, it seems like an uninitialized aKeycode should cause us to return here <http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsSelection.cpp#895> and aAmount is used after this point, so I don't think this is security sensitive at all.
Comment 4 • 11 years ago
Comment on attachment 8440146 [details] [diff] [review]
Selection::Modify should return on failure.
r=me, fwiw
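The failure mode from the bug description, as an added example that is not Gecko code: `ErrorSink`, the `Modify` signature, the granularity strings and the `kUnset` sentinel are all constructed for illustration. It shows that recording an error through an out-parameter does not stop execution, so the code that consumes `amount` still runs unless a `return` follows the `Throw`.

```cpp
#include <cstdio>
#include <string>

// Hypothetical out-parameter error object; not Gecko's ErrorResult.
struct ErrorSink {
    int code = 0;
    void Throw(int c) { code = c; }  // records the error; the caller keeps running
    bool Failed() const { return code != 0; }
};

const int kNotImplemented = 1;  // constructed error code
const int kUnset = -1;          // sentinel: keeps the demo well-defined, where
                                // the reported code had no initializer at all

struct Outcome {
    bool failed;      // an error was recorded on the sink
    bool reachedUse;  // control reached the code that consumes amount
    bool amountSet;   // amount had been assigned by then
};

Outcome Modify(const std::string& granularity, bool returnAfterThrow) {
    ErrorSink rv;
    int amount = kUnset;
    if (granularity == "character") {
        amount = 1;
    } else if (granularity == "word") {
        amount = 2;
    } else {
        rv.Throw(kNotImplemented);
        if (returnAfterThrow) {
            return {rv.Failed(), false, false};  // fixed form: leave at once
        }
        // Regressed form: nothing stops execution from continuing below.
    }
    // Use site, standing in for the call that takes amount as an argument.
    return {rv.Failed(), true, amount != kUnset};
}

int main() {
    const Outcome regressed = Modify("sentence", false);
    const Outcome fixed = Modify("sentence", true);
    std::printf("regressed: failed=%d reachedUse=%d amountSet=%d\n",
                regressed.failed, regressed.reachedUse, regressed.amountSet);
    std::printf("fixed:     failed=%d reachedUse=%d amountSet=%d\n",
                fixed.failed, fixed.reachedUse, fixed.amountSet);
    return 0;
}
```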
Comment 5 • 11 years ago (Assignee)
Group: core-security
Comment 6 • 11 years ago (Assignee)
It sounds like this isn't really worth backporting then.
Comment 7 • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Updated • 7 years ago
Blocks: coverity-analysis