Closed
Bug 1231309
Opened 9 years ago
Closed 9 years ago
[Static Analysis][Dereference before null check] In function XPCThrower::ThrowBadParam from XPCThrower.cpp
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla45
Tracking | Status | |
---|---|---|
firefox45 | --- | fixed |
People
(Reporter: andi, Assigned: andi)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, Whiteboard: CID 1327949, CID 1327948, CID 1327947)
Attachments
(1 file, 4 obsolete files)
1.71 KB,
patch
|
Details | Diff | Splinter Review |
The Static Analysis tool Coverity added that sz can be null since when it is dereferenced a null pointere dereference it will happen. It is allocated bellow: >> sz = JS_smprintf("%s arg %d", format, paramNum); >> if (sz && sVerbose) >> Verbosify(ccx, &sz, true); And dereferenced: >> dom::Throw(ccx, rv, nsDependentCString(sz)); nsDependentCString translates to: >>explicit >>nsTDependentString_CharT(const char_type* aData) >> : string_type(const_cast<char_type*>(aData), >> uint32_t(char_traits::length(aData)), F_TERMINATED) >> { >> AssertValidDependentString(); >> } We should add an assert between allocation and dereference, on debug we can catch when nullptr is passed and maybe fix the effective problem, if there is any.
Assignee | ||
Comment 1•9 years ago
|
||
Hello Bobby, Can you please take a look other this patch? THX
Attachment #8696938 -
Flags: review?(bobbyholley)
Assignee | ||
Updated•9 years ago
|
Whiteboard: CID 1327949 → CID 1327949, CID 1327948, CID 1327947
Assignee | ||
Comment 2•9 years ago
|
||
Same issue occurs in function XPCThrower::ThrowBadResult for sz
Attachment #8696940 -
Flags: review?(bobbyholley)
Assignee | ||
Comment 3•9 years ago
|
||
Also same issue in XPCThrower::Throw
Attachment #8696943 -
Flags: review?(bobbyholley)
Comment 4•9 years ago
|
||
Ah, good catch. This is a regression from bug 1213289. sz will only be null on OOM here, of course. But we should still handle it.
Comment 5•9 years ago
|
||
Comment on attachment 8696938 [details] [diff] [review] Bug 1231309.diff Review of attachment 8696938 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/xpconnect/src/XPCThrower.cpp @@ +144,5 @@ > if (sz && sVerbose) > Verbosify(ccx, &sz, true); > > + MOZ_ASSERT(sz, "sz should be a valid pointer!"); > + This isn't right. If sz is null, we need to handle it immediately after it was assigned - probably by doing NS_ENSURE_TRUE(sz) after the JS_smprintf call.
Attachment #8696938 -
Flags: review?(bobbyholley) → review-
Comment 6•9 years ago
|
||
Comment on attachment 8696940 [details] [diff] [review] Bug 1231309 - CID 1327948.diff Review of attachment 8696940 [details] [diff] [review]: ----------------------------------------------------------------- Nit - please fold all of these into the same patch.
Attachment #8696940 -
Flags: review?(bobbyholley)
Updated•9 years ago
|
Attachment #8696943 -
Flags: review?(bobbyholley)
Assignee | ||
Comment 7•9 years ago
|
||
Did you this had in mind?
Attachment #8696938 -
Attachment is obsolete: true
Attachment #8696940 -
Attachment is obsolete: true
Attachment #8696943 -
Attachment is obsolete: true
Attachment #8697226 -
Flags: review?(bobbyholley)
Comment 8•9 years ago
|
||
Comment on attachment 8697226 [details] [diff] [review] Bug 1231309.diff Review of attachment 8697226 [details] [diff] [review]: ----------------------------------------------------------------- r=me with that. ::: js/xpconnect/src/XPCThrower.cpp @@ +78,5 @@ > format = ""; > > sz = (char*) format; > > + NS_ENSURE_TRUE_VOID(sz); Please remove the empty line between |sz = ...| and |NS_ENSURE_TRUE_VOID(sz);|. @@ +121,5 @@ > sz = JS_smprintf("%s 0x%x (%s)", format, result, name); > else > sz = JS_smprintf("%s 0x%x", format, result); > > + NS_ENSURE_TRUE_VOID(sz); Same here. @@ +144,5 @@ > format = ""; > > sz = JS_smprintf("%s arg %d", format, paramNum); > > + NS_ENSURE_TRUE_VOID(sz); Same here.
Attachment #8697226 -
Flags: review?(bobbyholley) → review+
Assignee | ||
Comment 9•9 years ago
|
||
Attachment #8697226 -
Attachment is obsolete: true
Assignee | ||
Updated•9 years ago
|
Keywords: checkin-needed
Comment 10•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/8dfb9aeac3af
Keywords: checkin-needed
Comment 11•9 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/8dfb9aeac3af
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
You need to log in
before you can comment on or make changes to this bug.
Description
•