Bug 1472676 (Closed)

[Static Analysis] Possible null-dereference in dom/ipc/ContentChild.cpp

Categories: Core :: DOM: Core & HTML, defect, P3

Tracking: RESOLVED FIXED, target milestone mozilla63 (firefox63: fixed)

People: Reporter: rbartlensky, Assigned: rbartlensky

Attachments: 2 files

infer reports the following errors:

dom/ipc/ContentChild.cpp:2263: error: NULL_DEREFERENCE
  pointer `chromeRegistry` last assigned on line 2261 could be null and is dereferenced at line 2263, column 3.
  2261.     nsChromeRegistryContent* chromeRegistry =
  2262.       static_cast<nsChromeRegistryContent*>(registrySvc.get());
  2263. >   chromeRegistry->RegisterRemoteChrome(packages, resources, overrides,
  2264.                                          locale, reset);
  2265.     static bool preloadDone = false;

dom/ipc/ContentChild.cpp:2281: error: NULL_DEREFERENCE
  pointer `chromeRegistry` last assigned on line 2277 could be null and is dereferenced at line 2281, column 7.
  2279.     switch (item.type()) {
  2280.       case ChromeRegistryItem::TChromePackage:
  2281. >       chromeRegistry->RegisterPackage(item.get_ChromePackage());
  2282.         break;
  2283.

dom/ipc/ContentChild.cpp:2285: error: NULL_DEREFERENCE
  pointer `chromeRegistry` last assigned on line 2277 could be null and is dereferenced at line 2285, column 7.
  2283.
  2284.       case ChromeRegistryItem::TOverrideMapping:
  2285. >       chromeRegistry->RegisterOverride(item.get_OverrideMapping());
  2286.         break;
  2287.

dom/ipc/ContentChild.cpp:2289: error: NULL_DEREFERENCE
  pointer `chromeRegistry` last assigned on line 2277 could be null and is dereferenced at line 2289, column 7.
  2287.
  2288.       case ChromeRegistryItem::TSubstitutionMapping:
  2289. >       chromeRegistry->RegisterSubstitution(item.get_SubstitutionMapping());
  2290.         break;
  2291.

These are all related to the fact that `nsChromeRegistry::GetService()` in all cases can return an `already_AddRefed<nsIChromeRegistry>` object whose member is nullptr. It seems that in all cases there are no null checks after extracting the pointer. Is it possible for the code to not return a nullptr, even though here (https://dxr.mozilla.org/mozilla-central/source/chrome/nsChromeRegistry.cpp?q=%2Bfunction%3AnsChromeRegistry%3A%3AGetService%28%29&redirect_type=single#135) there is a branch for that?

infer also reports:

dom/ipc/ContentChild.cpp:778: error: NULL_DEREFERENCE
  pointer `*aTriggeringPrincipal` last assigned on line 778 could be null and is dereferenced at line 778, column 5.
  776.     if (!opener) {
  777.       nsCOMPtr<nsIPrincipal> nullPrincipal = NullPrincipal::CreateWithoutOriginAttributes();
  778. >     NS_ADDREF(*aTriggeringPrincipal = nullPrincipal);
  779.       return NS_OK;
  780.     }

Can we add a patch fixing these issues?
Assignee: nobody → rbartlensky
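The two patterns infer flagged above, reproduced as an added example that is not code from this bug or from mozilla-central: a service lookup whose result is downcast and then called through, and an out-parameter assignment that AddRefs a factory result in the same expression. Every name below (`IRegistry`, `ContentRegistry`, `GetRegistryService`, `Principal`, `CreateNullPrincipal`, the `available`/`succeed` knobs, the `-1`/`0` return codes) is a hypothetical stand-in for `nsIChromeRegistry`, `nsChromeRegistryContent`, `nsChromeRegistry::GetService()`, `nsIPrincipal`, `NullPrincipal::CreateWithoutOriginAttributes()`, `NS_ADDREF` and the `nsresult` codes; the guarded forms mirror the shape of the fix that landed (check the extracted pointer, fail the handler, braces around the body).

```cpp
// Added example, not Mozilla code. Models the two NULL_DEREFERENCE patterns
// infer reported in ContentChild.cpp and a guarded form of each. All names
// here are hypothetical stand-ins for the XPCOM types named in the bug.
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Stand-ins for nsIChromeRegistry (interface) and nsChromeRegistryContent
// (the concrete class used in content processes).
struct IRegistry {
  virtual ~IRegistry() = default;
};
struct ContentRegistry : IRegistry {
  std::vector<std::string> packages;
  void RegisterPackage(const std::string& name) { packages.push_back(name); }
};

// Stand-in for nsChromeRegistry::GetService(): a process-wide singleton that
// can legitimately come back null (the branch the bug report links to).
// `available` is a constructed knob standing in for "service creation failed".
std::shared_ptr<IRegistry> GetRegistryService(bool available) {
  static std::shared_ptr<IRegistry> sRegistry = std::make_shared<ContentRegistry>();
  return available ? sRegistry : nullptr;
}

// Guarded form of the RecvRegisterChromeItem pattern. The original did
//   chromeRegistry->RegisterPackage(...)
// right after the static_cast; static_cast of a null pointer is still null,
// so the call itself was the dereference infer flagged. Returns false when
// the registry is missing instead of crashing.
bool RecvRegisterChromeItem(bool serviceAvailable, const std::string& pkg) {
  std::shared_ptr<IRegistry> registrySvc = GetRegistryService(serviceAvailable);
  ContentRegistry* chromeRegistry =
      static_cast<ContentRegistry*>(registrySvc.get());
  if (!chromeRegistry) {  // braces even for one statement, as the review asked
    return false;
  }
  chromeRegistry->RegisterPackage(pkg);
  return true;
}

// Number of packages the singleton registry holds; lets a caller observe
// that a failed call registered nothing.
std::size_t RegisteredPackageCount() {
  auto* reg = static_cast<ContentRegistry*>(GetRegistryService(true).get());
  return reg->packages.size();
}

// Stand-in for a refcounted nsIPrincipal; the real code uses NS_ADDREF.
struct Principal {
  int refcnt = 1;
};
// Constructed storage standing in for the principal the factory would allocate.
static Principal gNullPrincipalStorage;

// Stand-in for NullPrincipal::CreateWithoutOriginAttributes(), which can
// fail; `succeed` is a constructed knob for that failure.
Principal* CreateNullPrincipal(bool succeed) {
  return succeed ? &gNullPrincipalStorage : nullptr;
}

// Guarded form of the ContentChild.cpp:778 pattern. The original was
//   NS_ADDREF(*aTriggeringPrincipal = nullPrincipal);
// which calls AddRef through the freshly assigned pointer, so a failed
// factory call is dereferenced immediately. Here the result is checked first.
int GetTriggeringPrincipal(bool createSucceeds, Principal** aTriggeringPrincipal) {
  Principal* nullPrincipal = CreateNullPrincipal(createSucceeds);
  if (!nullPrincipal) {
    *aTriggeringPrincipal = nullptr;
    return -1;  // NS_ERROR_FAILURE stand-in
  }
  *aTriggeringPrincipal = nullPrincipal;
  (*aTriggeringPrincipal)->refcnt++;  // NS_ADDREF stand-in, safe after the check
  return 0;     // NS_OK stand-in
}

// Result of the guarded out-parameter call, packaged for inspection.
struct PrincipalResult {
  int rv;             // 0 = NS_OK stand-in, -1 = NS_ERROR_FAILURE stand-in
  bool gotPrincipal;  // whether the out-parameter was filled
  int refcnt;         // refcount of the returned principal, 0 if none
};

PrincipalResult TryGetTriggeringPrincipal(bool createSucceeds) {
  Principal* out = nullptr;
  int rv = GetTriggeringPrincipal(createSucceeds, &out);
  return {rv, out != nullptr, out ? out->refcnt : 0};
}
```

The point both guarded functions share is that the null check sits on the pointer after it has been extracted from the smart pointer or factory, not on the smart pointer object itself, because that is the value the subsequent call or `AddRef` goes through.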
Comment on attachment 8989769 [details]
Bug 1472676: Fix NULL_DEREFERENCE errors

https://reviewboard.mozilla.org/r/254760/#review261658

::: dom/ipc/ContentChild.cpp:2269
(Diff revision 1)
>                                   const bool& reset)
>  {
>    nsCOMPtr<nsIChromeRegistry> registrySvc = nsChromeRegistry::GetService();
>    nsChromeRegistryContent* chromeRegistry =
>      static_cast<nsChromeRegistryContent*>(registrySvc.get());
> +  if (!chromeRegistry)
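Review bot: the `if (!chromeRegistry)` added after the `static_cast` at ContentChild.cpp:2269 has a single-line body without braces; house style wants braces on every `if`, so `if (!chromeRegistry) {` ... `}`. The body of the branch is cut off in this quote, so what the handler returns when the registry is missing is not visible; since a content process cannot register chrome packages without the registry, that path should fail visibly (an `NS_WARNING` or an assertion) rather than return silently.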

if () {
  ..
}

::: dom/ipc/ContentChild.cpp:2282
(Diff revision 1)
>  ContentChild::RecvRegisterChromeItem(const ChromeRegistryItem& item)
>  {
>    nsCOMPtr<nsIChromeRegistry> registrySvc = nsChromeRegistry::GetService();
>    nsChromeRegistryContent* chromeRegistry =
>      static_cast<nsChromeRegistryContent*>(registrySvc.get());
> +  if (!chromeRegistry)
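Review bot: same missing braces on the `if (!chromeRegistry)` at 2282. Note also that the null check only covers the case where `nsChromeRegistry::GetService()` returned nothing; the `static_cast<nsChromeRegistryContent*>` on the line above still assumes the service is the content-process registry, so a short comment (or a debug assertion) stating that this handler only runs in the content process would document the cast's precondition.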

Here as well.
Attachment #8989769 - Flags: review?(amarchesini) → review+
Comment on attachment 8989788 [details]
Bug 1472676: Add curly brackets.

https://reviewboard.mozilla.org/r/254762/#review261666
Attachment #8989788 - Flags: review?(amarchesini) → review+
https://hg.mozilla.org/mozilla-central/rev/9bd41553f056
https://hg.mozilla.org/mozilla-central/rev/61a41d0a2f7c
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Component: DOM → DOM: Core & HTML