Closed Bug 210298 Opened 21 years ago Closed 21 years ago

Malformed XBL methods cause crash

Categories

(Core :: XBL, defect)

Product:
Core
Component:
XBL
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: enndeakin, Assigned: hyatt)

Details

Attachments

(1 file, 1 obsolete file)

patch with above issues fixed
1.68 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4a) Gecko/20030401
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4a) Gecko/20030401

An xbl method without a name and/or body causes a crash. The following are examples:

<method>
  dump('crash\n");
</method>

<method name="fred1">
   dump('crash\n");
</method>

<method name="fred2"><parameter name="bob"/></method>


Reproducible: Always

Steps to Reproduce:




I have a patch.
Attached patch Fix crashes (obsolete) — Splinter Review 

    
    

    
  
Comment on attachment 126248 [details] [diff] [review]
Fix crashes

>-  else {
>+  else if (mUncompiledMethod) {
>     delete mUncompiledMethod;

This change should not be needed -- delete is null-safe.

sr=me otherwise.

        Attachment #126248 -
        Flags: superreview+

        Attachment #126248 -
        Flags: review?(bryner)

    
    

    
  
Comment on attachment 126248 [details] [diff] [review]
Fix crashes

>     else if (mSecondaryState == eXBL_InBody) {
>       // Get the text and add it to the method
>-      mMethod->AppendBodyText(text);
>+      if (mMethod) mMethod->AppendBodyText(text);

|if| body on the next line, please.

>Index: content/xbl/src/nsXBLProtoImplMethod.cpp
>===================================================================
>RCS file: /cvsroot/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp,v
>retrieving revision 1.4
>diff -u -r1.4 nsXBLProtoImplMethod.cpp
>--- content/xbl/src/nsXBLProtoImplMethod.cpp    28 Feb 2003 01:04:37 -0000      1.4
>+++ content/xbl/src/nsXBLProtoImplMethod.cpp    22 Jun 2003 20:05:17 -0000
>@@ -119,7 +119,7 @@
>       RemoveJSGCRoot(&mJSMethodObject);
>     mJSMethodObject = nsnull;
>   }
>-  else {
>+  else if (mUncompiledMethod) {
>     delete mUncompiledMethod;
>     mUncompiledMethod = nsnull;
>   }

|delete| is null-safe; this change shouldn't really be needed.

r=bryner with those changes.

        Attachment #126248 -
        Flags: review?(bryner) → review+

    
    

    
  


  

        Attachment #126248 -
        Attachment is obsolete: true

    
    

    
  
Patch updated a tad and checked in (on the assumption that Neil does not have
CVS access).  Neil, next time please mail me if you need something to check in,
so it doesn't get lost....
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: