Closed Bug 225578 Opened 21 years ago Closed 14 years ago

crash [@ nsAbView::GetSelectedAddresses(nsIArray**)] does not check for NULL pointer

Categories

(MailNews Core :: Address Book, defect)

Product:
MailNews Core
Component:
Address Book
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(thunderbird3.1 beta1-fixed)

Status:
RESOLVED FIXED
Milestone:
Thunderbird 3.1b1
Tracking Flags:
Tracking Status
thunderbird3.1 --- beta1-fixed

People

(Reporter: stevie-bugzilla, Assigned: standard8)

References

Details

(Keywords: crash, Whiteboard: Firedrill bug)

Crash Data

Attachments

(1 file, 3 obsolete files)

The fix
3.79 KB, patch
Bienvenu
: review+
Bienvenu
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Opera/7.20 (Windows NT 5.0; U)  [en]
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007

nsAbView::GetSelectedAddresses calls GetSelectedCards() to get a list of the 
selected address cards.  However, if none are selected, GetSelectedCards() 
returns a NULL pointer while reporting success. GetSelectedAddresses then tries 
to dereference selectedCards at nsAbView.cpp:1300, without first ensuring that 
selectedCards is not NULL:

selectedCards->Count(&count);


Reproducible: Always

Steps to Reproduce:
1. Open the Address Book.
Make sure you don't have a broken install -- you should have at least two books 
(Personal Address Book and Collected Addresses).
2. Click on one of the address books.
3. Open Venkman.
3a. If necessary, uncheck 'Exclude Browser Files' and check 'Show/Hide>Loaded 
Scripts".
4. Go to the SetStatusText function in addressbook.js (easily accessed via the 
Loaded Scripts pane)
5. Place a breakpoint on the first statement in that function (it's an "if" 
statement).
6. Go back to the Address Books window and click on a different address book.  
Venkman should pop up, halted at the line breakpointed in step #5.
7. In the 'Interactive Session' pane at the bottom, simply type 'gAbView' and 
press Enter.

Actual Results:  
Mozilla crashed with a NULL-pointer dereference.

Expected Results:  
I did not know what to expect (I was experimenting).  I can assure you that I 
was not expecting Mozilla to crash.
gah. OK, that's enough revisions.

This version adds a bugfix timeless asked for (it checks for failure to
allocate the 'addresses' object).
Attachment #135406 - Attachment is obsolete: true
Severity: normal → critical
Keywords: crash
Summary: nsAbView::GetSelectedAddresses does not check for NULL pointer → [fix] nsAbView::GetSelectedAddresses does not check for NULL pointer
confirming crash
Status: UNCONFIRMED → NEW
Ever confirmed: true
Product: Browser → Seamonkey
Assignee: sspitzer → mail
Assignee: mail → nobody
Component: Address Book → MailNews: Address Book
Product: Mozilla Application Suite → Core
QA Contact: nbaca → addressbook
patch going on 5yr old and never reviewed - obsolete?
(In reply to comment #5)
> patch going on 5yr old and never reviewed - obsolete?
> 
The bug is still valid, though the patch obsolete. I've a feeling we don't actually hit this code (currently), which is why we never have a problem with crashes.
Product: Core → MailNews Core
assuming nsAbView::GetSelectedAddresses(nsIArray**) is the same, rare = 8 crashes in 10 months for 3.0x.  various OS, so at least 3-4 people

3.0b4 variation
bp-c2ccfadc-1195-4e3d-925b-2c7712091018
Frame	Module	Signature [Expand]	Source
0	thunderbird.exe	nsAbView::GetSelectedAddresses	mailnews/addrbook/src/nsAbView.cpp:1314
1	xpcom_core.dll	NS_InvokeByIndex_P	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
2	xpcom_core.dll	xptiInterfaceInfo::GetMethodInfo	xpcom/reflect/xptinfo/src/xptiprivate.h:706
Summary: [fix] nsAbView::GetSelectedAddresses does not check for NULL pointer → crash [@ nsAbView::GetSelectedAddresses(nsIArray**) does not check for NULL pointer
add missing ] so bug# shows in crash-stats
Summary: crash [@ nsAbView::GetSelectedAddresses(nsIArray**) does not check for NULL pointer → crash [@ nsAbView::GetSelectedAddresses(nsIArray**)] does not check for NULL pointer
Whiteboard: Firedrill bug
Blocks: 530791
Assignee: nobody → bugzilla
Attached patch The fixSplinter Review 
Proposed fix - as GetSelectedAddresses is an internal function, make the argument an nsCOMPtr<nsIMutableArray> and pass that directly. This skips the need for pointers.

As a result had to change one function to bail out early if there's nothing selected. Tested various functions including selecting ABs, composing emails with addresses selected and such.

Venkman is failing in debug mode, so I'm currently doing a release build to fully verify the fix.
Attachment #135425 - Attachment is obsolete: true
Attachment #428727 - Flags: superreview?(bienvenu)
Attachment #428727 - Flags: review?(bienvenu)
Comment on attachment 428727 [details] [diff] [review]
The fix

seems fine...tested on a windows debug build.
Attachment #428727 - Flags: superreview?(bienvenu)
Attachment #428727 - Flags: superreview+
Attachment #428727 - Flags: review?(bienvenu)
Attachment #428727 - Flags: review+
Checked in: http://hg.mozilla.org/comm-central/rev/aeb07d0521aa

and to the 3.1a1 branch for purposes of the test firedrill: http://hg.mozilla.org/comm-central/rev/c1bb767189c1
Status: NEW → RESOLVED
Closed: 14 years ago
status-thunderbird3.1: --- → beta1-fixed
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 3.1b1
Crash Signature: [@ nsAbView::GetSelectedAddresses(nsIArray**)]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: