Closed Bug 257607 Opened 20 years ago Closed 20 years ago

nsScrollBoxObject::::EnsureElementIsVisible dereferences a null pointer if element is not a nsIDOMXULElement

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: justin, Assigned: justin)

Details

(Keywords: fixed-aviary1.0, fixed1.7.5)

Attachments

(2 files, 7 obsolete files)

changed docNs to nsDoc on trunk patch
3.92 KB, patch
Details | Diff | Splinter Review
changed docNs to nsDoc on 1.7 branch patch
4.23 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
asa
: approval-aviary+
asa
: approval1.7.5+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040619 Firefox/0.9
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040619 Firefox/0.9

The nsIScrollBoxObject interface constrains the parameter to a nsIDOMElement. In
the funtion body, a QueryInterface is done without a check to determine if it
was successful. After a failed QI a dereference of a null nsCOMPtr<> is performed.

lxr url where the dereference of a null pointer happens:
http://lxr.mozilla.org/seamonkey/source/layout/xul/base/src/nsScrollBoxObject.cpp#320



Reproducible: Always
Steps to Reproduce:
Attached patch Patch to fix for 1.7 branch (obsolete) — Splinter Review 
Fixes null deref by checking for QI success/failure (see comments in patch)
I don't think this is the right fix (as in, it does fix the crash, but I don't
think it does it the right way).  It would be preferable to use GetBoxObjectFor
on the document's nsIDOMNSDocument interface (which is what
nsXULElement::GetBoxObject ends up doing anyway), and then bail (with error, or
without) if the box object is null.

Note also that both callers of GetBoxObject in this code leak the box object by
not using an nsCOMPtr... Fixing that while fixing the call that gets the box
object would be nice.

Justin, do you feel up to making those changes?
Basically, what should be happening is replacing all raw pointer with nsCOMPtr<>
and using a QI on the nsIDOMDocument from child parameter. 

Will give it a spin.

I am using the 1.7 branch though.  Will try to get a patch for trunk too
Moved almost all the raw pointers to nsCOMPtr. nsIFrame can't be moved,
Release() is private. On a quick glance around, a lot of code needs this work
done on it.

I am still hunting for a way to get to nsIDOMNSDocument without going through
nsIDOMXULElement. Though returning on QI failure and catching the exception in
JS allows me to move forward for now.
Comment on attachment 157586 [details] [diff] [review]
using nsCOMPtr instead of raw pointers

please do NOT store views and frames in comptrs. they are not refcounted. views
will "soon" not have addref/release anymore.

+    nsCOMPtr<nsIScrollableView> scrollableView(GetScrollableView());
+    nsCOMPtr<nsIBox> box(do_QueryInterface(frame));


+    nsresult childQiRv=NS_OK;

any raeson not to name this rv?
Attachment #157586 - Flags: review-
> I am still hunting for a way to get to nsIDOMNSDocument

You have an nsIDOMElement, no?  You get its ownerDocument and then QI that.

Also, nsIBox is not refcounted (just like nsIFrame and nsIView).
- Removed frivolous nsCOMPtr's on boxes, frames and views.
- Performing lots of failure checks, maybe too many
- Finally using nsIDOMNSDocument to get box (forgot the include earlier)

If there are no issues with this patch, I will go ahead and do the same to
nsScrollBoxObject::ScrollToElement
Attachment #157562 - Attachment is obsolete: true
Attachment #157586 - Attachment is obsolete: true
Comment on attachment 157635 [details] [diff] [review]
using nsIDOMNSDocument to get box

>Index: nsScrollBoxObject.cpp

>+  //yes, I like my javascript calls to continue functioning
>+    NS_ASSERTION(child,"null child parameter value");
>+    if(!child)
>+      return NS_ERROR_NULL_POINTER;

No need to assert, and just use:

  NS_ENSURE_ARG_POINTER(child);

>-       return NS_ERROR_FAILURE;
>+      return NS_ERROR_FAILURE;

Don't change the file's indentation, please (and follow the 4-space indentation
in the code you add).

>+    rv = mPresShell->GetPresContext(getter_AddRefs(context));

No need to check rv here.  In fact, on trunk the method just returns a
prescontext, not an nsresult.

>-    nsIFrame* frame = GetFrame();
>-    nsIBox* box;
>-    CallQueryInterface(frame, &box);
>+    nsIFrame *frame = GetFrame();

Why change the code that was already there (moved the space)?

>+    nsIBox *box=0;
>+    rv = CallQueryInterface(frame, &box);

I believe the frame for a nsScrollBoxObject will always be a boxframe.	It may
be worth asserting success here, but it's not worth checking for it.

>+    nsIBox *scrolledBox;

Why change the code that was already there (moved the space)?

>+    nsCOMPtr<nsIDOMDocument> doc;
>+    nsIDOMNSDocument *docNs=0;
>+    
>+    rv = child->GetOwnerDocument(getter_AddRefs(doc));
>+    if(NS_FAILED(rv) || !doc)

You can just check for !doc and return NS_ERROR_UNEXPECTED when that happens. 
But see below.

>+    rv = CallQueryInterface(doc,&docNs);

You're leaking docNs.  Use an nsCOMPtr and do_QueryInterface.  Since that's
null-safe, skip checking for !doc and just check for !docNs.

>+    nsIBoxObject * childBoxObject=0;

And you're _still_ leaking the box object.  Wasn't not leaking this the reason
for all the nsCOMPtr changes?
Attachment #157635 - Flags: review-
Attached patch fixed from comments (obsolete) — Splinter Review 
Ok, I think this one is a winner. 
Implemented all the changes (and yes that wonderful oversight). Thnx for having
patience with me on this.

If this one is good, then I will do the samething to the other function.
Attachment #157635 - Attachment is obsolete: true
Yeah, that looks good (if you remove the random empty line you added and add
spaces after commas in argument lists in both the assert and the
GetBoxObjectFor() call).
Fixed whitespace and commas
Added same fixes to nsScrollBoxObject::ScrollToElement as well
Attachment #157673 - Attachment is obsolete: true
Justin, in general you need to set review requests on patches if you want
someone to review them. I've been keeping track of this one, but it's easy for
normal bugmail to get lost in the shuffle....
Assignee: nobody → justin
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 157684 [details] [diff] [review]
Fixed whitespace, added fix to ScrollToElement

Please use "cvs diff -pu6" as a good starting point for diffs (more context,
and better labeling of where each hunk applies).  It makes diffs easier to
review.

>Index: nsScrollBoxObject.cpp

> #include "nsIDOMXULElement.h"

Is that include still needed?  I don't think it is...

> NS_IMETHODIMP nsScrollBoxObject::ScrollToElement(nsIDOMElement *child)
> {
>+    NS_ENSURE_ARG(child);

NS_ENSURE_ARG_POINTER.

With those two issues fixed, r+sr=bzbarsky; please attach a patch with those
changes and look for someone to check this in on irc?
Attachment #157684 - Flags: superreview+
Attachment #157684 - Flags: review+
Fixed the two remaining issues. Will now look at trunk and add a patch for
that. Does the trunk patch require a separate bug?
Attachment #157684 - Attachment is obsolete: true
No.  In fact, the trunk patch is what should be going into the tree.... once
that's tested, you can ask for branch approval.
Attached patch fixes applied to trunk (obsolete) — Splinter Review 
This is essentially the same fix, but applied to trunk instead of the 1.7
branch.
Random comment: I would have used nsDoc rather than docNs

        Attachment #158505 -
        Attachment is obsolete: true

    
    

    
  


  

        Attachment #158025 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 158524 [details] [diff] [review]
changed docNs to nsDoc on 1.7 branch patch

r+sr=bzbarsky.	I think it's worth taking this on branches... it fixes a crash
and a leak and is very low-risk (the only behavior change for the cases that
didn't crash, is that they no longer leak).

        Attachment #158524 -
        Flags: superreview+

        Attachment #158524 -
        Flags: review+

        Attachment #158524 -
        Flags: approval1.7.x?

        Attachment #158524 -
        Flags: approval-aviary?

    
    

    
  
Checked in for 1.8a4.  Marking fixed (I'll land this on branches if/when it gets
approved).
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

    
    

    
  
lets take this on the aviary branch after we open up from the PR freexe next
week some time.
Flags: blocking1.7.x+
Flags: blocking-aviary1.0+

    
    

    
  
Comment on attachment 158524 [details] [diff] [review]
changed docNs to nsDoc on 1.7 branch patch

a=asa (on behalf of the aviary team and drivers) for checkin to the aviary
branch and the 1.7 branch.

        Attachment #158524 -
        Flags: approval1.7.x?

        Attachment #158524 -
        Flags: approval1.7.x+

        Attachment #158524 -
        Flags: approval-aviary?

        Attachment #158524 -
        Flags: approval-aviary+

    
    

    
  
Fixed on branches.
Keywords: fixed-aviary1.0, 
          
            fixed1.7.x

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: