segfault when <getter> directly inside <implementation>

VERIFIED DUPLICATE of bug 279697

Product: Core
Component: XBL
Severity: critical
Version: 1.7 Branch
Platform: x86, Linux
Reporter: John Lenz
Assignee: Unassigned
Attachments: 1

Description (Reporter, 13 years ago)
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.5) Gecko/20050106 Galeon/1.3.19 (Debian package 1.3.19-4)
Build Identifier: Firefox 1.0.1

Something like the following will crash Firefox.  Potentially serious because it
could be located on a remote site.

<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl"
xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <binding id="crash">
    <content>
      <xul:textbox/>
    </content>
    
    <implementation>
      <getter>Crash me</getter>
    </implementation>
  </binding>
</bindings>

The problem is in content/xbl/src/nsXBLContentSink.cpp line 153.  Since the
getter tag is not inside a <property> tag, mProperty is null so calling
mProperty->AppendGetterText is crashing.  I fixed the problem by just sticking
an "if (mProperty)" around those two calls.

Reproducible: Always

Steps to Reproduce:

Comment 1 (Reporter, 13 years ago)
Created attachment 177451
fixes the crash

John, thank you for the patch suggestion.  As it happens, this has been fixed
since late January on trunk (in a slightly different way that reports an error
about the malformed XBL to the JS console).

*** This bug has been marked as a duplicate of 279697 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
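
An added example, not Mozilla's code and not the attached patch: a toy C++ model of the sink state discussed in this bug, combining the null check from the description with the error report mentioned for the trunk fix. Only mProperty and AppendGetterText are names from the report; ToySink, the Property layout, the errors list and ReplayReportCase are hypothetical.

```cpp
#include <memory>
#include <string>
#include <vector>

struct Property {                      // stand-in for the XBL property object
    std::string getterText;
    void AppendGetterText(const std::string& t) { getterText += t; }
};
class ToySink {                        // hypothetical, models only the sink state
public:
    std::vector<std::string> errors;   // stands in for the JS console
    std::vector<Property> finished;    // properties completed so far
    void OpenElement(const std::string& tag) {
        if (tag == "property") mProperty.reset(new Property());
        mStack.push_back(tag);
    }
    void CloseElement() {
        if (mStack.empty()) return;
        if (mStack.back() == "property" && mProperty) {
            finished.push_back(*mProperty); mProperty.reset();
        }
        mStack.pop_back();
    }
    bool CharacterData(const std::string& text) {  // false = text rejected
        if (mStack.empty() || mStack.back() != "getter") return true;
        // Unguarded form from the report: mProperty->AppendGetterText(text);
        // it dereferences null when <getter> sits directly in <implementation>.
        if (!mProperty) {
            errors.push_back("<getter> outside <property>");
            return false;
        }
        mProperty->AppendGetterText(text);
        return true;
    }
private:
    std::unique_ptr<Property> mProperty;  // null unless inside <property>
    std::vector<std::string> mStack;      // open element names
};
// Replays the shape of the report's test case: implementation > getter > text.
bool ReplayReportCase(ToySink& s) {
    s.OpenElement("implementation"); s.OpenElement("getter");
    bool ok = s.CharacterData("Crash me");
    s.CloseElement(); s.CloseElement();
    return ok;
}
int main() {
    ToySink sink;
    return ReplayReportCase(sink) ? 1 : 0;  // 0: malformed input rejected, no crash
}
```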

Updated

13 years ago
Status: RESOLVED → VERIFIED
Version: Trunk → 1.7 Branch