Closed Bug 286181 Opened 20 years ago Closed 20 years ago

segfault when <getter> directly inside <implementation>

Categories

(Core :: XBL, defect)

1.7 Branch
x86
Linux
defect
Not set
critical

VERIFIED DUPLICATE of bug 279697

People

(Reporter: lenz, Unassigned)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.5) Gecko/20050106 Galeon/1.3.19 (Debian package 1.3.19-4)
Build Identifier: Firefox 1.0.1

Something like the following will crash Firefox.  Potentially serious because it
could be located on a remote site.

<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl"
xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <binding id="crash">
    <content>
      <xul:textbox/>
    </content>
    
    <implementation>
      <getter>Crash me</getter>
    </implementation>
  </binding>
</bindings>

The problem is in content/xbl/src/nsXBLContentSink.cpp line 153.  Since the
getter tag is not inside a <property> tag, mProperty is null so calling
mProperty->AppendGetterText is crashing.  I fixed the problem by just sticking
an "if (mProperty)" around those two calls.

Reproducible: Always

Steps to Reproduce:
Attached patch fixes the crash

John, thank you for the patch suggestion.  As it happens, this has been fixed
since late January on trunk (in a slightly different way that reports an error
about the malformed XBL to the JS console).

*** This bug has been marked as a duplicate of 279697 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Version: Trunk → 1.7 Branch
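
An added illustration, not code from Mozilla or from the attached patch: a simplified C++ model of a content sink that combines the null check the reporter describes with the malformed-markup error reporting the reply attributes to trunk. `BindingSink`, `Property` and the method names are hypothetical; only `mProperty` mirrors the name used in the report.

```cpp
// Simplified model of an XML content sink; not Mozilla's nsXBLContentSink.
#include <memory>
#include <string>
#include <vector>

struct Property { std::string getterText, setterText; };

class BindingSink {  // hypothetical class
 public:
  void OpenElement(const std::string& tag) {
    if (tag == "property") {
      mProperties.push_back(std::make_unique<Property>());
      mProperty = mProperties.back().get();
    } else if (tag == "getter" || tag == "setter") {
      if (!mProperty) {  // malformed: no enclosing <property>
        mErrors.push_back("<" + tag + "> outside <property>");
        mState = State::Ignore;
      } else {
        mState = (tag == "getter") ? State::Getter : State::Setter;
      }
    }
  }
  void CloseElement(const std::string& tag) {
    if (tag == "property") mProperty = nullptr;
    else if (tag == "getter" || tag == "setter") mState = State::None;
  }
  void CharacterData(const std::string& text) {
    if (!mProperty) return;  // the guard the report describes
    if (mState == State::Getter) mProperty->getterText += text;
    else if (mState == State::Setter) mProperty->setterText += text;
  }
  const std::vector<std::string>& Errors() const { return mErrors; }
  const std::vector<std::unique_ptr<Property>>& Properties() const { return mProperties; }
 private:
  enum class State { None, Getter, Setter, Ignore };
  State mState = State::None;
  Property* mProperty = nullptr;  // null whenever no <property> is open
  std::vector<std::unique_ptr<Property>> mProperties;
  std::vector<std::string> mErrors;
};

int main() {  // constructed input mirroring the reported binding
  BindingSink sink;
  sink.OpenElement("implementation");
  sink.OpenElement("getter");
  sink.CharacterData("Crash me");
  sink.CloseElement("getter");
  return sink.Errors().size() == 1 ? 0 : 1;
}
```

Recording the error at the point the element opens, rather than only skipping the append, is what makes malformed markup visible to whoever authored or is auditing the binding.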