Closed Bug 303654 Opened 19 years ago Closed 19 years ago

InstallTrigger.install(null) crashes [@ JS_Enumerate]

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: sync2d, Assigned: dveditz)

Details

(Keywords: crash, verified1.8, Whiteboard: [ETA as soon as approved])

Attachments

(1 file)

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b4) Gecko/20050805 Firefox/1.0+

Since InstallTriggerGlobalInstall()'s argument validation is not enough,
InstallTrigger.install(null) dereferences a NULL pointer and crashes.


Reproducible: Always

Steps to Reproduce:
1. navigate to: https://addons.mozilla.org/
2. navigate to: javascript: InstallTrigger.install(null);



http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=8130374

Stack Signature JS_Enumerate 4e0ca17c 
Product ID FirefoxTrunk 
Build ID 2005080506 
Trigger Time 2005-08-06 00:18:16.0 
Platform Win32 
Operating System Windows 98 4.10 build 67766222 
Module JS3250.DLL + (0000417a) 
URL visited javascript: InstallTrigger.install(null); 
User Comments  
Since Last Crash 65 sec 
Total Uptime 65 sec 
Trigger Reason Access violation 
Source File, Line No. c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3069 
Stack Trace  

JS_Enumerate  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3069]
InstallTriggerGlobalInstall  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/xpinstall/src/nsJSInstallTriggerGlobal.cpp, line 394]
Attached patch: check for NULL
add checks for NULL
Confirming with build 2005-08-06-06, Windows XP SeaMonkey trunk.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Comment on attachment 191788 [details] [diff] [review]
check for NULL

Thanks! I'd prefer checking !JSVAL_IS_NULL() for clarity, but it all works out
to the same thing in the end.

r/sr=dveditz
Attachment #191788 - Flags: superreview+
Attachment #191788 - Flags: review?(dveditz)
Attachment #191788 - Flags: review+
Attachment #191788 - Flags: approval1.8b4?
Assignee: xpi-engine → dveditz
Whiteboard: [ETA as soon as approved]
Attachment #191788 - Flags: approval1.8b4? → approval1.8b4+
This seems to have landed on the branch. Can the bug be resolved now?
Keywords: fixed1.8
verified on Deer Park Branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8b4) Gecko/20050901 Firefox/1.0+
Keywords: fixed1.8 → verified1.8
Marking as FIXED since already fixed on trunk.
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050910 Firefox/1.6a1
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1)
Gecko/20050915 Mozilla/1.0
Status: RESOLVED → VERIFIED
Crash Signature: [@ JS_Enumerate]
Product: Core → Core Graveyard
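
The validation gap discussed in this bug, as an added example that is not the attached patch or Mozilla's code: a toy C model in which null is assumed to be encoded as an object-tagged value carrying a NULL pointer, so a tag-only check accepts it. All type, macro and function names are hypothetical, and the weak path reports the NULL dereference as a return code instead of crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy tagged-value model. All names are hypothetical, not SpiderMonkey's.
 * Assumption: null is an object-tagged word carrying a NULL pointer. */
typedef uintptr_t val_t;
typedef struct { int nprops; } obj_t;
#define TAG_MASK   ((uintptr_t)0x7)
#define TAG_OBJECT ((uintptr_t)0x0)
#define TAG_INT    ((uintptr_t)0x1)
#define VAL_NULL   ((val_t)0)
enum { ARG_OK = 0, ARG_REJECTED = -1, ARG_NULL_DEREF = -2 };

static inline int    val_is_object(val_t v) { return (v & TAG_MASK) == TAG_OBJECT; }
static inline int    val_is_null(val_t v)   { return v == VAL_NULL; }
static inline obj_t *val_to_object(val_t v) { return (obj_t *)(v & ~TAG_MASK); }
static inline val_t  int_to_val(unsigned i) { return ((val_t)i << 3) | TAG_INT; }

/* Constructed sample object, aligned so its low three bits are free for the tag. */
static _Alignas(8) obj_t sample = { 3 };
static val_t sample_val(void) { return (val_t)&sample; }

/* Stand-in for the enumeration step: it reads through the pointer. */
static int enumerate(const obj_t *o) { return o->nprops; }

/* Weak validation: the tag test alone lets null through. */
static int install_weak(val_t arg, int *count) {
    if (!val_is_object(arg)) return ARG_REJECTED;
    obj_t *o = val_to_object(arg);
    if (o == NULL) return ARG_NULL_DEREF; /* reported here instead of crashing */
    *count = enumerate(o);
    return ARG_OK;
}

/* Hardened validation: reject null before converting the argument. */
static int install_checked(val_t arg, int *count) {
    if (!val_is_object(arg) || val_is_null(arg)) return ARG_REJECTED;
    *count = enumerate(val_to_object(arg));
    return ARG_OK;
}

int main(void) {
    int n = 0;
    printf("weak(null)=%d checked(null)=%d checked(obj)=%d\n", install_weak(VAL_NULL, &n),
           install_checked(VAL_NULL, &n), install_checked(sample_val(), &n));
    return 0;
}
```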