Closed
Bug 309574
Opened 20 years ago
Closed 19 years ago
[FIX]Invalid read in nsJSEventListener::HandleEvent
Categories
(Core :: DOM: Events, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.8.1alpha1
People
(Reporter: ajschult784, Assigned: bzbarsky)
Details
(Keywords: fixed1.8.0.4, fixed1.8.1)
Attachments
(3 files)
|
2.45 KB,
text/plain
|
Details | |
|
2.46 KB,
text/plain
|
Details | |
|
1.26 KB,
patch
|
jst
:
review+
jst
:
superreview+
jst
:
approval-branch-1.8.1+
dveditz
:
approval1.8.0.4+
|
Details | Diff | Splinter Review |
Following part of the steps frmo bug 309564, valgrind reports an invalid read in
nsJSEventListener::HandleEvent (of freed memory).
Steps to reproduce:
2. Visit the linked URL ( http://demo.planzo.com )
3. Click a box on the calendar and type a comment then press <ENTER>
4. Double-click the event you entered in Step 3.
The page is heavily DHTML and also does AJAX. I'll attach the info valgrind gives.
|
Reporter | |
Comment 1•20 years ago
|
||
|
Assignee | |
Comment 2•19 years ago
|
||
Andrew, do you still see this? I can't reproduce...
|
|
Reporter | |
Comment 3•19 years ago
|
||
worksforme with trunk although I still see it with a 1.8 branch build. Is there interest fixing this there?
Version: Trunk → 1.8 Branch
|
|
Assignee | |
Comment 4•19 years ago
|
||
Probably... if we could figure out when this got fixed on trunk (e.g. could we test with nightlies?), that would be a great start.
|
|
Reporter | |
Comment 5•19 years ago
|
||
a build from 2005120204 does
a build from 2005120305 does not have the bug
|
|
Assignee | |
Comment 6•19 years ago
|
||
Presumably when the JS event listener stuff got changed majorly in bug 241518...
Do we have any idea for the line number or anything like that? I mean on the branch?
|
|
Reporter | |
Comment 7•19 years ago
|
||
line numbers are only a bit off from before
|
|
Assignee | |
Comment 8•19 years ago
|
||
Does doing:
nsCOMPtr<nsIJSEventListener> kungFuDeathGrip(this);
At the top of HandleEvent help? It looks to me like we die in the event, then try to access our member...
|
|
Reporter | |
Comment 9•19 years ago
|
||
yes, the kungFuDeathGrip fixed the valgrind error
|
|
Assignee | |
Comment 10•19 years ago
|
||
OK, I see why bug 241518 helped. This patch should fix the valgrind warning too.
Drivers: This is a memory read of deleted memory. I _think_ it's not exploitable (it's just accessing a member variable). But it might make sense to fix this on the 1.8.0 branch anyway.
Attachment #218492 -
Flags: superreview?(jst)
Attachment #218492 -
Flags: review?(jst)
Attachment #218492 -
Flags: approval1.8.0.3?
Attachment #218492 -
Flags: approval-branch-1.8.1?(jst)
|
|
Assignee | |
Updated•19 years ago
|
Assignee: events → bzbarsky
Priority: -- → P1
Summary: Invalid read in nsJSEventListener::HandleEvent → [FIX]Invalid read in nsJSEventListener::HandleEvent
Target Milestone: --- → mozilla1.8.1alpha1
|
||
Comment 11•19 years ago
|
||
Comment on attachment 218492 [details] [diff] [review]
Patch
r+sr+a=jst
Attachment #218492 -
Flags: superreview?(jst)
Attachment #218492 -
Flags: superreview+
Attachment #218492 -
Flags: review?(jst)
Attachment #218492 -
Flags: review+
Attachment #218492 -
Flags: approval-branch-1.8.1?(jst)
Attachment #218492 -
Flags: approval-branch-1.8.1+
|
|
Assignee | |
Comment 12•19 years ago
|
||
Fixed on 1.8.1 branch.
|
||
Comment 13•19 years ago
|
||
Comment on attachment 218492 [details] [diff] [review]
Patch
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #218492 -
Flags: approval1.8.0.3? → approval1.8.0.3+
You need to log in
before you can comment on or make changes to this bug.
Description
•