Closed Bug 327066 Opened 15 years ago Closed 15 years ago
.create Event('Text Event') crashes
Steps to reproduce (WARNING! This will crash your browser):
1. Click on above URL
2. Crash and burn

TB IDs from a recent 1.8 nightly: TB15134809G, TB15134839Y, TB15134942E

Also happens with FF 126.96.36.199.
This is a null pointer dereference in the event code; it's not exploitable, so clearing the security group flag. This is a regression from bug 238773. I have a fix.
This is a diff -w (to account for some whitespace inconsistencies below the patch). Presumably, the old code set aEvent early, whereas this moved code doesn't bother (and instead sets mEvent). This patch simply uses mEvent, which is set to aEvent if that isn't null, and a new event otherwise.
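The pattern described in the comment above, as an added example that is neither the attached patch nor Gecko code: a constructor that falls back to a new event when aEvent is null must read through mEvent afterwards, never through the parameter. The Event and DOMTextEvent types and their members are hypothetical stand-ins; only the aEvent/mEvent names come from the comment.

```cpp
#include <cstdio>
#include <memory>
#include <string>

// Hypothetical stand-in for the underlying event structure.
struct Event {
    std::string type = "textevent";
};

// Hypothetical wrapper. aEvent may legitimately be null, in which case
// the wrapper allocates its own event.
class DOMTextEvent {
public:
    explicit DOMTextEvent(Event* aEvent) {
        if (aEvent) {
            mEvent = aEvent;            // borrow the caller's event
        } else {
            mOwned.reset(new Event());  // nothing passed in: make a new one
            mEvent = mOwned.get();
        }
        // Regressed form (left as a comment because it crashes):
        //     mType = aEvent->type;    // aEvent is null on the path above
        // Fixed form: mEvent is non-null on both paths.
        mType = mEvent->type;
    }

    const std::string& Type() const { return mType; }
    bool OwnsEvent() const { return mOwned != nullptr; }

private:
    std::unique_ptr<Event> mOwned;  // set only when we allocated the event
    Event* mEvent = nullptr;        // always valid after construction
    std::string mType;
};

int main() {
    DOMTextEvent created(nullptr);  // the path that used to crash
    Event existing;
    existing.type = "keypress";
    DOMTextEvent wrapped(&existing);
    std::printf("%s owned=%d\n", created.Type().c_str(), created.OwnsEvent());
    std::printf("%s owned=%d\n", wrapped.Type().c_str(), wrapped.OwnsEvent());
    return 0;
}
```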
Comment on attachment 211787 (Fix)
r+sr=jst
For the record, this is what I just checked in.
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment on attachment 211787 (Fix)
This is a pretty trivial null-defense fix...
Attachment #211787 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Comment on attachment 211787 (Fix)
approved for 1.8.0 branch, a=dveditz
Attachment #211787 - Flags: approval188.8.131.52? → approval184.108.40.206+
Fix checked into the 1.8 branches, though I neglected to mention my a= in the checkin comment.
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11) Gecko/20060302 Firefox/18.104.22.168, no crash with js event in URL bar.