
[FIX]boxobj.setPropertyAsSupports(undefined, undefined) crashes [@ nsBoxObject::SetPropertyAsSupports]

VERIFIED FIXED in mozilla1.9alpha1

Status


Core
DOM
P3
critical
VERIFIED FIXED
11 years ago
4 years ago

People

(Reporter: Jesse Ruderman, Assigned: bz)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla1.9alpha1
crash, fixed1.8.1, testcase, verified1.8.0.2
Points:
---
Bug Flags:
blocking1.8.0.2 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [rft-dl], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
boxobj.setPropertyAsSupports(undefined, undefined) crashes.  Should this be fixed with a null check of some kind, or by denying content access to these objects or this function?

Marking security-sensitive because of a scary-sounding assertion in http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/xul/base/src/nsBoxObject.cpp&rev=1.53#405.  (I haven't tested whether the testcase triggers the assertion.)
(Reporter)

Comment 1

11 years ago
Created attachment 212362 [details]
testcase
(Reporter)

Updated

11 years ago
Summary: boxobj.setPropertyAsSupports(undefined, undefined) crashes → boxobj.setPropertyAsSupports(undefined, undefined) crashes [@ nsBoxObject::SetPropertyAsSupports]
Created attachment 212540 [details] [diff] [review]
Proposed fix
Assignee: general → bzbarsky
Status: NEW → ASSIGNED
Attachment #212540 - Flags: superreview?(bryner)
Attachment #212540 - Flags: review?(bryner)
This is a null-pointer dereference, basically.  Not related to the assertion from comment 0.  Not sure whether this should be security sensitive; I'd guess "no".
OS: MacOS X → All
Priority: -- → P3
Hardware: Macintosh → All
Summary: boxobj.setPropertyAsSupports(undefined, undefined) crashes [@ nsBoxObject::SetPropertyAsSupports] → [FIX]boxobj.setPropertyAsSupports(undefined, undefined) crashes [@ nsBoxObject::SetPropertyAsSupports]
Target Milestone: --- → mozilla1.9alpha
Attachment #212540 - Flags: approval-branch-1.8.1?(bryner)
Attachment #212540 - Flags: superreview?(bryner)
Attachment #212540 - Flags: superreview+
Attachment #212540 - Flags: review?(bryner)
Attachment #212540 - Flags: review+
Attachment #212540 - Flags: approval-branch-1.8.1?(bryner)
Attachment #212540 - Flags: approval-branch-1.8.1+
Comment on attachment 212540 [details] [diff] [review]
Proposed fix

I think we should take this on the 1.8.0 branch.  Simple null-check fix.
Attachment #212540 - Flags: approval1.8.0.2?
Fixed on trunk and 1.8.1 branch.  I still think this bug should be opened up.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Another possible fix would be to change that interface to use AString; then you can't pass null either, but you avoid the null check (guess that wouldn't work for the branches though).
Group: security
Flags: blocking1.8.0.2+
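As an added illustration of the "simple null-check fix" discussed above, not Mozilla's actual patch: a simplified C++ property setter with the unchecked shape beside the checked one. `BoxObject`, `Supports` and the `nsresult` typedef are stand-ins for Gecko's types, and the assumption that the testcase's `undefined` reaches C++ as a null name pointer follows from the bug's own null-pointer-dereference diagnosis.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Stand-ins for nsresult and the two codes that appear in this bug.
typedef uint32_t nsresult;
const nsresult NS_OK = 0x0;
const nsresult NS_ERROR_ILLEGAL_VALUE = 0x80070057;

// Stand-in for the nsISupports value stored under a property name.
struct Supports { int refcnt = 0; };

// Simplified box object: a string-keyed property table, like nsBoxObject's.
class BoxObject {
public:
  // Pre-fix shape: a null aName is read while building the key, which is
  // undefined behaviour and a crash in practice (not exercised by the tests).
  nsresult SetPropertyAsSupportsUnchecked(const char16_t* aName, Supports* aValue) {
    mProps[std::u16string(aName)] = aValue;
    return NS_OK;
  }
  // Fixed shape: reject a null name before it is dereferenced and report
  // NS_ERROR_ILLEGAL_VALUE, which script sees as the exception in comment 9.
  nsresult SetPropertyAsSupports(const char16_t* aName, Supports* aValue) {
    if (!aName) return NS_ERROR_ILLEGAL_VALUE;
    mProps[std::u16string(aName)] = aValue;
    return NS_OK;
  }
  Supports* GetPropertyAsSupports(const char16_t* aName) const {
    if (!aName) return nullptr;
    auto it = mProps.find(std::u16string(aName));
    return it == mProps.end() ? nullptr : it->second;
  }
private:
  std::map<std::u16string, Supports*> mProps;
};

// The testcase passes undefined for both arguments; per the bug's diagnosis
// the name arrives in C++ as a null pointer, so model that directly.
nsresult null_name_result() {
  BoxObject box;
  return box.SetPropertyAsSupports(nullptr, nullptr);
}
bool valid_name_roundtrip() {
  BoxObject box;
  Supports value;
  return box.SetPropertyAsSupports(u"foo", &value) == NS_OK &&
         box.GetPropertyAsSupports(u"foo") == &value;
}
```

An `AString`-style reference parameter, as suggested in the previous comment, removes the null case at the interface instead of checking for it in the body.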
Comment on attachment 212540 [details] [diff] [review]
Proposed fix

approved for 1.8.0 branch, a=dveditz
Attachment #212540 - Flags: approval1.8.0.2? → approval1.8.0.2+
Fixed for 1.8.0.2.
Keywords: fixed1.8.0.2
(Reporter)

Updated

11 years ago
Status: RESOLVED → VERIFIED

Updated

11 years ago
Whiteboard: [rft-dl]

Comment 9

11 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060306 Firefox/1.5.0.2, no crash with testcase, just an exception in jsc:

Error: [Exception... "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIBoxObject.setPropertyAsSupports]"  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: https://bugzilla.mozilla.org/attachment.cgi?id=212362 :: init :: line 11"  data: no]
Source File: https://bugzilla.mozilla.org/attachment.cgi?id=212362
Line: 11
Keywords: fixed1.8.0.2 → verified1.8.0.2
(Reporter)

Comment 10

11 years ago
See also bug 346083, same thing for nsBoxObject::SetProperty.
(Reporter)

Comment 11

9 years ago
Crashtest checked in.
Flags: in-testsuite+
Crash Signature: [@ nsBoxObject::SetPropertyAsSupports]
Component: DOM: Mozilla Extensions → DOM
Product: Core → Core