boxobj.setPropertyAsSupports(undefined, undefined) crashes. Should this be fixed with a null check of some kind, or by denying content access to these objects or this function? Marking security-sensitive because of a scary-sounding assertion in http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/xul/base/src/nsBoxObject.cpp&rev=1.53#405. (I haven't tested whether the testcase triggers the assertion.)
Created attachment 212540: Proposed fix
This is a null-pointer dereference, basically. Not related to the assertion from comment 0. Not sure whether this should be security sensitive; I'd guess "no".
Comment on attachment 212540 (Proposed fix): I think we should take this on the 1.8.0 branch. Simple null-check fix.
Fixed on trunk and 1.8.1 branch. I still think this bug should be opened up.
another possible fix would be to change that interface to use AString, then you can't pass null either but avoid the nullcheck (guess that wouldn't work for the branches though)
Comment on attachment 212540 (Proposed fix): approved for 1.8.0 branch, a=dveditz
Fixed for 18.104.22.168.
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:22.214.171.124) Gecko/20060306 Firefox/126.96.36.199, no crash with testcase, just an exception in jsc:

Error: [Exception... "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIBoxObject.setPropertyAsSupports]" nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: https://bugzilla.mozilla.org/attachment.cgi?id=212362 :: init :: line 11" data: no]
Source File: https://bugzilla.mozilla.org/attachment.cgi?id=212362
Line: 11
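The pattern under discussion, as an added illustration that is not Mozilla's code and not the attached patch: a script-reachable method takes a string by pointer, a JS `undefined` argument marshals to a null pointer, and the method dereferences it. The "before" version below crashes on null; the "after" version is the null-check fix that returns the error code quoted in the verification comment; the third variant is the alternative from comment 7, taking the string by reference so a null cannot be passed at all. `nsresult`, `NS_OK`, `BoxObjectProps` and the function names are stand-ins, not XPCOM's real headers or the real `nsBoxObject` implementation.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Hypothetical stand-ins for XPCOM types (not Mozilla's headers).
typedef uint32_t nsresult;
const nsresult NS_OK = 0;
const nsresult NS_ERROR_ILLEGAL_VALUE = 0x80070057;  // the failure code quoted in the thread

// Stand-in for a box object's property table: string key -> opaque pointer
// (void* plays the role of nsISupports* here).
struct BoxObjectProps {
    std::map<std::string, void*> table;
};

// "Before": the name arrives as a pointer and is dereferenced unconditionally.
// When content passes undefined/null, name is nullptr and this line crashes.
nsresult SetPropertyUnchecked(BoxObjectProps& self, const std::string* name, void* value) {
    self.table[*name] = value;  // null-pointer dereference when name == nullptr
    return NS_OK;
}

// "After": the simple null-check fix. A null name is rejected with an error
// the caller sees as an exception instead of a crash.
nsresult SetPropertyChecked(BoxObjectProps& self, const std::string* name, void* value) {
    if (!name) {
        return NS_ERROR_ILLEGAL_VALUE;
    }
    self.table[*name] = value;
    return NS_OK;
}

// Alternative (comment 7's idea): take the string by reference so the
// interface itself cannot be handed a null, and no runtime check is needed.
nsresult SetPropertyByRef(BoxObjectProps& self, const std::string& name, void* value) {
    self.table[name] = value;
    return NS_OK;
}

// Convenience lookup so callers can confirm what was stored.
void* GetProperty(const BoxObjectProps& self, const std::string& name) {
    std::map<std::string, void*>::const_iterator it = self.table.find(name);
    return it == self.table.end() ? nullptr : it->second;
}
```

The checked version is what the verification comment observed: the same testcase that used to crash now surfaces as an `NS_ERROR_ILLEGAL_VALUE` exception in script. The by-reference variant removes the failure mode at the interface boundary, which is the stronger fix when the interface can still be changed.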
See also bug 346083, same thing for nsBoxObject::SetProperty.
Crashtest checked in.