
[FIX]boxobj.setPropertyAsSupports(undefined, undefined) crashes [@ nsBoxObject::SetPropertyAsSupports]

VERIFIED FIXED in mozilla1.9alpha1

Status

Product: Core
Component: DOM
Priority: P3
Severity: critical
Status: VERIFIED FIXED
Reported: 12 years ago
Modified: 4 years ago

People

(Reporter: Jesse Ruderman, Assigned: bz)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla1.9alpha1
Keywords: crash, fixed1.8.1, testcase, verified1.8.0.2
Points:
---
Bug Flags:
blocking1.8.0.2 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [rft-dl], crash signature)

Attachments

(2 attachments)

testcase (315 bytes, text/html)
Proposed fix (1.44 KB, patch)
Brian Ryner (not reading): review+, superreview+, approval-branch-1.8.1+
(Reporter)

Description

12 years ago
boxobj.setPropertyAsSupports(undefined, undefined) crashes.  Should this be fixed with a null check of some kind, or by denying content access to these objects or this function?

Marking security-sensitive because of a scary-sounding assertion in http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/xul/base/src/nsBoxObject.cpp&rev=1.53#405.  (I haven't tested whether the testcase triggers the assertion.)
(Reporter)

Comment 1

12 years ago
Created attachment 212362 [details]
testcase
(Reporter)

Updated

12 years ago
Summary: boxobj.setPropertyAsSupports(undefined, undefined) crashes → boxobj.setPropertyAsSupports(undefined, undefined) crashes [@ nsBoxObject::SetPropertyAsSupports]
(Assignee)

Comment 2

12 years ago
Created attachment 212540 [details] [diff] [review]
Proposed fix
Assignee: general → bzbarsky
Status: NEW → ASSIGNED
Attachment #212540 - Flags: superreview?(bryner)
Attachment #212540 - Flags: review?(bryner)
(Assignee)

Comment 3

12 years ago
This is a null-pointer dereference, basically.  Not related to the assertion from comment 0.  Not sure whether this should be security sensitive; I'd guess "no".
OS: MacOS X → All
Priority: -- → P3
Hardware: Macintosh → All
Summary: boxobj.setPropertyAsSupports(undefined, undefined) crashes [@ nsBoxObject::SetPropertyAsSupports] → [FIX]boxobj.setPropertyAsSupports(undefined, undefined) crashes [@ nsBoxObject::SetPropertyAsSupports]
Target Milestone: --- → mozilla1.9alpha
(Assignee)

Updated

12 years ago
Attachment #212540 - Flags: approval-branch-1.8.1?(bryner)
Attachment #212540 - Flags: superreview?(bryner)
Attachment #212540 - Flags: superreview+
Attachment #212540 - Flags: review?(bryner)
Attachment #212540 - Flags: review+
Attachment #212540 - Flags: approval-branch-1.8.1?(bryner)
Attachment #212540 - Flags: approval-branch-1.8.1+
(Assignee)

Comment 4

12 years ago
Comment on attachment 212540 [details] [diff] [review]
Proposed fix

I think we should take this on the 1.8.0 branch.  Simple null-check fix.
Attachment #212540 - Flags: approval1.8.0.2?
(Assignee)

Comment 5

12 years ago
Fixed on trunk and 1.8.1 branch.  I still think this bug should be opened up.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Another possible fix would be to change that interface to use AString; then you can't pass null either, but you avoid the null check (guess that wouldn't work for the branches though).
Group: security
Flags: blocking1.8.0.2+
Comment on attachment 212540 [details] [diff] [review]
Proposed fix

approved for 1.8.0 branch, a=dveditz
Attachment #212540 - Flags: approval1.8.0.2? → approval1.8.0.2+
(Assignee)

Comment 8

12 years ago
Fixed for 1.8.0.2.
Keywords: fixed1.8.0.2
(Reporter)

Updated

12 years ago
Status: RESOLVED → VERIFIED

Updated

12 years ago
Whiteboard: [rft-dl]

Comment 9

12 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060306 Firefox/1.5.0.2, no crash with testcase, just an exception in jsc:

Error: [Exception... "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIBoxObject.setPropertyAsSupports]"  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: https://bugzilla.mozilla.org/attachment.cgi?id=212362 :: init :: line 11"  data: no]
Source File: https://bugzilla.mozilla.org/attachment.cgi?id=212362
Line: 11
Keywords: fixed1.8.0.2 → verified1.8.0.2
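Comment 3 describes the bug as a plain null-pointer dereference, and comment 9 shows what the fixed build does instead: the call fails with NS_ERROR_ILLEGAL_VALUE and script sees an exception rather than a crash. The following model, added here as an illustration and not taken from Mozilla's nsBoxObject source, puts the unchecked and the checked entry points side by side. The class, the property map and the convention that a null value removes the property are assumptions of the model; the only value taken from the thread is the nsresult code quoted in comment 9.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>

// Constructed model of the bug and of its null-check fix. It is not the
// nsBoxObject implementation; only the error code comes from the bug thread.
typedef uint32_t nsresult;
const nsresult NS_OK = 0x00000000;
const nsresult NS_ERROR_ILLEGAL_VALUE = 0x80070057;  // value quoted in comment 9

// Hypothetical property store keyed by UTF-16 property name (assumption).
struct BoxObjectModel {
    std::map<std::u16string, void*> mProperties;

    // Before the fix: aName is used without a null check. A script passing
    // `undefined` for the name arrives here as a null string pointer, so the
    // length scan below reads through address 0 and the process crashes.
    nsresult SetPropertyAsSupportsUnchecked(const char16_t* aName, void* aValue) {
        std::size_t len = 0;
        while (aName[len] != 0) {   // null aName -> null-pointer dereference
            ++len;
        }
        mProperties[std::u16string(aName, len)] = aValue;
        return NS_OK;
    }

    // After the fix: a null name is rejected with NS_ERROR_ILLEGAL_VALUE before
    // anything is dereferenced. Script then sees the "Component returned failure
    // code" exception from comment 9 instead of a crash. In this model a null
    // value is legal and removes the property (assumption, not the real API).
    nsresult SetPropertyAsSupports(const char16_t* aName, void* aValue) {
        if (aName == nullptr) {
            return NS_ERROR_ILLEGAL_VALUE;
        }
        std::u16string key(aName);
        if (aValue == nullptr) {
            mProperties.erase(key);
        } else {
            mProperties[key] = aValue;
        }
        return NS_OK;
    }

    // Lookup helper for checking the store; null or unknown names yield nullptr.
    void* GetPropertyAsSupports(const char16_t* aName) const {
        if (aName == nullptr) {
            return nullptr;
        }
        auto it = mProperties.find(std::u16string(aName));
        return it == mProperties.end() ? nullptr : it->second;
    }
};
```

The checked method is the only one worth exercising: calling it with a null name returns the error code and leaves the map untouched, while a real name round-trips through the store and a null value clears it. The unchecked variant is kept only to show where the original dereference happened; calling it with a null name reproduces the crash, which is exactly why the fix validates the argument at the boundary where script input enters native code.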
(Reporter)

Comment 10

11 years ago
See also bug 346083, same thing for nsBoxObject::SetProperty.
(Reporter)

Comment 11

10 years ago
Crashtest checked in.
Flags: in-testsuite+
Crash Signature: [@ nsBoxObject::SetPropertyAsSupports]
Component: DOM: Mozilla Extensions → DOM
Product: Core → Core