Closed Bug 328023 Opened 19 years ago Closed 19 years ago

probably null dereference in xpconnect

Categories

(Core :: Security, defect)

x86
Linux
defect
Not set
normal


RESOLVED DUPLICATE of bug 327597

People

(Reporter: guninski, Assigned: jst)


Details

javascript:setTimeout.call({__proto__: Components},"alert('v')",0x909090,0x909090);

Seems like a null dereference, but eventually may be worse.

This:

javascript:eval.call(null,"alert(__proto__)",{a: 2},0x90909090);

also seems somewhat suspicious.

Stack of the first URI:

#6 0x080aba3b in ah_crap_handler (signum=11) at nsSigHandlers.cpp:132
#7 0x080ac1d1 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:210
#8 <signal handler called>
#9 0x080d2c14 in nsCOMPtr<nsIClassInfo>::get (this=0x8) at nsCOMPtr.h:831
#10 0x080d2b94 in nsCOMPtr<nsIClassInfo>::operator nsDerivedSafe<nsIClassInfo>* (this=0x8) at nsCOMPtr.h:843
#11 0x080d2b7a in XPCWrappedNativeProto::GetClassInfo (this=0x0) at xpcprivate.h:1657
#12 0x080f7fb5 in XPCWrappedNative::GetWrappedNativeOfJSObject (cx=0x949cf08, obj=0x947f138, funobj=0x947f140, pobj2=0xbfffa650, pTearOff=0xbfffa65c) at /opt/firefox-cvs/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:1211
#13 0x080d1a94 in XPCCallContext (this=0xbfffa618, callerLanguage=8, cx=0x8, obj=0x947f138, funobj=0x947f140, name=0, argc=3, argv=0x961b038, rval=0xbfffa758) at /opt/firefox-cvs/mozilla/js/src/xpconnect/src/xpccallcontext.cpp:142
#14 0x08101b7a in XPC_WN_CallMethod (cx=0x949cf08, obj=0x947f138, argc=3, argv=0x961b038, vp=0xbfffa758)
Assignee: nobody → dveditz
Component: General → Security
Product: Firefox → Core
QA Contact: general → toolkit
Blake, Johnny: which of you claims this one?
Assignee: dveditz → jst
The null dereference here is a duplicate of bug 327597. I'm not sure what the point of the second javascript: URL is here. It is equivalent to: javascript:window.eval("alert(__proto__)", {a: 2}), which alerts the anonymous object's __proto__, which is an [object Object], per ECMA.

*** This bug has been marked as a duplicate of 327597 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Group: security