Closed
Bug 334290
Opened 18 years ago
Closed 18 years ago
nsJSEventListener::HandleEvent inconsistently uses &stackPtr/stackPtr for JS_(Push|Pop)Arguments
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: timeless, Assigned: timeless)
References
(Blocks 1 open bug, )
Details
(Keywords: coverity, crash)
Attachments
(1 obsolete file)
i'm filing this as a security bug because i'm not sure if content code could coerce us to take this path. i don't think anything bad will happen if we do happen to use it uninitialized, but i don't want to think about it either.
Attachment #218628 -
Flags: superreview?(jst)
Attachment #218628 -
Flags: review?(jst)
Comment 2•18 years ago
Comment on attachment 218628: pass pointer to pop
r+sr=jst
Attachment #218628 -
Flags: superreview?(jst)
Attachment #218628 -
Flags: superreview+
Attachment #218628 -
Flags: review?(jst)
Attachment #218628 -
Flags: review+
Comment on attachment 218628: pass pointer to pop
mozilla/dom/src/events/nsJSEventListener.cpp 1.52
Attachment #218628 -
Flags: approval1.8.0.5?
Attachment #218628 -
Flags: approval-branch-1.8.1?(jst)
Comment on attachment 218628: pass pointer to pop
this is wrong. i think the prototype is bad.
Attachment #218628 -
Attachment is obsolete: true
Attachment #218628 -
Flags: superreview+
Attachment #218628 -
Flags: review-
Attachment #218628 -
Flags: review+
Attachment #218628 -
Flags: approval1.8.0.5?
Attachment #218628 -
Flags: approval-branch-1.8.1?(jst)
invalid. coverity took a path that doesn't make sense and i failed (again i believe!) to verify that the api really isn't this inconsistent, because had i checked, i'd have seen that it really is. the push uses an extra pointer so that it can out the value, and the pop doesn't need that extra pointer, so it doesn't use it. the result is ime lame experience as a terrible coder, that i screw this up fairly often and wish that the api had not been written this way. i'm very very very very sorry that i ever touch this api and wish i could make myself never see it again :(. i'd also almost like to make this bug permanently invisible if people don't mind, because i'm so embarrassed by it. :( note that i fully expect everyone in the world to read this comment, such is the life of a public bugzilla.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
Updated•18 years ago
Group: security
Updated•6 years ago
Blocks: coverity-analysis
Updated•5 years ago
Component: DOM → DOM: Core & HTML
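The push/pop asymmetry described in the closing comment, as an added example that is not part of this bug or of Mozilla's code: a constructed mark/release stack where push hands the mark back through a `void **` out-parameter and pop takes the mark by value. `ArgStack`, `push_args`, `pop_args` and `demo` are hypothetical names, and the bounds check in `pop_args` is an assumption of this model, not a statement about what `JS_PopArguments` does.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a mark/release argument stack; not SpiderMonkey code. */
#define ARENA_WORDS 64
typedef struct { intptr_t slots[ARENA_WORDS]; size_t top; } ArgStack;

/* Push returns the argument vector AND writes a mark through an
 * out-parameter, hence void **. On failure *markp is left untouched. */
intptr_t *push_args(ArgStack *st, void **markp, const intptr_t *vals, size_t n)
{
    if (n > ARENA_WORDS - st->top)
        return NULL;
    intptr_t *argv = &st->slots[st->top];
    for (size_t i = 0; i < n; i++)
        argv[i] = vals[i];
    st->top += n;
    *markp = argv;
    return argv;
}

/* Pop only consumes the mark, so it takes void *. This model rejects any
 * mark that is not a slot boundary inside the live part of the arena. */
int pop_args(ArgStack *st, void *mark)
{
    uintptr_t m = (uintptr_t)mark, base = (uintptr_t)st->slots;
    uintptr_t end = (uintptr_t)(st->slots + st->top);
    if (m < base || m > end || (m - base) % sizeof(intptr_t) != 0)
        return -1;
    st->top = (m - base) / sizeof(intptr_t);
    return 0;
}

/* Both pop calls compile without a diagnostic because void ** converts
 * implicitly to void *; only the second passes the mark itself. */
int demo(void)
{
    ArgStack st = { {0}, 0 };
    void *mark = NULL;                   /* initialised: push may fail */
    intptr_t vals[2] = { 7, 9 };
    if (!push_args(&st, &mark, vals, 2))
        return -1;
    int wrong = pop_args(&st, &mark);    /* address of the local: rejected */
    int right = pop_args(&st, mark);     /* value written by push: accepted */
    return (wrong == -1 && right == 0 && st.top == 0) ? 0 : 1;
}

int main(void) { return demo(); }
```

Because the compiler accepts either form at the pop call site, the mismatch has to be caught by checking each call against the prototype, which is the verification step the closing comment describes.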