334290 - nsJSEventListener::HandleEvent inconsistently uses &stackPtr/stackPtr for JS_(Push|Pop)Arguments

Status: RESOLVED INVALID

(Core :: DOM: Core & HTML, defect)

Description

[timeless]

i'm filing this is as a security bug because i'm not sure if content code could coerce us to take this path.

i don't think anything bad will happen if we do happen to use it uninitialized, but i don't want to think about it either.

Comment 1

[timeless]

Attachment: pass pointer to pop

Comment 2

[Johnny Stenback (:jst)]

Comment on attachment 218628 [details] [diff] [review]
pass pointer to pop

r+sr=jst

Comment 3

[timeless]

Comment on attachment 218628 [details] [diff] [review]
pass pointer to pop

mozilla/dom/src/events/nsJSEventListener.cpp 	1.52

Comment 4

[timeless]

Comment on attachment 218628 [details] [diff] [review]
pass pointer to pop

this is wrong. i think the prototype is bad.

Comment 5

[timeless]

invalid. coverity took a path that doesn't make sense and i failed (again i believe!) to verify that the api really isn't this inconsistent, because had i checked, i'd have seen that it really is. the push uses an extra pointer so that it can out the value, and the pop doesn't need that extra pointer, so it doesn't use it. the result is ime lame experience as a terrible coder, that i screw this up fairly often and wish that the api had not been written this way.

i'm very very very very sorry that i ever touch this api and wish i could make myself never see it again :(.

i'd also almost like to make this bug permanently invisible if people don't mind, because i'm so embarassed by it. :(

note that i fully expect everyone in the world to read this comment, such is the life of a public bugzilla.