Closed Bug 334290 Opened 14 years ago Closed 14 years ago

nsJSEventListener::HandleEvent inconsistently uses &stackPtr/stackPtr for JS_(Push|Pop)Arguments

Categories

(Core :: DOM: Core & HTML, defect, critical)

Platform: x86 Linux
Priority: Not set

Tracking


RESOLVED INVALID

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, crash)

Attachments

(1 obsolete file)

I'm filing this as a security bug because I'm not sure if content code could coerce us to take this path.

I don't think anything bad will happen if we do happen to use it uninitialized, but I don't want to think about it either.
Attached patch pass pointer to pop (obsolete) — Splinter Review
Attachment #218628 - Flags: superreview?(jst)
Attachment #218628 - Flags: review?(jst)
Comment on attachment 218628: pass pointer to pop

r+sr=jst
Attachment #218628 - Flags: superreview?(jst)
Attachment #218628 - Flags: superreview+
Attachment #218628 - Flags: review?(jst)
Attachment #218628 - Flags: review+
Comment on attachment 218628: pass pointer to pop

mozilla/dom/src/events/nsJSEventListener.cpp 1.52
Attachment #218628 - Flags: approval1.8.0.5?
Attachment #218628 - Flags: approval-branch-1.8.1?(jst)
Comment on attachment 218628: pass pointer to pop

This is wrong. I think the prototype is bad.
Attachment #218628 - Attachment is obsolete: true
Attachment #218628 - Flags: superreview+
Attachment #218628 - Flags: review-
Attachment #218628 - Flags: review+
Attachment #218628 - Flags: approval1.8.0.5?
Attachment #218628 - Flags: approval-branch-1.8.1?(jst)
Invalid. Coverity took a path that doesn't make sense and I failed (again, I believe!) to verify that the API really isn't this inconsistent, because had I checked, I'd have seen that it really is. The push uses an extra pointer so that it can out the value, and the pop doesn't need that extra pointer, so it doesn't use it. The result is, IME, a lame experience as a terrible coder, in that I screw this up fairly often and wish that the API had not been written this way.

I'm very very very very sorry that I ever touch this API and wish I could make myself never see it again :(.

I'd also almost like to make this bug permanently invisible if people don't mind, because I'm so embarrassed by it. :(

Note that I fully expect everyone in the world to read this comment; such is the life of a public Bugzilla.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Group: security
Component: DOM → DOM: Core & HTML
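The push/pop asymmetry described in the closing comment is easy to get wrong precisely because both calls take untyped pointers. The C program below is an added illustration written for this page; it is not SpiderMonkey or Mozilla code. It reimplements a toy mark-based argument stack with the same parameter shape as JS_PushArguments (the mark is an out-parameter, so the caller passes &mark) and JS_PopArguments (the mark is passed by value), and shows that the mis-paired pop(&mark) call, which is what the obsoleted patch would have introduced, compiles silently and is caught only by a run-time range check. All names here (toy_ctx, toy_val, push_args, pop_args, correct_usage, wrong_usage) are invented for the example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a JSContext with a fixed-size value stack.  Written
 * for this page as an illustration; it is not SpiderMonkey's JSContext. */
#define STACK_SLOTS 64
typedef long toy_val;                       /* stand-in for jsval */
typedef struct {
    toy_val  slots[STACK_SLOTS];
    toy_val *sp;                            /* next free slot */
} toy_ctx;

static void ctx_init(toy_ctx *cx) {
    memset(cx->slots, 0, sizeof cx->slots);
    cx->sp = cx->slots;
}

static ptrdiff_t depth(const toy_ctx *cx) { return cx->sp - cx->slots; }

/* Same parameter shape as JS_PushArguments(cx, void **markp, fmt, ...):
 * the mark is an OUT parameter, so the caller passes &mark.
 * Returns the base of the pushed argument vector, or NULL on overflow. */
static toy_val *push_args(toy_ctx *cx, void **markp, int argc, ...) {
    if (!markp || argc < 0 || argc > STACK_SLOTS - depth(cx))
        return NULL;
    toy_val *argv = cx->sp;
    *markp = argv;                          /* remember the old top */
    va_list ap;
    va_start(ap, argc);
    for (int i = 0; i < argc; i++)
        argv[i] = va_arg(ap, toy_val);
    va_end(ap);
    cx->sp += argc;
    return argv;
}

/* Same parameter shape as JS_PopArguments(cx, void *mark): the mark is
 * an IN parameter, so the caller passes mark, not &mark.  Because the
 * parameter is void*, a void** argument (&mark) still compiles; only the
 * range check below catches it, at run time.  Returns 0 on success. */
static int pop_args(toy_ctx *cx, void *mark) {
    uintptr_t m  = (uintptr_t)mark;
    uintptr_t lo = (uintptr_t)cx->slots;
    uintptr_t hi = (uintptr_t)cx->sp;
    if (m < lo || m > hi || (m - lo) % sizeof(toy_val) != 0)
        return -1;                          /* not a mark from this stack */
    cx->sp = (toy_val *)mark;
    return 0;
}

/* Correct pairing: &mark on push, mark on pop.  Returns the stack depth
 * after the pop, which should be back to 0. */
static ptrdiff_t correct_usage(void) {
    toy_ctx cx;
    void *mark;
    ctx_init(&cx);
    toy_val *argv = push_args(&cx, &mark, 2, (toy_val)7, (toy_val)9);
    if (!argv || argv[0] != 7 || argv[1] != 9 || depth(&cx) != 2)
        return -1;
    if (pop_args(&cx, mark) != 0)
        return -2;
    return depth(&cx);
}

/* The pairing the obsoleted patch would have introduced: &mark on pop.
 * It compiles, but the address of a local is not a mark into cx.slots,
 * so pop_args rejects it and the pushed slot is never released.
 * Returns the depth left on the stack (expected 1), or a negative code. */
static ptrdiff_t wrong_usage(void) {
    toy_ctx cx;
    void *mark;
    ctx_init(&cx);
    if (!push_args(&cx, &mark, 1, (toy_val)42))
        return -1;
    if (pop_args(&cx, &mark) == 0)          /* wrong: void** where void* is meant */
        return -2;
    return depth(&cx);
}

int main(void) {
    printf("correct pairing: depth after pop = %ld\n", (long)correct_usage());
    printf("mis-paired pop:  depth left on stack = %ld\n", (long)wrong_usage());
    return 0;
}
```

The real API offers no such range check; with an untyped mark the compiler accepts either spelling, which is why the correct pairing has to be verified by reading the prototype rather than trusting that it compiles.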