Closed
Bug 360866
Opened 19 years ago
Closed 19 years ago
ASSERTION: Calling SetPropertyAsSupports on a frame. Prepare to crash and be exploited any time some random website decides to exploit you: '!frame', file nsBoxObject.cpp, line 372
Categories
(Firefox :: General, defect)
RESOLVED
WORKSFORME
People
(Reporter: MatsPalmgren_bugz, Unassigned)
Details
(Keywords: assertion)
Attachments
(1 file) 7.15 KB, text/plain
STEPS TO REPRODUCE
1. start a Firefox trunk debug build (a few hours old) on MacOSX
2. quit (Cmd+Q)
ACTUAL RESULT
###!!! ASSERTION: Calling SetPropertyAsSupports on a frame. Prepare to crash and be exploited any time some random website decides to exploit you: '!frame', file nsBoxObject.cpp, line 372
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/xul/base/src/nsBoxObject.cpp&rev=1.65&mark=369-372#361
The assertion does not occur in a Camino debug build on the same box.
Comment 1 (Reporter) • 19 years ago
Comment 2 • 19 years ago
What's the JavaScript stack there? That is, which exact script is running (which exact binding destructor)?
Comment 3 (Reporter) • 19 years ago
I'll let you know if you teach me how to find out such things...
Comment 4 • 19 years ago
To get the JS stack, make sure the xpconnect library is loaded, then, do:
call DumpJSStack()
in gdb.
That should tell us what we want. If it doesn't work for some reason, then in frame #11 of your stack you could look up the mBindingURI of that binding... That might be a start.
Comment 5 (Reporter) • 19 years ago
(gdb) call DumpJSStack()
0 [native frame]
1 () ["chrome://global/content/bindings/textbox.xml":126]
this = [object XULElement @ 0x2f248a10 (native @ 0x2f23df40)]
2 [native frame]
Comment 6 (Reporter) • 19 years ago
Comment 7 • 19 years ago
Wait. Is this trunk from today? If so, this looks like bug 360836 -- CallQI not nulling out the out param. Update nsISupportsImpl.cpp?
That said, I just realized that this code leaks in debug builds if aValue is an honest refcounted object... :(
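The two problems named in comment 7 (a CallQueryInterface that does not null out its out parameter on failure, and a debug-only check that AddRefs but never Releases) can be seen in a small model. The following is an added example, not Mozilla code: the types Supports, PlainObject, Frame and the wrappers callQIBuggy/callQIFixed are illustrative stand-ins for nsISupports, nsIFrame and CallQueryInterface, and the "garbage" value handed to the check is a constructed stand-in for whatever was left on the stack in the uninitialised pointer slot.

```cpp
// Added example (not Mozilla code): a minimal model of a QI wrapper whose
// failure path leaves the out param untouched, beside one that always defines
// it, plus the debug-only refcount leak noted in comment 7.
#include <cstdint>

using nsresult = std::uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_NOINTERFACE = 0x80004002;

constexpr int IID_SUPPORTS = 1;
constexpr int IID_FRAME = 2;

// Toy refcounted base. Release() does not delete so the count stays inspectable.
struct Supports {
    int refcnt = 1;  // one reference held by whoever created the object
    virtual ~Supports() = default;
    virtual nsresult QueryInterface(int iid, void** out) = 0;
    void AddRef() { ++refcnt; }
    void Release() { --refcnt; }
};

// Something that is not a frame: QI for IID_FRAME fails and, like many real
// implementations, does not write to *out on the failure path.
struct PlainObject : Supports {
    nsresult QueryInterface(int iid, void** out) override {
        if (iid == IID_SUPPORTS) { AddRef(); *out = this; return NS_OK; }
        return NS_NOINTERFACE;
    }
};

// A frame: QI for IID_FRAME succeeds and AddRefs (the caller owns a reference).
struct Frame : Supports {
    nsresult QueryInterface(int iid, void** out) override {
        if (iid == IID_SUPPORTS || iid == IID_FRAME) { AddRef(); *out = this; return NS_OK; }
        return NS_NOINTERFACE;
    }
};

// Buggy wrapper: on failure *dest keeps whatever value it had before the call.
nsresult callQIBuggy(Supports* src, Frame** dest) {
    return src->QueryInterface(IID_FRAME, reinterpret_cast<void**>(dest));
}

// Fixed wrapper: the out param is defined on every path, success or failure.
nsresult callQIFixed(Supports* src, Frame** dest) {
    *dest = nullptr;
    return src->QueryInterface(IID_FRAME, reinterpret_cast<void**>(dest));
}

// Models a debug check of the form NS_ASSERTION(!frame, ...) after a QI into an
// uninitialised `frame`. `garbage` is a constructed stand-in for stack residue.
// Returns true if the assertion would fire.
bool debugCheckWouldAssert(Supports* value, bool useFixedWrapper, std::uintptr_t garbage) {
    Frame* frame = reinterpret_cast<Frame*>(garbage);  // uninitialised in the real code
    if (useFixedWrapper) callQIFixed(value, &frame);
    else                 callQIBuggy(value, &frame);
    return frame != nullptr;
}

// The leak from comment 7: when the value really is a refcounted frame, the
// successful QI AddRefs and a check that only inspects the pointer never
// Releases it. Returns the object's refcount after the check.
int refcountAfterDebugCheck(Supports* value, bool releaseOnSuccess) {
    Frame* frame = nullptr;
    if (callQIFixed(value, &frame) == NS_OK && frame != nullptr && releaseOnSuccess) {
        frame->Release();  // balance the AddRef the successful QI performed
    }
    return value->refcnt;
}
```

With the buggy wrapper, a non-frame object trips the assertion purely because the stale pointer is non-null, which is the false positive reported here; with the fixed wrapper the same object passes and a real frame is still caught. The refcount helper shows that a check which may succeed has to Release (or hold the result in a smart pointer) or it leaks one reference per call in debug builds.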
Comment 8 (Reporter) • 19 years ago
This build is from today, just before bug 360836:
# cvs stat xpcom/glue/nsISupportsImpl.cpp
===================================================================
File: nsISupportsImpl.cpp Status: Needs Patch
Working revision: 3.1
Repository revision: 3.2 /cvsroot/mozilla/xpcom/glue/nsISupportsImpl.cpp,v
Sticky Tag: (none)
Sticky Date: (none)
Sticky Options: (none)
I will update and rebuild...
Comment 9 (Reporter) • 19 years ago
Updating nsISupportsImpl.cpp fixed it.
I filed bug 360873 on the potential leak.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Comment 10 • 19 years ago
is this bug security sensitive?
Comment 11 (Reporter) • 19 years ago
I don't think so. It was trunk-only and it was fixed by bug 360836.
Group: security