Closed
Bug 373072
Opened 18 years ago
Closed 18 years ago
XML.prototype.namespace() does not check for xml list
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
People
(Reporter: igor, Assigned: igor)
References
Details
(Keywords: crash, verified1.8.0.12, verified1.8.1.4)
Attachments
(1 file)
|
836 bytes,
patch
|
brendan
:
review+
dveditz
:
approval1.8.1.4+
dveditz
:
approval1.8.0.12+
|
Details | Diff | Splinter Review |
xml_namespcae() from jsxml.c implementing XML.prototype.namespace() assumes that this obj can not be XMLList leading to NULL dereference in GetNamespace as the following js shell session demonstrates:
js> XML.prototype.function::namespace.call(new XMLList());
XML.prototype.function::namespace.call(new XMLList());
Segmentation fault
Flags: blocking1.8.1.3?
Flags: blocking1.8.0.11?
|
Assignee | |
Comment 1•18 years ago
|
||
This is a minimal fix that just makes sure that the code does not crash with xml-list argument and instead returns something. A fix with proper logic would be done in bug 373082.
Attachment #257754 -
Flags: review?(brendan)
|
|
Assignee | |
Updated•18 years ago
|
Attachment #257754 -
Flags: approval1.8.1.3?
Attachment #257754 -
Flags: approval1.8.0.11?
|
||
Comment 2•18 years ago
|
||
Comment on attachment 257754 [details] [diff] [review]
Minimal fix v1
Yeah, that's what I meant to write -- at some point I ordered xml_class values such that JSXML_HAS_NAME worked, but I must have missed this open-coded test.
Thanks for fixing,
/be
Attachment #257754 -
Flags: review?(brendan) → review+
|
|
Assignee | |
Comment 3•18 years ago
|
||
I committed the patch from comment 1 to the trunk:
Checking in jsxml.c;
/cvsroot/mozilla/js/src/jsxml.c,v <-- jsxml.c
new revision: 3.145; previous revision: 3.144
done
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
||
Comment 4•18 years ago
|
||
Too late for 1.8.1.3/1.8.0.11 for this type of fix, moving nom out to 1.8.1.4/1.8.0.12
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.3?
Flags: blocking1.8.1.3-
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.11?
Flags: blocking1.8.0.11-
|
||
Updated•18 years ago
|
Attachment #257754 -
Flags: approval1.8.1.4?
Attachment #257754 -
Flags: approval1.8.1.3?
Attachment #257754 -
Flags: approval1.8.0.12?
Attachment #257754 -
Flags: approval1.8.0.11?
|
|
||
Updated•18 years ago
|
Severity: normal → critical
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Keywords: crash
|
|
||
Comment 5•18 years ago
|
||
Comment on attachment 257754 [details] [diff] [review]
Minimal fix v1
approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #257754 -
Flags: approval1.8.1.4?
Attachment #257754 -
Flags: approval1.8.1.4+
Attachment #257754 -
Flags: approval1.8.0.12?
Attachment #257754 -
Flags: approval1.8.0.12+
|
||
Comment 6•18 years ago
|
||
/cvsroot/mozilla/js/tests/e4x/XMLList/regress-373072.js,v <-- regress-373072.js
initial revision: 1.1
Flags: in-testsuite+
|
|
Assignee | |
Comment 8•18 years ago
|
||
I committed the patch from comment 1 to MOZILLA_1_8_BRANCH:
Checking in jsxml.c;
/cvsroot/mozilla/js/src/jsxml.c,v <-- jsxml.c
new revision: 3.50.2.61; previous revision: 3.50.2.60
done
Keywords: fixed1.8.1.4
|
|
Assignee | |
Comment 9•18 years ago
|
||
I committed the patch from comment 1 to MOZILLA_1_8_0_BRANCH:
Checking in jsxml.c;
/cvsroot/mozilla/js/src/jsxml.c,v <-- jsxml.c
new revision: 3.50.2.15.2.31; previous revision: 3.50.2.15.2.30
done
Keywords: fixed1.8.0.12
|
|
||
Comment 10•18 years ago
|
||
update test to reflect new error message from bug 373082.
/cvsroot/mozilla/js/tests/e4x/XMLList/regress-373072.js,v <-- regress-373072.js
new revision: 1.2; previous revision: 1.1
verified fixed (no crash) 1.8.0, 1.8.1 linux, windows, mac shell 20070406
You need to log in
before you can comment on or make changes to this bug.
Description
•