Closed Bug 376976 Opened 18 years ago Closed 18 years ago

Crash [@ nsGlobalHistory::IsURLInHistory] null pointer dereference

Categories

(Core Graveyard :: History: Global, defect)

Product:
Core Graveyard
Component:
History: Global
Type:
defect
Priority:
Not set
Severity:
trivial

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.9beta2

People

(Reporter: Mook, Assigned: Mook)

References

(
URL
)

Details

(Keywords: fixed-seamonkey1.1.8, fixed1.8.1.12)

Attachments

(2 files)

null check before calling (trivial one line patch)
1.23 KB, patch
neil
: review+
Biesinger
: superreview+
Details | Diff | Splinter Review
toolkit version
1.08 KB, patch
neil
: review+
Biesinger
: superreview+
dveditz
: approval1.8.1.12+
damons
: approval1.9+
Details | Diff | Splinter Review
(see URL) If somebody passing a nsIRDFNode that is not a nsIRDFResource to nsGlobalHistory::GetSource, QI fails and null is passed to IsURLInHistory leading to null pointer dereference. This was actually found via poking the Firefox 2.0.0.x history (in #extdev), but I'm assuming nobody would want to review non-Places history backend there. So I checked the suite version manually - note though, I haven't actually attempted to reproduce this. -- Code used to trigger: (from johnm on IRC) var RDF = Components.classes["@mozilla.org/rdf/rdf-service;1"] .getService(Components.interfaces.nsIRDFService); var HDS = RDF.GetDataSource("rdf:history"); var urlArc = RDF.GetResource("http://home.netscape.com/NC-rdf#URL"); /* note that urltomatch should have been a resource, not a literal */ var urltomatch = RDF.GetLiteral("http://www.google.com"); /* crashes on the next line */ var subject = HDS.GetSource(urlArc, urltomatch, true); Will attach patch, but I haven't actually tried to reproduce on suite yet... :) Hmm, should I check in the caller, or callee? All other callers do the check...
Attachment #261093 - Flags: superreview?(cbiesinger)
Attachment #261093 - Flags: review?(neil)
Summary: [crash] @ nsGlobalHistory::IsURLInHistory null pointer dereference → Crash [@ nsGlobalHistory::IsURLInHistory] null pointer dereference
Attachment #261093 - Flags: superreview?(cbiesinger) → superreview+
Comment on attachment 261093 [details] [diff] [review] null check before calling (trivial one line patch) Sorry for the delay, the bugmail for this request must have got lost.
Attachment #261093 - Flags: review?(neil) → review+
Patch has r/sr, apparently Seamonkey-only doesn't need a+ yet. (This is in xpfe, and besides Firefox is using Places)
Keywords: checkin-needed
Assignee: nobody → mook.moz+mozbz
Uh, what about mailnews? Doesn't it use nsGlobalHistory still? Until toolkit/components/history/src/nsGlobalHistory.cpp is cvs removed for non-use, I think you should patch it, too.
Note that branch still takes crash fixes, too, so you could probably get it on 1.8 branch as a stability fix.
(In reply to comment #3) > Uh, what about mailnews? Doesn't it use nsGlobalHistory still? Ignore this... however, the issue still stands. Let's fix toolkit, too.
Attached patch toolkit versionSplinter Review
Fix toolkit's version, too. This will be for branch, too.
Attachment #290353 - Flags: superreview?(cbiesinger)
Attachment #290353 - Flags: review?(neil)
Checking in xpfe/components/history/src/nsGlobalHistory.cpp; /cvsroot/mozilla/xpfe/components/history/src/nsGlobalHistory.cpp,v <-- nsGlobalHistory.cpp new revision: 1.229; previous revision: 1.228 done
Keywords: checkin-needed
OS: Windows XP → All
Hardware: PC → All
Attachment #290353 - Flags: review?(neil) → review+
Attachment #290353 - Flags: superreview?(cbiesinger) → superreview+
Comment on attachment 290353 [details] [diff] [review] toolkit version Simple patch to fix null pointer dereference.
Attachment #290353 - Flags: approval1.9?
Attachment #290353 - Flags: approval1.8.1.12?
Attachment #290353 - Flags: approval1.9? → approval1.9+
Keywords: checkin-needed
Checking in toolkit/components/history/src/nsGlobalHistory.cpp; /cvsroot/mozilla/toolkit/components/history/src/nsGlobalHistory.cpp,v <-- nsGlobalHistory.cpp new revision: 1.86; previous revision: 1.85 done
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M10
Comment on attachment 290353 [details] [diff] [review] toolkit version approved for 1.8.1.12, a=dveditz for release-drivers Won't SeaMonkey want the xpfe version on the branch?
Attachment #290353 - Flags: approval1.8.1.12? → approval1.8.1.12+
Keywords: checkin-needed
KaiRo / CTho: I can't request approval for the seamonkey branch directly on this patch. Can I get a verbal approval?
I'm not on the council any more.
Checking in toolkit/components/history/src/nsGlobalHistory.cpp; /cvsroot/mozilla/toolkit/components/history/src/nsGlobalHistory.cpp,v <-- nsGlobalHistory.cpp new revision: 1.58.2.9; previous revision: 1.58.2.8 done
Keywords: checkin-neededfixed1.8.1.12
Comment on attachment 261093 [details] [diff] [review] null check before calling (trivial one line patch) a=me for SeaMonkey 1.1.8
Checking in xpfe/components/history/src/nsGlobalHistory.cpp; /cvsroot/mozilla/xpfe/components/history/src/nsGlobalHistory.cpp,v <-- nsGlobalHistory.cpp new revision: 1.211.2.4; previous revision: 1.211.2.3 done
Keywords: fixed-seamonkey1.1.8
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: