Closed Bug 384870 Opened 18 years ago Closed 17 years ago

Raw nsIContent* used in nsXBLAttributeEntry

Tracking

()

Status:

RESOLVED INVALID

People

(Reporter: smaug, Assigned: sicking)

Details

(Whiteboard: [sg:investigate] no known vuln but asking for trouble)

Olli Pettay [:smaug][bugs@pettay.fi]

Reporter

Description

•

18 years ago

nsXBLAttributeEntry has a raw pointer to nsIContent. That might cause crashes if nsIContent gets deleted. I don't have a testcase yet.

Daniel Veditz [:dveditz]

Updated

•

18 years ago

Assignee: nobody → jonas

Whiteboard: [sg:investigate] no known vuln but asking for trouble

Olli Pettay [:smaug][bugs@pettay.fi]

Reporter

Comment 1

•

17 years ago

Martijn made some testcases to try to crash and because there weren't any crashes, I looked at the code and realized that nsXBLAttributeEntry has pointers only to the xbl document's nsIContent objects, and that document is loaded as data and not accessible from the main (bound element's ownerDoc) document, so scripts can't modify it. (This applies also to inline xbl.) So as far as I see, this bug is invalid.

Status: NEW → RESOLVED

Closed: 17 years ago

Resolution: --- → INVALID

Olli Pettay [:smaug][bugs@pettay.fi]

Reporter

Comment 2

•

17 years ago

Or wontfix. whatever :)

Daniel Veditz [:dveditz]

Updated

•

17 years ago

Group: security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Raw nsIContent* used in nsXBLAttributeEntry

Categories

(Core :: XBL, defect)

Tracking

()

People

(Reporter: smaug, Assigned: sicking)

References

Details

(Whiteboard: [sg:investigate] no known vuln but asking for trouble)

Crash Data

Security

(public)

User Story

Description

Updated

Comment 1

Comment 2

Updated