Closed Bug 39693 Opened 24 years ago Closed 24 years ago

Setting menulist.selectedItem to an integer crashes

Categories

(Core :: XUL, defect, P3)

Product:
Core
Component:
XUL
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: sfraser_bugs, Assigned: jst)

Details

(Keywords: crash, Whiteboard: security hole [nsbeta2+][HAVE FIX])

Attachments

(1 file)

Propesed fix
1.33 KB, patch
Details | Diff | Splinter Review 
This JS crashes in nsXULMenuListElement::SetSelectedItem(), because I'm 
mistakenly setting the selected item to an integer, not a DOM element.

    var menuPopup = document.getElementById("ParagraphPopup");
    var menuItems = menuPopup.childNodes;
    for (i=0; i < menuItems.length; i++)
    {
      var menuItem = menuItems.item(i);
      if (menuItem.data == state)
      {
        menuList.selectedItem = i;			// BOOM!
        break;
      }
    }
  }
Wow. The DOM glue lets integers through as pointers? That seems bad. brendan, 
jst: comments?
cc'ing mstoltz as this would be a pretty significant security hole...
kicking to jst, who owns the DOM glue. Mark nsbeta2 and note security hole in 
status. add vidur to cc list.
Assignee: waterson → jst
Keywords: nsbeta2
Whiteboard: security hole
Severity: normal → critical
The problem is in IDLC, the code it generates looks something like this:

          nsIDOMElement* prop;
          if (PR_FALSE == nsJSUtils::nsConvertJSValToObject(...)) {
            rv = NS_ERROR_DOM_NOT_OBJECT_ERR;
          }
      
          rv = a->SetSelectedItem(prop);
          NS_IF_RELEASE(prop);

It does realize that the value it gets is not an object, and it sets rv to
NS_ERROR_DOM_NOT_OBJECT_ERR, but it still gladly contiunes on and calls
a->SetSelectedIndex()! Fantastic!

I have a patch that fixes the immediate problems found here and also some other
similar cases that were obvious from looking at the IDLC source. The patch adds
a "break;" after setting the return value, I haven't done any serious tests
with the patch but from looking at the generated code it does the right thing.
Status: NEW → ASSIGNED
OS: Mac System 8.5 → All
Attached patch Propesed fixSplinter Review 

    
    

    
  
If someone would care to review the attached patch, and if this bug would be
marked nsbeta2+ I could regenerate all the glue code in mozilla and check that
in along with this (after some more testing). (or should I regenerate all the
gluecode and attach a diff for all the gluecode for review?)


    
    

    
  
I would've put the other code in an "else" block rather than using a "break", 
but otherwise, this seems like the right thing to do.

    
    

    
  
Adding crash keyword
Keywords: crash

    
    

    
  
This is needed for beta2, given the crash and security issue; giving PDT 
approval.
Whiteboard: security hole → security hole [nsbeta2+]

    
  
Whiteboard: security hole [nsbeta2+] → security hole [nsbeta2+][HAVE FIX]

    
    

    
  
This is now fixed, IDLC is updated and all the gluecode is regenerated and
checked in.

Marking FIXED.

Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED

    
    

    
  
verified fixed mac/linux/win32 20000531nn comm. builds -- dom glue now bails 
out when passed an int for an object.
Status: RESOLVED → VERIFIED

    
  
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: jrgmorrison → xptoolkit.widgets

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: