Closed Bug 43351 Opened 24 years ago Closed 24 years ago

Potential null ptr deref in nsNativeComponentLoader.cpp

Categories

(Core :: XPCOM, defect, P3)

Product:
Core
Component:
XPCOM
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: madams, Assigned: rayw)

References

Details

(Whiteboard: [nsbeta3+]) 

If the Unload() function of nsNativeComponentLoader is called when Init() hasn't
been (eg, if startup fails for some reason), this will crash due to mDllStore
being NULL.

Patch:
----------------------------------------
Index: nsNativeComponentLoader.cpp
===================================================================
RCS file: /cvsroot/mozilla/xpcom/components/nsNativeComponentLoader.cpp,v
retrieving revision 1.45
diff -u -r1.45 nsNativeComponentLoader.cpp
--- nsNativeComponentLoader.cpp 2000/06/03 09:45:55     1.45
+++ nsNativeComponentLoader.cpp 2000/06/21 20:25:04
@@ -982,7 +982,9 @@
     callData.when = aWhen;

     // Cycle through the dlls checking to see if they want to be unloaded
-    mDllStore->Enumerate(nsFreeLibraryEnum, &callData);
+    if( mDllStore ) {
+        mDllStore->Enumerate(nsFreeLibraryEnum, &callData);
+    }
     return NS_OK;
 }
Status: UNCONFIRMED → NEW
Ever confirmed: true
Please explain why it is proper to call Unload without calling Init, and why it 
would be bad for this to raise an exception.
This is hit if nsComponentManagerImpl::init() fails when called from
NS_InitXPCOM(). Here's the call sequence:

NS_InitXPCOM()
- compMgr = new nsComponentManagerImpl();
- rv = compMgr->Init();
- if (NS_FAILED(rv)) NS_RELEASE(compMgr);
  - nsComponentManagerImpl())::~nsComponentManagerImpl()
    - nsComponentManagerImpl()::Shutdown()
      - nsComponentManagerImpl()::UnloadLibraries()
        - nsNativeComponentLoader::UnloadAll()
          - crash since nsNativeComponentLoader() never had Init() called, which
is normally called at the end of nsComponentManagerImpl::PlatformInit() (through
nsComponentManager::Init()) if everything succeeds

This was exposed by checking the return value of
nsComponentManagerImpl()::PlatformInit(). However, it would have happened later
anyways, just not as obviously.

Thanks for the clarification that Unload was not being externally called, but 
only internally by the destructor.

I think this suggested change should be applied fairly soon.  It apparently does 
not prevent mozilla from executing correctly, but it creates a messy-looking 
crash in a case where it would have failed anyway.
is the crash that occurs when the component registry is not writeable.
Target Milestone: --- → M18
Status: NEW → ASSIGNED
Depends on: 46768
Keywords: nsbeta3, patch
Whiteboard: [nsbeta3+]
Applied the patch, exactly as given.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
please verify
Mark, please mark verified if all is well.  Fixed for you?
QA Contact: leger → madams
You need to log in before you can comment on or make changes to this bug.