Closed
Bug 482439
Opened 15 years ago
Closed 15 years ago
potential null-pointer dereference in nsDocument::ElementFromPointHelper
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla1.9.2a1
People
(Reporter: jfkthame, Assigned: jfkthame)
Details
Attachments
(1 file)
1.06 KB,
patch
|
smaug
:
review+
smaug
:
superreview+
|
Details | Diff | Splinter Review |
This function includes the fragment: while (ptContent && !ptContent->IsNodeOfType(nsINode::eELEMENT) || ptContent->IsInAnonymousSubtree()) { // XXXldb: Faster to jump to GetBindingParent if non-null? ptContent = ptContent->GetParent(); } (see http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsDocument.cpp#2674). This code is incorrect because && has higher precedence than ||, and therefore if ptContent ever becomes NULL during this loop, it will still attempt to call IsInAnonymousSubtree(). It seems clear that the intention was to check for non-NULL ptContent before calling either of the Is... methods. I don't have an actual test-case that encounters this situation; perhaps it cannot arise in actual practice. However, the fact that the code tests for non-NULL ptContent at all (both here, and before calling CallQueryInterface in the next couple of lines of code) implies that it is considered possible. Either these tests are completely redundant, or the while() code is unsafe. The attached patch fixes the unsafe test by simply adding parens around the || alternatives, providing the semantics that were presumably intended all along.
Attachment #366537 -
Flags: review?
Comment 1•15 years ago
|
||
Comment on attachment 366537 [details] [diff] [review] fix while() condition to avoid possible null-deref I guess you were going to ask review from someone.
Attachment #366537 -
Flags: superreview+
Attachment #366537 -
Flags: review?
Attachment #366537 -
Flags: review+
Assignee | ||
Comment 2•15 years ago
|
||
Uhhhh.... yeah! Thanks.
Comment 3•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/cf256da7436b
Status: NEW → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Whiteboard: [needs landing]
Target Milestone: --- → mozilla1.9.2a1
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•