Closed Bug 527207 Opened 15 years ago Closed 13 years ago

NPE in XMLObject::XMLObject - missing guard(s)

Categories

(Tamarin Graveyard :: Virtual Machine, defect, P2)

x86
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED
Q1 12 - Brannan

People

(Reporter: lhansen, Assigned: rulohani)

Details

(Whiteboard: has-patch, loose-end)

Attachments

(1 file)

Attaching message from Dave Horton below. Could look like the XMLObject::XMLObject code has several unguarded uses of a possibly-NULL 'p' value, depending a little on how the XML parser is supposed to work. There aren't any obvious preconditions on when this constructor is called.

----

On 11/6/09 2:37 AM, "Dave Horton" <beachdog@me.com> wrote:

Slight clarification... it actually segfaults a couple of lines below where I indicated, where it tries to call a method on the null pointer p... the last line below:

    if ( p != m_node && ! m_status )
    {
        Multiname m;
        p->getQName(core, &m);

On Nov 5, 2009, at 8:20 PM, Dave Horton wrote:

> I've noticed what seems to be a bug in the version of the
> constructor for XMLObject that takes a Stringp:
>
>     // This is considered the "toXML function"
>     XMLObject::XMLObject(XMLClass *type, Stringp str, Namespace *defaultNamespace)
>         : ScriptObject(type->ivtable(), type->prototype)
>
> If I pass a string containing only a single "empty" element then it
> segfaults on this line near the bottom of the method:
>
>     if ( p != m_node && ! m_status )
>
> For instance, if I feed it the string...
>
>     <child name="Joe"/>
>
> it will bomb out, because in the parser a single tag is returned,
> which is empty, and therefore the local var E4XNode* p is never
> updated.
>
> Am I misunderstanding how this function can be used? The example
> XML snippet above is valid XML and seems like it should be able to
> be parsed....
Werner, can you investigate this issue?
Assignee: nobody → wsharp
Status: NEW → ASSIGNED
Flags: flashplayer-qrb+
Priority: -- → P2
Target Milestone: --- → flash10.1
There are two places in Tamarin/Flash where we call this XMLObject constructor, and in both places we pass in a defaultNamespace value. If we don't pass in a value and a simple XML string, we would get into this code with a null "p" value. The simple fix would just be a check for a null 'p':

    if ( p && p != m_node && ! m_status )

This is not important for the 10.1 release.
Target Milestone: flash10.1 → flash10.2
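The failure mode described in the two comments above, as an added example that is not Tamarin's code: a stand-alone C++ model of the tail of XMLObject::XMLObject(Stringp) in which the local 'p' is only assigned when a start tag opens a child element, so a string that is a single empty element leaves it NULL and the unguarded condition dereferences it. The Node struct (standing in for E4XNode), the ParseEvent list (standing in for what the XML parser returns) and the toXml/singleEmptyElement/wrappedEmptyElement names are assumptions made so the example runs offline; the two conditions compared are the ones quoted in the bug.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Added example, not Tamarin code. "Node" stands in for E4XNode and the
// event list stands in for what the XML parser hands back; both are
// assumptions made so the example runs stand-alone.
struct Node {
    std::string name;
    explicit Node(const std::string& n) : name(n) {}
};

enum EventKind { kStartTag, kEndTag, kEmptyTag, kText };

struct ParseEvent {
    EventKind kind;
    std::string value;
};

enum Outcome {
    kOk,               // check ran (or did not apply) without touching a null p
    kGuardSkipped,     // guarded form: p was NULL, body skipped
    kNullDereference   // unguarded form: p->getQName() would run on NULL
};

// Models the walk at the end of XMLObject::XMLObject(Stringp). Assumption,
// per the report: the local 'p' only leaves NULL when a start tag opens a
// child element, so a string that is one empty element never assigns it.
static Outcome toXml(const std::vector<ParseEvent>& events, bool guarded) {
    Node root("root");
    Node* m_node = &root;        // the object's own node
    int m_status = 0;            // 0 == no parse error
    Node* p = nullptr;           // the possibly-null local

    std::vector<Node> children;
    children.reserve(events.size());   // keep pointers into it stable

    for (size_t i = 0; i < events.size(); ++i) {
        const ParseEvent& ev = events[i];
        switch (ev.kind) {
        case kStartTag:
            children.push_back(Node(ev.value));
            p = &children.back();
            break;
        case kEndTag:
            p = m_node;           // element closed, back at the root
            break;
        case kEmptyTag:           // <child name="Joe"/>: one tag, p untouched
        case kText:
            break;
        }
    }

    if (guarded) {
        // Patched condition: if ( p && p != m_node && ! m_status )
        if (p && p != m_node && !m_status) {
            (void)p->name;        // stands in for p->getQName(core, &m)
            return kOk;
        }
        return p ? kOk : kGuardSkipped;
    }

    // Original condition: if ( p != m_node && ! m_status )
    if (p != m_node && !m_status) {
        if (!p) return kNullDereference;   // where the report segfaults
        (void)p->name;
    }
    return kOk;
}

// Constructed inputs (not captured from Tamarin's parser).
static std::vector<ParseEvent> singleEmptyElement() {      // <child name="Joe"/>
    std::vector<ParseEvent> ev;
    ev.push_back(ParseEvent{kEmptyTag, "child"});
    return ev;
}

static std::vector<ParseEvent> wrappedEmptyElement() {     // <r><child/></r>
    std::vector<ParseEvent> ev;
    ev.push_back(ParseEvent{kStartTag, "r"});
    ev.push_back(ParseEvent{kEmptyTag, "child"});
    ev.push_back(ParseEvent{kEndTag, "r"});
    return ev;
}

int main() {
    bool crashed = toXml(singleEmptyElement(), false) == kNullDereference;
    bool safe    = toXml(singleEmptyElement(), true)  == kGuardSkipped;
    std::printf("unguarded: %s, guarded: %s\n",
                crashed ? "null dereference" : "ok", safe ? "skipped" : "ok");
    return (crashed && safe) ? 0 : 1;
}
```

The model only shows the one condition the patch touches; the first comment notes that the constructor has several unguarded uses of 'p', so anyone auditing the real code should check that the other uses are either reached only after 'p' is assigned or carry the same null check.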
Attached patch: null ptr check
Attachment #448567 - Flags: superreview?(edwsmith)
Attachment #448567 - Flags: review?(stejohns)
Attachment #448567 - Flags: review?(stejohns) → review+
Attachment #448567 - Flags: superreview?(edwsmith) → superreview+
Assignee: wsharp → nobody
Flags: flashplayer-bug+
Whiteboard: has-patch, must–fix-candidate
Whiteboard: has-patch, must–fix-candidate → has-patch, must-fix-candidate
Assigning to Steven for landing.
Assignee: nobody → stejohns
Flags: flashplayer-injection-
Target Milestone: Q3 11 - Serrano → Q4 11 - Anza
Ruchi, land this in TR in i9.
Assignee: stejohns → rulohani
Flags: flashplayer-needsversioning-
Whiteboard: has-patch, must-fix-candidate → has-patch, loose-end
Target Milestone: Q4 11 - Anza → Q1 12 - Brannan
This has already landed in TR as 4759:5c7c8ae01f34 by Werner.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED