Closed
Bug 620947
Opened 14 years ago
Closed 14 years ago
nsHTMLDocumentSH::DocumentAllGetProperty uses result and cache uninitialized if JSID_IS_INT(id) && JSID_TO_INT(id) < 0
Categories: Core :: DOM: Core & HTML, defect, P1
Tracking: Status RESOLVED FIXED; Target Milestone mozilla2.0b9
blocking2.0: final+
People
(Reporter: timeless, Assigned: bzbarsky)
References
(Blocks 1 open bug)
Details
(Keywords: coverity)
Attachments (1 file)
Attachment #499339: patch, 2.52 KB, jst: review+
8652 nsHTMLDocumentSH::DocumentAllGetProperty(JSContext *cx, JSObject *obj,
8653 jsid id, jsval *vp)
8654 {
8674 nsISupports *result;
* let JSID_IS_STRING(id) be false:
8678 if (JSID_IS_STRING(id)) {
8679 if (id == sLength_id) {
8686 return JS_FALSE;
8695 return JS_FALSE;
8700 return JS_TRUE;
8701 } else if (id != sTags_id) {
8706 result = doc->GetDocumentAllResult(str, &cache, &rv);
8713 }
8714 else {
8715 result = nsnull;
8716 }
* let JSID_IS_INT(id) be true
* let JSID_TO_INT(id) be < 0
8717 } else if (JSID_IS_INT(id) && JSID_TO_INT(id) >= 0) {
skip this:
8728 result = node;
8730 }
result is uninitialized:
8732 if (result) {
8733 rv = WrapNative(cx, JS_GetGlobalForScopeChain(cx), result, cache, PR_TRUE, vp);
Summary: nsHTMLDocumentSH::DocumentAllGetProperty uses result uninitialized if JSID_IS_INT(id) && JSID_TO_INT(id) < 0 → nsHTMLDocumentSH::DocumentAllGetProperty uses result and cache uninitialized if JSID_IS_INT(id) && JSID_TO_INT(id) < 0
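The control flow the reporter walks through above, as an added example that is not Mozilla's code and not the attached patch: a small model of DocumentAllGetProperty in which the two locals are initialized to null, so an integer jsid below zero (which matches neither the JSID_IS_STRING branch nor the JSID_TO_INT(id) >= 0 branch) reaches the final `if (result)` with a defined value instead of stack garbage. Jsid, Doc, Node, Cache, GetResult and SampleDoc are hypothetical stand-ins for the SpiderMonkey and DOM types; the shape of the index path is assumed, since the excerpt only shows `result = node;`.

```cpp
// Added example (not Mozilla code): a minimal model of the control flow in
// nsHTMLDocumentSH::DocumentAllGetProperty with the two locals initialized,
// so a negative integer jsid falls through to "nothing to wrap" instead of
// reading uninitialized stack memory.
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for a SpiderMonkey jsid: either a string or an int.
struct Jsid {
    bool isString;
    std::string str;
    int32_t num;
};
static Jsid StringId(const std::string& s) { return Jsid{true, s, 0}; }
static Jsid IntId(int32_t n) { return Jsid{false, std::string(), n}; }

// Stand-ins for the DOM node and the nsWrapperCache* the real getter wraps.
struct Node { std::string name; };
struct Cache { bool valid; };

// Hypothetical document: items reachable by index and by name via document.all.
struct Doc {
    std::vector<Node> items;
    std::map<std::string, Node> byName;
    Cache cache{true};

    // Name lookup, mirroring GetDocumentAllResult(str, &cache, &rv).
    Node* GetDocumentAllResult(const std::string& name, Cache** aCache) {
        auto it = byName.find(name);
        if (it == byName.end()) return nullptr;
        *aCache = &cache;
        return &it->second;
    }
};

// What the getter would hand to WrapNative, captured for inspection.
struct GetResult {
    bool handled;      // true if the getter produced a value
    const Node* node;  // object that would be wrapped, or null
    bool cacheSet;     // whether a wrapper cache was supplied alongside it
};

GetResult DocumentAllGetProperty(Doc& doc, const Jsid& id) {
    // The bug: these two were declared without initializers, so the
    // negative-int path below reached `if (result)` with stack garbage.
    const Node* result = nullptr;
    Cache* cache = nullptr;

    if (id.isString) {
        if (id.str == "length") {
            return GetResult{true, nullptr, false};  // real code returns a number here
        } else if (id.str != "tags") {
            result = doc.GetDocumentAllResult(id.str, &cache);
        } else {
            result = nullptr;  // document.all.tags is handled elsewhere
        }
    } else if (id.num >= 0) {
        // Index path (assumed shape; the page shows only `result = node;`).
        if (static_cast<size_t>(id.num) < doc.items.size()) {
            result = &doc.items[static_cast<size_t>(id.num)];
            cache = &doc.cache;
        }
    }
    // A negative int id ran neither branch: result is a well-defined null,
    // so we correctly report "no such property" rather than wrapping garbage.
    if (result) {
        return GetResult{true, result, cache != nullptr};
    }
    return GetResult{false, nullptr, false};
}

// Constructed sample document used by main() and by callers of the getter.
static Doc& SampleDoc() {
    static Doc doc = [] {
        Doc d;
        d.items.push_back(Node{"first"});
        d.byName["login"] = Node{"login"};
        return d;
    }();
    return doc;
}

int main() {
    // The case from the bug: JSID_IS_INT(id) && JSID_TO_INT(id) < 0.
    GetResult r = DocumentAllGetProperty(SampleDoc(), IntId(-1));
    return r.handled ? 1 : 0;  // exit 0: nothing was wrapped
}
```

The only change that matters relative to the excerpt is the two `= nullptr` initializers: with raw pointers every path that can skip both assignment branches has to leave the locals in a known state, which is exactly what an nsCOMPtr did for free on the branches. Running the model under a sanitizer (or MemorySanitizer on the uninitialized variant) is the quickest way to confirm the negative-id path no longer touches indeterminate memory.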
Comment 1 • 14 years ago (Assignee)
Attachment #499339 -
Flags: review?(jst)
Comment 2 • 14 years ago (Assignee)
I did verify that the mochitest asserts like crazy and then crashes without the patch.
This isn't a problem on branches, because |result| is an nsCOMPtr there. On trunk, this regressed with bug 564266.
Assignee: nobody → bzbarsky
Blocks: 564266
blocking2.0: --- → ?
Priority: -- → P1
Whiteboard: [need review]
Updated • 14 years ago
Attachment #499339 -
Flags: review?(jst) → review+
Updated • 14 years ago
blocking2.0: ? → final+
Updated • 14 years ago (Assignee)
Whiteboard: [need review] → [need landing]
Comment 3 • 14 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [need landing]
Target Milestone: --- → mozilla2.0b9
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 9 years ago
Group: core-security-release
Updated • 6 years ago
Blocks: coverity-analysis
Updated • 6 years ago
Component: DOM → DOM: Core & HTML