Bug 623441

JSCompartment::wrap missing oom check

RESOLVED FIXED

Get help with this page

Status

()

Product:

Component:

Type:

defect

Status:

RESOLVED FIXED

Opened:

9 years ago

Updated:

9 years ago

People

(Reporter: luke, Assigned: luke)

Tracking

Version:

unspecified

Target:

---

Points:

---

Blocks:

605290

Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 .x+)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment)

check for null in JSCompartment::wrap 9 years ago Luke Wagner [:luke] 2.19 KB, patch	gal : review+	Details \| Diff \| Splinter Review

Luke Wagner [:luke]

Assignee

Description

•

9 years ago

Namely:
 JetpackChild.cpp : ReportError
 Handle.h : GetParent, CreateHandle
 xpcconvert.cpp: NativeInterface2JSObject/CreateHolderIfNeeded
 xpccomponents.cpp : CallOrConstruct, GetGlobalForObject
 nsNPAPIPluggin.cpp: _evaluate
 ObjectWrapperParent.cpp : jsval_from_PObjectWrapperParent
 nsJSEnvironment.cpp : nsJSContext::SetProperty
 nsDOMClassInfo.cpp : nsWindowSH::GetProperty
 nsScriptableRegion.cpp : GetRects

dmandelin and I found these while investigating bug 605290: several of these flow into 'jsval' IDL outparams which would then explode in JSCompartment::wrap when it was called by GatherAndConvertOutparams in XPCNW::CallMethod fixing this will fix that bug.

Luke Wagner [:luke]

Assignee

Comment 1

•

9 years ago

Oh duh, I just remembered while putting Scott to sleep that

  JSVAL_IS_OBJECT === js::Value::isObjectOrNull
  OBJECT_TO_JSVAL === js::Value::setObjectOrNull

so all the above cases aren't actually bugs.  (For fatvals, I didn't want to change the semantics of these public API functions since that would effectively force embeddings (incl. mozilla) to do a whole-program data-flow analysis.)

So it looks like, for bug 605190, the princess is in another castle.

Status: ASSIGNED → RESOLVED

Closed: 9 years ago

Resolution: --- → INVALID

Luke Wagner [:luke]

Assignee

Updated

•

9 years ago

Status: RESOLVED → REOPENED

Resolution: INVALID → ---

Luke Wagner [:luke]

Assignee

Comment 2

•

9 years ago

Posted patch check for null in JSCompartment::wrap — Details — Splinter Review

Well, the bug isn't totally invalid; there is one pretty central site using the internal API which doesn't check for null.

Attachment #501760 - Flags: review?(gal)

Luke Wagner [:luke]

Assignee

Updated

•

9 years ago

Summary: there are a bunch of places NULL can flow into OBJECT_TO_JSVAL → JSCompartment::wrap missing oom check

David Mandelin [:dmandelin]

Updated

•

9 years ago

blocking2.0: --- → .x

Andreas Gal :gal

Updated

•

9 years ago

Attachment #501760 - Flags: review?(gal) → review+

Luke Wagner [:luke]

Assignee

Comment 3

•

9 years ago

http://hg.mozilla.org/tracemonkey/rev/8a1715b0aeae

Whiteboard: fixed-in-tracemonkey

Chris Leary [:cdleary] (not checking bugmail)

Comment 4

•

9 years ago

http://hg.mozilla.org/mozilla-central/rev/8a1715b0aeae

Status: REOPENED → RESOLVED

Closed: 9 years ago → 9 years ago

Resolution: --- → FIXED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

JSCompartment::wrap missing oom check

Status

()

People

(Reporter: luke, Assigned: luke)

Tracking

Firefox Tracking Flags

(blocking2.0 .x+)

Details

(Whiteboard: fixed-in-tracemonkey)

Security

(public)

User Story

Attachments

(1 attachment)

Description

Comment 1

Updated

Comment 2

Updated

Updated

Updated

Comment 3

Comment 4