Closed
Bug 627302
Opened 13 years ago
Closed 13 years ago
UMR [@ nsSVGMarkerElement::SetOrientToAngle] with InstallTrigger
Categories
(Core :: SVG, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: mrbkap)
References
Details
(Keywords: testcase, valgrind, Whiteboard: [sg:low] fixed-in-tracemonkey)
Attachments
(3 files, 1 obsolete file)
|
15.18 KB,
text/plain
|
Details | |
|
145 bytes,
text/html
|
Details | |
|
998 bytes,
patch
|
jst
:
review+
jst
:
approval2.0+
|
Details | Diff | Splinter Review |
document.createElementNS("http://www.w3.org/2000/svg", "marker")
.setOrientToAngle(InstallTrigger)
triggers a UMR in nsSVGMarkerElement::SetOrientToAngle.
I suspect this is XPConnect's fault for letting something that isn't (and doesn't even claim to be!?) an nsIDOMSVGAngle into nsSVGMarkerElement::SetOrientToAngle (cf bug 503926).
For comparison,
.setOrientToAngle({}) --> NS_ERROR_DOM_SVG_WRONG_TYPE_ERR
.setOrientToAngle(document) --> NS_ERROR_XPC_BAD_CONVERT_JS
.setOrientToAngle(InstallTrigger) --> goes through, causes trouble
|
Reporter | |
Comment 1•13 years ago
|
||
|
|
Reporter | |
Updated•13 years ago
|
Summary: UMR [@ nsSVGMarkerElement::SetOrientToAngle] → UMR [@ nsSVGMarkerElement::SetOrientToAngle] with InstallTrigger
|
|
Reporter | |
Comment 2•13 years ago
|
||
InstallTrigger isn't special because it's a chrome object. It's special because it has a list of exposed properties, causing other gets to throw (which becomes a non-NS_OK rv). Here's a saner testcase.
Attachment #505363 -
Attachment is obsolete: true
|
Assignee | |
Comment 3•13 years ago
|
||
The trick is that InstallTrigger throws when you try to access value on it. |{ get value() { throw 42 } }| would also cause the UMR.
The fix is to check the return value of GetValue() and not access the out parameter if we throw. Also note bug 543613 which would allow us to assume more about the implementation of the nsIDOMSVGAngle that's being passed in to us.Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Component: XPConnect → SVG
QA Contact: xpconnect → general
|
|
Assignee | |
Comment 4•13 years ago
|
||
Attachment #505606 -
Flags: review?
|
||
Updated•13 years ago
|
Attachment #505606 -
Flags: review? → review+
|
|
||
Comment 5•13 years ago
|
||
Opening this bug up as this is not a security bug, we're simply just using an uninitialized float as the value for the angle here, which can cause wrong rendering, but nothing worse than that.
Group: core-security
|
|
||
Comment 6•13 years ago
|
||
Comment on attachment 505606 [details] [diff] [review] Proposed fix And we might as well take this fix, there's really not much of a risk involved here, and we have a patch as a result of investigating the severity here...
Attachment #505606 -
Flags: approval2.0+
|
|
Reporter | |
Comment 7•13 years ago
|
||
I think the uninitialized value can make be seen by script, so it's potential information disclosure, slightly worse than just wrong rendering.
Whiteboard: [sg:low]
|
|
Assignee | |
Comment 8•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/68931522981d
Whiteboard: [sg:low] → [sg:low] fixed-in-tracemonkey
|
||
Comment 9•13 years ago
|
||
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/68931522981d
|
|
||
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•