Closed Bug 663922 Opened 13 years ago Closed 13 years ago

Unsafe uses of GetTransactionAtIndex in nsSHistory.cpp

Component: Core :: DOM: Navigation
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Reporter: jdm
Assignee: jdm
Attachments: 1 file

Many callers of GetTransactionAtIndex check the return value and null-ness of the outptr. Other callers don't do either. The latter ones cause crashes.

http://mxr.mozilla.org/mozilla-central/source/docshell/shistory/src/nsSHistory.cpp#888
888   GetTransactionAtIndex(0, getter_AddRefs(trans));
889 
890   // Walk the full session history and check that entries outside the window
891   // around aFromIndex have no content viewers
892   for (PRInt32 i = 0; i < mLength; ++i) {
893     if (i < aFromIndex - gHistoryMaxViewers || 
894         i > aFromIndex + gHistoryMaxViewers) {
895       nsCOMPtr<nsISHEntry> entry;
896       trans->GetSHEntry(getter_AddRefs(entry));
897       nsCOMPtr<nsIContentViewer> viewer;
898       nsCOMPtr<nsISHEntry> ownerEntry;
899       entry->GetAnyContentViewer(getter_AddRefs(ownerEntry),
900                                  getter_AddRefs(viewer));
901       NS_WARN_IF_FALSE(!viewer,
902                        "ContentViewer exists outside gHistoryMaxViewer range");
903     }
904 
905     nsISHTransaction *temp = trans;
906     temp->GetNext(getter_AddRefs(trans));
907   }

http://mxr.mozilla.org/mozilla-central/source/docshell/shistory/src/nsSHistory.cpp#1088
1088   GetTransactionAtIndex(startIndex, getter_AddRefs(trans));
1089 
1090   PRInt32 i;
1091   for (i = startIndex; i <= endIndex; ++i) {
1092     nsCOMPtr<nsISHEntry> entry;
1093     trans->GetSHEntry(getter_AddRefs(entry));
1094     if (entry == aEntry)
1095       break;
1096 
1097     nsISHTransaction *temp = trans;
1098     temp->GetNext(getter_AddRefs(trans));
1099   }
I think in each case we can add |&& trans| to the loop invariant.
Attachment #541123 - Flags: review?(Olli.Pettay)
Attachment #541123 - Flags: review?(Olli.Pettay) → review+
Keywords: checkin-needed
Assignee: nobody → josh
OS: Mac OS X → All
Hardware: x86 → All
Pushed to m-i: http://hg.mozilla.org/integration/mozilla-inbound/rev/49932c605933
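The failure mode comment #0 describes, and the `&& trans` guard it proposes, as an added stand-alone example (not code from this bug, the attached patch, or Mozilla). `Entry`, `Transaction` and `History` are constructed stand-ins for nsISHEntry, nsISHTransaction and nsSHistory; the only behaviour assumed from the report is that `GetTransactionAtIndex` leaves its out-pointer null when the index is out of range, so a loop that dereferences it without checking crashes. Both loops quoted above are modelled with the guard in the loop condition; the #888 check returns a count instead of only warning so the result can be asserted.

```cpp
#include <memory>
#include <vector>

// Constructed model of the session-history transaction list (not Mozilla code).
// A transaction owns one entry and links to the next transaction, which is what
// the original loops walk via nsISHTransaction::GetNext.
struct Entry {
    int id;
    bool hasContentViewer;
};

struct Transaction {
    Entry entry;
    const Transaction* next;
};

class History {
public:
    // Builds a singly linked list of transactions from the constructed entries.
    explicit History(const std::vector<Entry>& entries) {
        for (const Entry& e : entries) {
            mTransactions.push_back(std::make_unique<Transaction>(Transaction{e, nullptr}));
        }
        for (size_t i = 0; i + 1 < mTransactions.size(); ++i) {
            mTransactions[i]->next = mTransactions[i + 1].get();
        }
    }

    int Length() const { return static_cast<int>(mTransactions.size()); }

    // Assumed contract from comment #0: on an out-of-range index the call fails
    // and the out-pointer stays null. A caller that ignores both and
    // dereferences the out-pointer is the crash the bug is about.
    bool GetTransactionAtIndex(int aIndex, const Transaction** aResult) const {
        *aResult = nullptr;
        if (aIndex < 0 || aIndex >= Length()) {
            return false;
        }
        *aResult = mTransactions[aIndex].get();
        return true;
    }

    // The walk at nsSHistory.cpp#1088 with `&& trans` added to the loop
    // condition: searches [aStartIndex, aEndIndex] for aEntryId and stops as
    // soon as the pointer is null, whether the start index was out of range or
    // the end index ran past the end of the list. Returns the index or -1.
    int FindEntryIndex(int aEntryId, int aStartIndex, int aEndIndex) const {
        const Transaction* trans = nullptr;
        GetTransactionAtIndex(aStartIndex, &trans);
        for (int i = aStartIndex; i <= aEndIndex && trans; ++i) {
            if (trans->entry.id == aEntryId) {
                return i;
            }
            trans = trans->next;  // GetNext in the original
        }
        return -1;
    }

    // The check at nsSHistory.cpp#888 with the same guard: counts entries that
    // still hold a content viewer outside the aMaxViewers window around
    // aFromIndex. The original only emits NS_WARN_IF_FALSE for each one.
    int CountViewersOutsideWindow(int aFromIndex, int aMaxViewers) const {
        int outside = 0;
        const Transaction* trans = nullptr;
        GetTransactionAtIndex(0, &trans);  // null on an empty history
        for (int i = 0; i < Length() && trans; ++i) {
            bool outsideWindow = i < aFromIndex - aMaxViewers || i > aFromIndex + aMaxViewers;
            if (outsideWindow && trans->entry.hasContentViewer) {
                ++outside;
            }
            trans = trans->next;
        }
        return outside;
    }

private:
    std::vector<std::unique_ptr<Transaction>> mTransactions;
};

// Constructed sample: five entries, content viewers kept on the first and last.
History MakeSampleHistory() {
    return History({{1, true}, {2, false}, {3, false}, {4, false}, {5, true}});
}
```

With the guard in the loop condition, an out-of-range `aStartIndex` (the pointer is null before the first iteration) and an `aEndIndex` beyond the list (the pointer becomes null mid-walk) both end the loop instead of dereferencing null; checking the return value of `GetTransactionAtIndex` alone would only cover the first case.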

(In reply to comment #0)
> Many callers of GetTransactionAtIndex check the return value and null-ness
> of the outptr. Other callers don't do either. The latter ones cause crashes.

Can we add a crashtest for this?
Flags: in-testsuite?
Keywords: checkin-needed
Whiteboard: [inbound]
Version: unspecified → Trunk
It would be nice, but I don't believe it's known how this arises. Olli, any ideas?
This was merged a while ago, but apparently wasn't marked.

http://hg.mozilla.org/mozilla-central/rev/831fabb406a1
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [inbound]