Bug 663922 - Unsafe uses of GetTransactionAtIndex in nsSHistory.cpp
Status: Closed
Opened 13 years ago
Closed 13 years ago
Categories: Core :: DOM: Navigation, defect
Resolution: RESOLVED FIXED
People
(Reporter: jdm, Assigned: jdm)
Attachments (1 file)
patch, 1.83 KB, smaug: review+
Description • 13 years ago

Many callers of GetTransactionAtIndex check the return value and null-ness of the outptr. Other callers don't do either. The latter ones cause crashes.

http://mxr.mozilla.org/mozilla-central/source/docshell/shistory/src/nsSHistory.cpp#888

    GetTransactionAtIndex(0, getter_AddRefs(trans));

    // Walk the full session history and check that entries outside the window
    // around aFromIndex have no content viewers
    for (PRInt32 i = 0; i < mLength; ++i) {
      if (i < aFromIndex - gHistoryMaxViewers ||
          i > aFromIndex + gHistoryMaxViewers) {
        nsCOMPtr<nsISHEntry> entry;
        trans->GetSHEntry(getter_AddRefs(entry));
        nsCOMPtr<nsIContentViewer> viewer;
        nsCOMPtr<nsISHEntry> ownerEntry;
        entry->GetAnyContentViewer(getter_AddRefs(ownerEntry),
                                   getter_AddRefs(viewer));
        NS_WARN_IF_FALSE(!viewer,
                         "ContentViewer exists outside gHistoryMaxViewer range");
      }

      nsISHTransaction *temp = trans;
      temp->GetNext(getter_AddRefs(trans));
    }

http://mxr.mozilla.org/mozilla-central/source/docshell/shistory/src/nsSHistory.cpp#1088

    GetTransactionAtIndex(startIndex, getter_AddRefs(trans));

    PRInt32 i;
    for (i = startIndex; i <= endIndex; ++i) {
      nsCOMPtr<nsISHEntry> entry;
      trans->GetSHEntry(getter_AddRefs(entry));
      if (entry == aEntry)
        break;

      nsISHTransaction *temp = trans;
      temp->GetNext(getter_AddRefs(trans));
    }
Comment 1 • Assignee • 13 years ago
I think in each case we can add |&& trans| to the loop invariant.
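The following is an added example, not Mozilla code and not the attached patch: a minimal stand-in for nsSHistory's nsISHTransaction list, used to show why the second walk quoted in the description dereferences null and what adding `&& trans` to the loop condition, as comment 1 proposes, changes. The type and method names (SHistory, SHTransaction, GetTransactionAtIndex, GetSHEntry, GetNext, FindEntryUnchecked, FindEntryChecked, ProbeChecked) are assumptions chosen to mirror the Gecko ones, not the real interfaces.

```cpp
// Added example (not Mozilla code). Stand-in types mirror the Gecko names
// but are assumptions for illustration only.
#include <cassert>
#include <cstdio>
#include <memory>
#include <vector>

struct SHEntry {
    int id;
};

// Mirrors nsISHTransaction: one entry plus a link to the next transaction.
struct SHTransaction {
    SHEntry entry;
    SHTransaction* next = nullptr;
    // Out-pointer style, as with Gecko's XPCOM getters.
    void GetSHEntry(SHEntry** aEntry) { *aEntry = &entry; }
    void GetNext(SHTransaction** aNext) { *aNext = next; }
};

// Mirrors the part of nsSHistory the bug touches: GetTransactionAtIndex fails
// and leaves the out-pointer null when the index is out of range. That null is
// exactly what the unchecked callers go on to dereference.
class SHistory {
public:
    void Add(int id) {
        std::unique_ptr<SHTransaction> node(new SHTransaction());
        node->entry.id = id;
        if (!mNodes.empty()) mNodes.back()->next = node.get();
        mNodes.push_back(std::move(node));
    }
    int Length() const { return static_cast<int>(mNodes.size()); }
    bool GetTransactionAtIndex(int aIndex, SHTransaction** aResult) const {
        *aResult = nullptr;
        if (aIndex < 0 || aIndex >= Length()) return false;
        *aResult = mNodes[aIndex].get();
        return true;
    }
    SHEntry* EntryAt(int aIndex) const { return &mNodes[aIndex]->entry; }
private:
    std::vector<std::unique_ptr<SHTransaction>> mNodes;
};

// The second loop from the description, as it was before the fix: `trans` is
// used without checking GetTransactionAtIndex's result or whether GetNext ran
// off the end of the list. With startIndex out of range, or endIndex past the
// last transaction, `trans` is null and GetSHEntry dereferences it.
int FindEntryUnchecked(const SHistory& aHist, const SHEntry* aEntry,
                       int startIndex, int endIndex) {
    SHTransaction* trans = nullptr;
    aHist.GetTransactionAtIndex(startIndex, &trans);
    for (int i = startIndex; i <= endIndex; ++i) {
        SHEntry* entry = nullptr;
        trans->GetSHEntry(&entry);  // null dereference when trans == nullptr
        if (entry == aEntry) return i;
        SHTransaction* temp = trans;
        temp->GetNext(&trans);
    }
    return -1;
}

// The same walk with `&& trans` in the loop condition. A failed lookup or a
// list shorter than endIndex now ends the walk with -1 instead of crashing;
// in-range searches behave exactly as before.
int FindEntryChecked(const SHistory& aHist, const SHEntry* aEntry,
                     int startIndex, int endIndex) {
    SHTransaction* trans = nullptr;
    aHist.GetTransactionAtIndex(startIndex, &trans);
    for (int i = startIndex; i <= endIndex && trans; ++i) {
        SHEntry* entry = nullptr;
        trans->GetSHEntry(&entry);
        if (entry == aEntry) return i;
        SHTransaction* temp = trans;
        temp->GetNext(&trans);
    }
    return -1;
}

// Convenience wrapper: build an n-entry history with ids 0..n-1 (constructed
// sample data) and search for targetId over [startIndex, endIndex] with the
// checked walk. A targetId not in the history forces the loop to the end.
int ProbeChecked(int n, int targetId, int startIndex, int endIndex) {
    SHistory hist;
    for (int i = 0; i < n; ++i) hist.Add(i);
    SHEntry missing = { targetId };
    const SHEntry* target =
        (targetId >= 0 && targetId < n) ? hist.EntryAt(targetId) : &missing;
    return FindEntryChecked(hist, target, startIndex, endIndex);
}

int main() {
    // Three entries; valid indices are 0..2.
    std::printf("in range:           %d\n", ProbeChecked(3, 2, 0, 2));    // 2
    std::printf("endIndex too big:   %d\n", ProbeChecked(3, 2, 1, 100));  // 2
    std::printf("start out of range: %d\n", ProbeChecked(3, 2, 5, 9));    // -1
    std::printf("missing entry:      %d\n", ProbeChecked(3, 99, 0, 100)); // -1
    // FindEntryUnchecked on the same data with startIndex 5 would dereference
    // null, which is the crash this bug reports.
    return 0;
}
```

The guard only covers the two failure modes the walk can hit: a lookup that fails up front and a list that ends before endIndex. Checking the return value of GetTransactionAtIndex as the other callers do is equivalent for the first case; the `&& trans` form handles both with one condition.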
Comment 2 • Assignee • 13 years ago

Attachment #541123 - Flags: review?(Olli.Pettay)
Updated • 13 years ago

Attachment #541123 - Flags: review?(Olli.Pettay) → review+
Updated • Assignee • 13 years ago

Keywords: checkin-needed
Updated • 13 years ago

Assignee: nobody → josh
Updated • 13 years ago

OS: Mac OS X → All
Hardware: x86 → All
Comment 3 • 13 years ago

Pushed to m-i: http://hg.mozilla.org/integration/mozilla-inbound/rev/49932c605933

(In reply to comment #0)
> Many callers of GetTransactionAtIndex check the return value and null-ness
> of the outptr. Other callers don't do either. The latter ones cause crashes.

Can we add a crashtest for this?
Comment 4 • Assignee • 13 years ago
It would be nice, but I don't believe it's known how this arises. Olli, any ideas?
Comment 5 • Assignee • 13 years ago

This was merged a while ago, but apparently wasn't marked.
http://hg.mozilla.org/mozilla-central/rev/831fabb406a1
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [inbound]