Bug 663922 - Unsafe uses of GetTransactionAtIndex in nsSHistory.cpp
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: Document Navigation
Version: Trunk
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Josh Matthews [:jdm]
Reported: 2011-06-13 12:12 PDT by Josh Matthews [:jdm]
Modified: 2011-06-28 11:40 PDT
Flags: dholbert: in-testsuite?

Attachments
Prevent null dereference of history transactions. (1.83 KB, patch)
2011-06-22 11:19 PDT, Josh Matthews [:jdm]
bugs: review+

Description Josh Matthews [:jdm] 2011-06-13 12:12:33 PDT
Many callers of GetTransactionAtIndex check the return value and null-ness of the outptr. Other callers don't do either. The latter ones cause crashes.

http://mxr.mozilla.org/mozilla-central/source/docshell/shistory/src/nsSHistory.cpp#888
888   GetTransactionAtIndex(0, getter_AddRefs(trans));
889 
890   // Walk the full session history and check that entries outside the window
891   // around aFromIndex have no content viewers
892   for (PRInt32 i = 0; i < mLength; ++i) {
893     if (i < aFromIndex - gHistoryMaxViewers || 
894         i > aFromIndex + gHistoryMaxViewers) {
895       nsCOMPtr<nsISHEntry> entry;
896       trans->GetSHEntry(getter_AddRefs(entry));
897       nsCOMPtr<nsIContentViewer> viewer;
898       nsCOMPtr<nsISHEntry> ownerEntry;
899       entry->GetAnyContentViewer(getter_AddRefs(ownerEntry),
900                                  getter_AddRefs(viewer));
901       NS_WARN_IF_FALSE(!viewer,
902                        "ContentViewer exists outside gHistoryMaxViewer range");
903     }
904 
905     nsISHTransaction *temp = trans;
906     temp->GetNext(getter_AddRefs(trans));
907   }

http://mxr.mozilla.org/mozilla-central/source/docshell/shistory/src/nsSHistory.cpp#1088
1088   GetTransactionAtIndex(startIndex, getter_AddRefs(trans));
1089 
1090   PRInt32 i;
1091   for (i = startIndex; i <= endIndex; ++i) {
1092     nsCOMPtr<nsISHEntry> entry;
1093     trans->GetSHEntry(getter_AddRefs(entry));
1094     if (entry == aEntry)
1095       break;
1096 
1097     nsISHTransaction *temp = trans;
1098     temp->GetNext(getter_AddRefs(trans));
1099   }
Comment 1 Josh Matthews [:jdm] 2011-06-13 12:14:00 PDT
I think in each case we can add |&& trans| to the loop invariant.
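The two loops quoted in the description and the `&& trans` fix suggested in comment 1, as an added example that is not Mozilla's code. It models the session-history transaction list with hypothetical stand-in types (SHEntry, SHTransaction, SHistory) whose GetTransactionAtIndex follows the contract the bug relies on: an out-of-range index returns an error and leaves the out-pointer null. The fixed loop in FindEntryIndex mirrors the shape of the loop at nsSHistory.cpp#1088; the same one-token change applies to the loop at #888.

```cpp
// Added example (not Mozilla's code): a stripped-down model of nsSHistory's
// transaction list showing why the loops quoted in the bug crash when
// GetTransactionAtIndex leaves its out-pointer null, and the `&& trans`
// loop condition proposed in comment 1. All names here are hypothetical
// stand-ins for the XPCOM interfaces.
#include <cstdint>
#include <vector>

typedef uint32_t nsresult;                        // stand-in for XPCOM's nsresult
static const nsresult NS_OK = 0;
static const nsresult NS_ERROR_FAILURE = 0x80004005;

// Stand-in for nsISHEntry: only identity matters for the search below.
struct SHEntry { int id; };

// Stand-in for nsISHTransaction: a singly linked node wrapping one entry.
struct SHTransaction {
  SHEntry* entry;
  SHTransaction* next;
  void GetSHEntry(SHEntry** aOut) { *aOut = entry; }
  void GetNext(SHTransaction** aOut) { *aOut = next; }   // null past the tail
};

// Stand-in for nsSHistory: owns the transaction list and exposes the contract
// the bug depends on: for an out-of-range index GetTransactionAtIndex returns
// an error and leaves *aResult null, which is the case the quoted loops never
// checked before dereferencing trans.
class SHistory {
 public:
  explicit SHistory(int aCount)
      : mLength(aCount), mEntries(aCount), mTransactions(aCount) {
    for (int i = 0; i < aCount; ++i) {
      mEntries[i].id = i;
      mTransactions[i].entry = &mEntries[i];
      mTransactions[i].next = (i + 1 < aCount) ? &mTransactions[i + 1] : nullptr;
    }
  }

  nsresult GetTransactionAtIndex(int aIndex, SHTransaction** aResult) {
    *aResult = nullptr;
    if (aIndex < 0 || aIndex >= mLength)
      return NS_ERROR_FAILURE;
    *aResult = &mTransactions[aIndex];
    return NS_OK;
  }

  SHEntry* EntryAt(int aIndex) { return &mEntries[aIndex]; }

  // Fixed form of the loop quoted at nsSHistory.cpp#1088. The original read
  //   for (i = startIndex; i <= endIndex; ++i) { trans->GetSHEntry(...); ... }
  // and dereferenced trans even when GetTransactionAtIndex had failed. Adding
  // `&& trans` to the condition covers that case and also stops the walk
  // cleanly if the list ends before endIndex (GetNext hands back null).
  // Returns the index of aEntry within [aStartIndex, aEndIndex], or -1.
  int FindEntryIndex(int aStartIndex, int aEndIndex, SHEntry* aEntry) {
    SHTransaction* trans = nullptr;
    GetTransactionAtIndex(aStartIndex, &trans);   // may leave trans null

    int i;
    for (i = aStartIndex; i <= aEndIndex && trans; ++i) {
      SHEntry* entry = nullptr;
      trans->GetSHEntry(&entry);
      if (entry == aEntry)
        return i;

      SHTransaction* temp = trans;
      temp->GetNext(&trans);
    }
    return -1;
  }

 private:
  int mLength;
  std::vector<SHEntry> mEntries;
  std::vector<SHTransaction> mTransactions;
};
```

With a three-entry history, searching a range that starts past the end (start index 5) or that runs past the tail (0..10) returns -1 instead of dereferencing a null transaction; the in-range lookups behave exactly as the original loop did.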
Comment 2 Josh Matthews [:jdm] 2011-06-22 11:19:02 PDT
Created attachment 541123
Prevent null dereference of history transactions.
Comment 3 Daniel Holbert [:dholbert] (largely AFK until June 28) 2011-06-22 22:26:20 PDT
Pushed to m-i: http://hg.mozilla.org/integration/mozilla-inbound/rev/49932c605933

(In reply to comment #0)
> Many callers of GetTransactionAtIndex check the return value and null-ness
> of the outptr. Other callers don't do either. The latter ones cause crashes.

Can we add a crashtest for this?
Comment 4 Josh Matthews [:jdm] 2011-06-22 22:31:11 PDT
It would be nice, but I don't believe it's known how this arises. Olli, any ideas?
Comment 5 Josh Matthews [:jdm] 2011-06-28 11:40:36 PDT
This was merged a while ago, but apparently wasn't marked.

http://hg.mozilla.org/mozilla-central/rev/831fabb406a1
