Unsafe uses of GetTransactionAtIndex in nsSHistory.cpp

Status: RESOLVED FIXED
Product: Core
Component: Document Navigation
Reported: 6 years ago
People: Reporter: jdm, Assigned: jdm
Version: Trunk
Bug Flags: in-testsuite ?
Firefox Tracking Flags: (Not tracked)
Attachments: 1 attachment

(Assignee)

Description

6 years ago
Many callers of GetTransactionAtIndex check the return value and null-ness of the outptr. Other callers don't do either. The latter ones cause crashes.

http://mxr.mozilla.org/mozilla-central/source/docshell/shistory/src/nsSHistory.cpp#888
888   GetTransactionAtIndex(0, getter_AddRefs(trans));
889 
890   // Walk the full session history and check that entries outside the window
891   // around aFromIndex have no content viewers
892   for (PRInt32 i = 0; i < mLength; ++i) {
893     if (i < aFromIndex - gHistoryMaxViewers || 
894         i > aFromIndex + gHistoryMaxViewers) {
895       nsCOMPtr<nsISHEntry> entry;
896       trans->GetSHEntry(getter_AddRefs(entry));
897       nsCOMPtr<nsIContentViewer> viewer;
898       nsCOMPtr<nsISHEntry> ownerEntry;
899       entry->GetAnyContentViewer(getter_AddRefs(ownerEntry),
900                                  getter_AddRefs(viewer));
901       NS_WARN_IF_FALSE(!viewer,
902                        "ContentViewer exists outside gHistoryMaxViewer range");
903     }
904 
905     nsISHTransaction *temp = trans;
906     temp->GetNext(getter_AddRefs(trans));
907   }

http://mxr.mozilla.org/mozilla-central/source/docshell/shistory/src/nsSHistory.cpp#1088
1088   GetTransactionAtIndex(startIndex, getter_AddRefs(trans));
1089 
1090   PRInt32 i;
1091   for (i = startIndex; i <= endIndex; ++i) {
1092     nsCOMPtr<nsISHEntry> entry;
1093     trans->GetSHEntry(getter_AddRefs(entry));
1094     if (entry == aEntry)
1095       break;
1096 
1097     nsISHTransaction *temp = trans;
1098     temp->GetNext(getter_AddRefs(trans));
1099   }
(Assignee)

Comment 1

6 years ago
I think in each case we can add |&& trans| to the loop invariant.
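The two walks from comment 0 and the `&& trans` guard from comment 1, side by side in an added example. This is not Mozilla code and not the patch attached to this bug: SHEntry, SHTransaction and SHistory are hypothetical stand-ins for nsISHEntry, nsISHTransaction and nsSHistory, and FindEntryUnguarded, FindEntryGuarded, GuardedLookup and IndexInRange are names chosen here. GetTransactionAtIndex mirrors the real method's contract as described in comment 0 (a failure return plus a null out-pointer when the index is out of range); the three-entry history is constructed sample data.

```cpp
// Added example, not Mozilla code: a minimal stand-in for nsSHistory's linked
// list of session-history transactions, written to show why an unguarded walk
// after GetTransactionAtIndex() crashes and how "&& trans" in the loop
// condition (comment 1) stops it.
#include <cstdio>
#include <vector>

struct SHEntry {
    int id;
};

// Each transaction carries one entry and links to the next one, like
// nsISHTransaction::GetSHEntry / GetNext.
struct SHTransaction {
    SHEntry* entry;
    SHTransaction* next;
};

class SHistory {
public:
    explicit SHistory(int length) : entries_(length), transactions_(length) {
        for (int i = 0; i < length; ++i) {
            entries_[i].id = i;
            transactions_[i].entry = &entries_[i];
            transactions_[i].next = (i + 1 < length) ? &transactions_[i + 1] : nullptr;
        }
    }

    int Length() const { return static_cast<int>(transactions_.size()); }
    SHEntry* EntryAt(int i) { return &entries_[i]; }

    // Mirrors nsSHistory::GetTransactionAtIndex as comment 0 describes it: on an
    // out-of-range index it reports failure and leaves the out-pointer null.
    // Callers that ignore both signals are the ones this bug is about.
    bool GetTransactionAtIndex(int index, SHTransaction** out) {
        *out = nullptr;
        if (index < 0 || index >= Length())
            return false;
        *out = &transactions_[index];
        return true;
    }

    // The pattern from nsSHistory.cpp:1088 in comment 0: neither the return
    // value nor trans is checked, so a startIndex past the end, or an endIndex
    // beyond the last transaction, dereferences a null pointer.
    int FindEntryUnguarded(const SHEntry* target, int startIndex, int endIndex) {
        SHTransaction* trans = nullptr;
        GetTransactionAtIndex(startIndex, &trans);
        for (int i = startIndex; i <= endIndex; ++i) {
            if (trans->entry == target)   // null dereference when trans == nullptr
                return i;
            trans = trans->next;
        }
        return -1;
    }

    // The fix from comment 1: "&& trans" in the loop condition ends the walk as
    // soon as the chain runs out, whatever bounds the caller passed.
    int FindEntryGuarded(const SHEntry* target, int startIndex, int endIndex) {
        SHTransaction* trans = nullptr;
        GetTransactionAtIndex(startIndex, &trans);
        for (int i = startIndex; i <= endIndex && trans; ++i) {
            if (trans->entry == target)
                return i;
            trans = trans->next;
        }
        return -1;
    }

private:
    std::vector<SHEntry> entries_;
    std::vector<SHTransaction> transactions_;
};

// Build a history of `length` entries and run the guarded walk for the entry
// with id `targetId` (must be < length); returns its index or -1.
int GuardedLookup(int length, int targetId, int startIndex, int endIndex) {
    SHistory history(length);
    return history.FindEntryGuarded(history.EntryAt(targetId), startIndex, endIndex);
}

// True when GetTransactionAtIndex succeeds and hands back a non-null pointer.
bool IndexInRange(int length, int index) {
    SHistory history(length);
    SHTransaction* trans = nullptr;
    return history.GetTransactionAtIndex(index, &trans) && trans != nullptr;
}

int main() {
    // Constructed sample: three entries (ids 0..2) and stale bounds such as a
    // caller holding an old endIndex might pass.
    std::printf("guarded, target in range:   %d\n", GuardedLookup(3, 2, 0, 10));
    std::printf("guarded, start past end:    %d\n", GuardedLookup(3, 0, 5, 10));
    std::printf("guarded, end past chain:    %d\n", GuardedLookup(3, 0, 2, 10));
    // SHistory(3).FindEntryUnguarded(entry, 5, 10) would crash on the first
    // dereference of trans; it is deliberately not called here.
    return 0;
}
```

The same `&& trans` guard applies to the walk at nsSHistory.cpp:888, whose bound is mLength rather than a caller-supplied endIndex: GetTransactionAtIndex(0, ...) can still leave trans null on an empty history, and the guard turns that into an empty loop instead of a crash.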
(Assignee)

Comment 2

6 years ago
Created attachment 541123 [details] [diff] [review]
Prevent null dereference of history transactions.
Attachment #541123 - Flags: review?(Olli.Pettay)

Updated

6 years ago
Attachment #541123 - Flags: review?(Olli.Pettay) → review+
(Assignee)

Updated

6 years ago
Keywords: checkin-needed

Updated

6 years ago
Assignee: nobody → josh

Updated

6 years ago
OS: Mac OS X → All
Hardware: x86 → All
Comment 3

6 years ago
Pushed to m-i: http://hg.mozilla.org/integration/mozilla-inbound/rev/49932c605933

(In reply to comment #0)
> Many callers of GetTransactionAtIndex check the return value and null-ness
> of the outptr. Other callers don't do either. The latter ones cause crashes.

Can we add a crashtest for this?
Flags: in-testsuite?
Keywords: checkin-needed
Whiteboard: [inbound]
Version: unspecified → Trunk
(Assignee)

Comment 4

6 years ago
It would be nice, but I don't believe it's known how this arises. Olli, any ideas?
(Assignee)

Comment 5

6 years ago
This was merged a while ago, but apparently wasn't marked.

http://hg.mozilla.org/mozilla-central/rev/831fabb406a1
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [inbound]