This might not be security sensitive, but I think it's a bug that could be exploited in released versions. That said, it's only in XUL, which isn't really available to arbitrary content. Alex Miller points out that RemoveRow just indexes blindly into an array at http://mxr.mozilla.org/mozilla-central/source/layout/xul/base/src/tree/src/nsTreeContentView.cpp#1334 . If aIndex = 2^31, and the row being removed has a non-zero subtree size, this could wrap around and be dangerous.
Quick fix would probably be to use CheckedInt here.
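As an added illustration of the overflow the report describes and the CheckedInt-style fix proposed for it (example code, not the nsTreeContentView source and not Mozilla's CheckedInt): a row index plus a non-zero subtree size computed in plain int32 arithmetic can wrap, while an overflow-checked add rejects the removal instead. The row layout and the hand-rolled `CheckedAdd` helper are assumptions made for this example.

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <utility>
#include <vector>

// Stand-in for an overflow-checked int32 add (the role mozilla::CheckedInt
// plays in the suggested fix); hand-rolled here, not Mozilla's implementation.
static std::optional<int32_t> CheckedAdd(int32_t a, int32_t b) {
    int64_t sum = static_cast<int64_t>(a) + static_cast<int64_t>(b);
    if (sum < std::numeric_limits<int32_t>::min() ||
        sum > std::numeric_limits<int32_t>::max()) {
        return std::nullopt;  // the int32 result would wrap
    }
    return static_cast<int32_t>(sum);
}

// What unchecked int32 arithmetic yields for aIndex + subtreeSize + 1. Done in
// uint32 so the wrap is well-defined in this demo (signed overflow is UB).
static int32_t WrappingEnd(int32_t aIndex, int32_t subtreeSize) {
    uint32_t end = static_cast<uint32_t>(aIndex) +
                   static_cast<uint32_t>(subtreeSize) + 1u;
    return static_cast<int32_t>(end);  // negative once the sum passes INT32_MAX
}

// Hardened form: the half-open range [aIndex, end) that removing row aIndex and
// its subtree would erase, or nullopt if the index is out of range or the
// arithmetic would overflow. Every step is range- and overflow-checked.
static std::optional<std::pair<int32_t, int32_t>>
RemovalRange(int32_t rowCount, int32_t aIndex, int32_t subtreeSize) {
    if (aIndex < 0 || subtreeSize < 0 || aIndex >= rowCount) return std::nullopt;
    std::optional<int32_t> span = CheckedAdd(subtreeSize, 1);
    if (!span) return std::nullopt;
    std::optional<int32_t> end = CheckedAdd(aIndex, *span);
    if (!end || *end > rowCount) return std::nullopt;
    return std::make_pair(aIndex, *end);
}

struct Row { int32_t subtreeSize; };  // descendant rows that follow this row

// Removes row aIndex plus its subtree; returns rows erased (0 when rejected).
static int32_t RemoveRow(std::vector<Row>& rows, int32_t aIndex) {
    if (aIndex < 0 || static_cast<size_t>(aIndex) >= rows.size()) return 0;
    auto range = RemovalRange(static_cast<int32_t>(rows.size()), aIndex,
                              rows[aIndex].subtreeSize);
    if (!range) return 0;
    rows.erase(rows.begin() + range->first, rows.begin() + range->second);
    return range->second - range->first;
}

// Constructed sample tree: row 1 owns two children (rows 2 and 3).
static int32_t RemoveFromSample(int32_t aIndex) {
    std::vector<Row> rows{{0}, {2}, {0}, {0}, {0}};
    return RemoveRow(rows, aIndex);
}
```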
Is there a machine alive that could handle that many rows without falling over? To exploit this (since it's in XUL) you'd have to find a place where content can add things to a tree-view we'd show in chrome. Do we have any of those? Or a popular add-on, I suppose. Real bug, for sure. Not convinced it's remotely exploitable.
Content can't use XUL, so shouldn't we just close this?
I don't think this is worth fixing, what with XUL not exposed to content.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX