Closed Bug 71773 Opened 23 years ago Closed 23 years ago

Crash when reading past the end of a CSSRuleList

Categories

(Core :: DOM: CSS Object Model, defect)

Product:
Core
Component:
DOM: CSS Object Model
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla0.9

People

(Reporter: ian, Assigned: jst)

References

(
URL
)

Details

(Keywords: crash, dom2, testcase, Whiteboard: [fix in hand])

Attachments

(2 files)

Patch: moves the NS_RELEASE(), and adds code to deal with the NS_ERROR_ILLEGAL_VALUE case
1.22 KB, patch
Details | Diff | Splinter Review
Patch: Switches to using nsCOMPtr instead of NS_RELEASE(), changes from QueryInterface to CallQueryInterface, and checks for |rule| instead of NS_OK.
1.31 KB, patch
Details | Diff | Splinter Review 
STEPS TO REPRODUCE
   1. <style type="text/css"></style>
   2. document.styleSheets[0].cssRules[0];

ACTUAL RESULTS
   KABOOM!

See http://www.damowmow.com/mozilla/crash/8.html
Keywords: crash, dom2, mozilla1.0, testcase
confirmed on mozilla0.8 windows95...
http://www.damowmow.com/mozilla/crash/9.html shows this problem too, but, I 
think, because another bug is causing the array to be smaller than expected.

In other words: This problem is causing other problems to be more serious! :-)
The patch moves the NS_RELEASE() to inside the |if (result == NS_OK)| block,
since |rule| will only be allocated if |result| is |NS_OK|. This fixes the 
crash. The patch also adds an |else if| for the NS_ERROR_ILLEGAL_VALUE case,
so that we follow the DOM spec, which says to return null in that case.

Test case:
   http://www.damowmow.com/mozilla/crash/8.html

Looking for r=, sr=, and someone to check it in...
Keywords: patch
Whiteboard: [fix in hand]
New patch, this time doing all the Right Things per jst. :-)

Once again looking for r=, sr=, and someone to check it in...
r=glazman ; tested on linux
Thank you Hixie for the fix (and Daniel for the review), I'll land this once the
tree opens, sr=jst
Status: NEW → ASSIGNED
OS: Windows 2000 → All
Hardware: PC → All
Whiteboard: [fix in hand] → [HAVE FIX]
Target Milestone: --- → mozilla0.9
Whiteboard: [HAVE FIX] → [fix in hand]
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
*** Bug 73274 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: