Closed Bug 783867 (CVE-2012-3989) Opened 11 years ago Closed 11 years ago
ASSERTION: This only works on ns
ISupports classes! and segfault
Running new Worker("http://base.com") instanceof Components.interfaces.nsIArray in a mochitest will hit NS_ASSERTION(mozilla::dom::DOMJSClass::FromJSClass( js::GetObjectJSClass(obj))->mDOMObjectIsISupports, "This only works on nsISupports classes!"); at <http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/src/XPCJSID.cpp#484>. We then unwrap the object to nsISupports and try to call QueryInterface on it, and segfault in nsWrapperCache::WrapObject.
How dangerous is this?
This is reasonably bad. It's also a regression from the original landing in bug 740069. Probably too late to fix this on 15 now, but we should fix elsewhere. Also, not check in a test for this until after we ship the fix. :(
Attachment #654288 - Flags: review?(peterv) → review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/2f60f3a4bdd7 No test landed yet; we should do that once we reopen it.
Whiteboard: [need review]
Target Milestone: --- → mozilla17
Comment on attachment 654288 [details] [diff] [review] Don't blindly assume IsDOMClass objects are nsISupports. [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 740069 User impact if declined: Possibly-exploitable crash Testing completed (on m-c, etc.): Tested on testcase in this bug Risk to taking this patch (and alternatives if risky): Very safe: just makes us return false in cases where it should be returned, instead of crashing exploitably. String or UUID changes made by this patch:
Attachment #654288 - Flags: approval-mozilla-aurora?
Apologies, had two security bugs open to mark, and pasted other s-g bug's cset in this one. The correct changeset is: https://hg.mozilla.org/mozilla-central/rev/2f60f3a4bdd7
Attachment #654288 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Can someone suggest a sec rating for this issue?
You need to log in before you can comment on or make changes to this bug.