Running new Worker("http://base.com") instanceof Components.interfaces.nsIArray in a mochitest will hit NS_ASSERTION(mozilla::dom::DOMJSClass::FromJSClass( js::GetObjectJSClass(obj))->mDOMObjectIsISupports, "This only works on nsISupports classes!"); at <http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/src/XPCJSID.cpp#484>. We then unwrap the object to nsISupports and try to call QueryInterface on it, and segfault in nsWrapperCache::WrapObject.
How dangerous is this?
This is reasonably bad. It's also a regression from the original landing in bug 740069. Probably too late to fix this on 15 now, but we should fix elsewhere. Also, we should not check in a test for this until after we ship the fix. :(
Created attachment 654288
Don't blindly assume IsDOMClass objects are nsISupports.
http://hg.mozilla.org/integration/mozilla-inbound/rev/2f60f3a4bdd7 No test landed yet; we should do that once we reopen it.
Comment on attachment 654288
Don't blindly assume IsDOMClass objects are nsISupports.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 740069
User impact if declined: Possibly-exploitable crash
Testing completed (on m-c, etc.): Tested on testcase in this bug
Risk to taking this patch (and alternatives if risky): Very safe: just makes us return false in cases where it should be returned, instead of crashing exploitably.
String or UUID changes made by this patch:
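The class of fix described above (return false rather than cast an object that is not an nsISupports), as an added illustration that is not the attached patch or any Gecko code. It is a simplified model: Supports, ArrayImpl, WorkerNative, ClassInfo, Reflector, Wrap and HasInstance are hypothetical names, and isSupports only plays the role of mDOMObjectIsISupports.

```cpp
// Simplified model, not Gecko code; every name here is hypothetical.
#include <cstdio>

// Stand-in for an XPCOM-style base interface.
struct Supports {
    virtual ~Supports() = default;
    virtual bool QueryInterface(int iid) const = 0;
};

// A native that implements the interface.
struct ArrayImpl : Supports {
    static constexpr int kIID = 1;  // constructed interface id
    bool QueryInterface(int iid) const override { return iid == kIID; }
};

// A native that does not derive from Supports.
struct WorkerNative { int state = 0; };

// Per-class metadata; isSupports plays the role of mDOMObjectIsISupports.
struct ClassInfo { bool isSupports; };

// A reflector: class metadata plus an untyped pointer to the native.
struct Reflector { const ClassInfo* cls; void* native; };

Reflector Wrap(Supports* s) { static const ClassInfo k{true}; return {&k, s}; }
Reflector Wrap(WorkerNative* w) { static const ClassInfo k{false}; return {&k, w}; }

// instanceof-style check. The flag is tested in every build instead of being
// left to a debug-only assertion, so a native that is not a Supports yields
// false and is never cast or called through.
bool HasInstance(const Reflector& obj, int iid) {
    if (!obj.cls || !obj.native) return false;
    if (!obj.cls->isSupports) return false;  // runtime check, not an assertion
    return static_cast<Supports*>(obj.native)->QueryInterface(iid);
}

int main() {
    ArrayImpl a;
    WorkerNative w;
    std::printf("array:  %d\n", HasInstance(Wrap(&a), ArrayImpl::kIID));
    std::printf("worker: %d\n", HasInstance(Wrap(&w), ArrayImpl::kIID));
    return 0;
}
```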
Apologies, had two security bugs open to mark, and pasted other s-g bug's cset in this one. The correct changeset is: https://hg.mozilla.org/mozilla-central/rev/2f60f3a4bdd7
Can someone suggest a sec rating for this issue?