Closed
Bug 798011
Opened 11 years ago
Closed 11 years ago
mozMatchesSelectorStub crash with Proxy
Categories
(Core :: XPConnect, defect)
Tracking
()
VERIFIED
FIXED
mozilla18
Tracking | Status | |
---|---|---|
firefox17 | + | verified |
firefox18 | + | verified |
firefox-esr10 | --- | unaffected |
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(4 keywords, Whiteboard: [adv-track-main17-])
Crash Data
Attachments
(3 files)
Size | Type | Flags |
---|---|---|
232 bytes | text/html | |
10.71 KB | text/plain | |
1.13 KB | patch | gkrizsanits: review+, akeybl: approval-mozilla-aurora+ |
Reporter | ||
Comment 1•11 years ago
Assignee | |
Comment 2•11 years ago
Attachment #668710 -
Flags: review?(gkrizsanits)
Assignee | |
Comment 3•11 years ago
I believe this is a guaranteed null-deref, so not security-sensitive....
Assignee: nobody → bzbarsky
Whiteboard: [need review]
Updated•11 years ago
Keywords: csec-nullptr
Comment 4•11 years ago
Comment on attachment 668710: Deal with JS_ValueToString failing.
Review of attachment 668710:
Just one question. Wouldn't it make sense if an init method that can fail handled the null case internally? Personally I would put the null check inside nsDependentJSString::init too, just in case someone else makes the same mistake as I did. Anyway, that being said, r+ and thanks for fixing it.
Attachment #668710 -
Flags: review?(gkrizsanits) → review+
Assignee | |
Comment 5•11 years ago
We could do that, at the cost of an extra null-check for every single existing consumer...
Assignee | |
Updated•11 years ago
tracking-firefox17:
--- → ?
tracking-firefox18:
--- → ?
Assignee | |
Comment 6•11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/c532f851ec57
Whiteboard: [need review]
Target Milestone: --- → mozilla18
Assignee | |
Comment 7•11 years ago
Comment on attachment 668710: Deal with JS_ValueToString failing.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 763897
User impact if declined: Null-deref crashes that web pages can trigger
Testing completed (on m-c, etc.): Tested on the attached testcase
Risk to taking this patch (and alternatives if risky): Very low risk. Just adds a missing null-check and exception, instead of crash.
String or UUID changes made by this patch: None.
Attachment #668710 -
Flags: approval-mozilla-aurora?
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
Comment 8•11 years ago
Comment on attachment 668710: Deal with JS_ValueToString failing.
[Triage Comment]
Reproducible crash regression with a very low risk fix - approving for Aurora 17. Please land early Monday to make the next merge.
Attachment #668710 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | |
Comment 9•11 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/21cc2ed4690c
status-firefox17:
--- → fixed
Updated•11 years ago
status-firefox-esr10:
--- → unaffected
Updated•11 years ago
status-firefox18:
--- → fixed
Keywords: csec-dos
Updated•11 years ago
Whiteboard: [adv-track-main17-]
Comment 10•11 years ago
Confirmed crash on 2012-10-4
Verified fixed on build 2012-11-13, 17.0b6
Verified fixed on build 2012-11-19, 17.0esr
Verified fixed on build 2012-11-19, 18.0a2 Aurora
Updated•10 years ago
Group: core-security