Closed Bug 827468 Opened 12 years ago Closed 12 years ago

Calling CharacterData method on an Element causes "Assertion failure: !objRef.ptr"

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla21
Tracking Status
firefox19 --- unaffected
firefox20 + fixed
firefox21 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: jruderman, Unassigned)

References

Details

(4 keywords, Whiteboard: fixed by bug 826703 [adv-main20-])

Attachments

(2 files)

Attached file testcase
Assertion failure: !objRef.ptr, at OBJDIR/dom/bindings/CharacterDataBinding.cpp:315
Attached file stack
The generated code is from:

changeset: 41b8acc38356
user: Boris Zbarsky
date: Tue Aug 28 13:10:09 2012 -0400
summary: Bug 774970. Add the ability to generate code for dealing with an XPConnect 'this' object in some cases. r=peterv

This WebIDL binding was added in:

changeset: 71b8063ba668
user: Boris Zbarsky
date: Fri Jan 04 12:02:14 2013 -0500
summary: Bug 824823 part 7. Implement WebIDL CharacterData API on nsGenericDOMDataNode. r=peterv
So the generated code looks like this:

  nsresult rv = xpc_qsUnwrapArg<nsGenericDOMDataNode>(cx, val, &objPtr, &objRef.ptr, &val);

Which lands us at:

  xpc_qsUnwrapArg<nsGenericDOMDataNode, nsISupports>

where the first template arg is the "interface" and the second is the "strong ref type". So we end up doing NS_GET_TEMPLATE_IID(nsGenericDOMDataNode) which returns the nsIContent IID. Then of course the thing we have is an nsIContent, so it happily unwraps to that...

I just checked the other things we have that have hasXPConnectImpls. Those are: Document, Element, EventTarget, HTMLDocument, HTMLElement, Node, SVGElement, SVGGraphicsElement, SVGLocatableElement, SVGTransformableElement.

Of these, Document, Element, EventTarget, HTMLDocument, HTMLElement, Node, SVGElement have DOMCI_CASTABLE_INTERFACE stuff, so I believe those are safe. SVGGraphicsElement, SVGTransformableElement, SVGLocatableElement have IIDs of their own.

So I think the only unsafe thing is the CharacterData. I can add a DOMCI_CASTABLE thing, or we can fix bug 826703 (which we want to do on 20 anyway because otherwise we need to make Text have hasXPConnectImpls). I'd vastly prefer the latter. ;)

Verifying now that that patch fixes this bug.
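A simplified C++ model of the IID mismatch described in the comment above (an added example, not Mozilla code): the `Iid` values, the `QueryInterface` returning `void*`, `Unwrap`, and the class bodies are constructed stand-ins, and the "fixed" variant models the "give the class an IID of its own" option, not the patch that landed in bug 826703.

```cpp
#include <cstdint>
#include <string>

// Constructed stand-ins for the XPCOM interface IDs involved; not Mozilla's values.
enum class Iid : uint32_t { nsISupports, nsIContent, nsGenericDOMDataNode };

struct nsISupports {
    virtual ~nsISupports() = default;
    // Returns `this` if the object implements the requested interface, else null.
    virtual void* QueryInterface(Iid iid) = 0;
};
struct nsIContent : nsISupports {};

// Text and comment nodes: the only objects that actually carry character data.
struct nsGenericDOMDataNode : nsIContent {
    std::string data;
    void* QueryInterface(Iid iid) override {
        return (iid == Iid::nsISupports || iid == Iid::nsIContent ||
                iid == Iid::nsGenericDOMDataNode) ? this : nullptr;
    }
};

// Elements are nsIContent too, but have no character data member.
struct Element : nsIContent {
    std::string tagName;
    void* QueryInterface(Iid iid) override {
        return (iid == Iid::nsISupports || iid == Iid::nsIContent) ? this : nullptr;
    }
};

// Models xpc_qsUnwrapArg<T>: the wrapped object is asked for the IID the
// template resolves for T, and a non-null answer is cast straight to T*.
template <class T>
T* Unwrap(nsISupports* wrapped, Iid iid) {
    return static_cast<T*>(wrapped->QueryInterface(iid));
}

// Buggy: nsGenericDOMDataNode had no IID of its own, so NS_GET_TEMPLATE_IID
// yielded nsIContent's. An Element answers yes and is treated as a data node,
// so appendData-style code would then touch a `data` field that does not exist.
nsGenericDOMDataNode* UnwrapDataNodeBuggy(nsISupports* o) {
    return Unwrap<nsGenericDOMDataNode>(o, Iid::nsIContent);
}

// Corrected (modelling the "IID of its own" option): only genuine data nodes
// answer to nsGenericDOMDataNode's IID, so an Element is rejected before the cast.
nsGenericDOMDataNode* UnwrapDataNodeFixed(nsISupports* o) {
    return Unwrap<nsGenericDOMDataNode>(o, Iid::nsGenericDOMDataNode);
}
```

The buggy path returns a non-null "data node" for an Element, which is the type confusion behind the assertion; the corrected path returns null for anything that is not really a data node.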
Depends on: 826703
Yeah, the patches in bug 826703 fix this.
With ASan, I found an exploitable case (involving appendData).
Group: core-security
Keywords: sec-critical
Fixed by bug 826703.
Target Milestone: --- → mozilla21
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Keywords: regression
Whiteboard: fixed by bug 826703
Checked that this bug and its dups are all fixed on Aurora now.
Whiteboard: fixed by bug 826703 → fixed by bug 826703 [adv-main20-]
Group: core-security
Component: DOM → DOM: Core & HTML