Closed Bug 868266 Opened 7 years ago Closed 7 years ago

Root the arguments array in nsObjectLoadingContent::LegacyCall

Categories

(Core :: DOM: Core & HTML, defect)

x86
macOS
defect
Not set

Tracking


RESOLVED FIXED
mozilla23
Tracking Status
firefox21 --- unaffected
firefox22 + fixed
firefox23 --- fixed

People

(Reporter: bzbarsky, Assigned: bzbarsky)

Attachments

(1 file)

Spinning this off into a separate bug, because I think we want it on Aurora: it's a GC hazard even with our current GC setup.
Attachment #744950 - Flags: review?(terrence) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/c2b32320a79f
Flags: in-testsuite-
Whiteboard: [need review]
Target Milestone: --- → mozilla23
Comment on attachment 744950 [details] [diff] [review]
Root the arguments list in nsObjectLoadingContent::LegacyCall.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 827158
User impact if declined: A GC hazard that may end up being exploitable if one tries hard enough.
Testing completed (on m-c, etc.): Passes tests and all.
Risk to taking this patch (and alternatives if risky): Very low risk: just adds on-stack rooting. The other options are to do nothing or to turn off WebIDL bindings for object/embed/applet, but the latter is riskier than this patch.
String or IDL/UUID changes made by this patch: None.
Attachment #744950 - Flags: approval-mozilla-aurora?
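The approval comment above describes the fix as "just adds on-stack rooting". The C++ block below is an added illustration of what that means; it is not Mozilla's patch and not SpiderMonkey's collector. It is a constructed toy mark-and-sweep heap with an explicit root stack, and every name in it (ToyHeap, Obj, Rooted, calleeThatAllocates, argsSurviveCall, the small GC threshold) is an assumption made for this example. It reproduces the hazard class from the bug: an "arguments array" held only in a plain C++ local across a call that can allocate is invisible to an exactly-rooted collector and gets swept, while the same local wrapped in an RAII on-stack root survives. In SpiderMonkey, JS::Rooted plays the role the toy Rooted class plays here.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Constructed toy model of a precise (exactly rooted) garbage collector.
// Nothing here is SpiderMonkey code; it only reproduces the shape of the
// hazard fixed in this bug: a GC-managed array held in a plain C++ local
// across a call that can allocate.
struct Obj {
    int id = 0;
    bool marked = false;
    std::vector<Obj*> children;  // edges the collector traces
};

class ToyHeap {
public:
    // Allocation is where collection can happen, so a pointer that lives only
    // in a plain local is invisible to the collector at exactly this point.
    Obj* alloc(int id) {
        if (objects_.size() >= kGcThreshold) collect();
        objects_.push_back(std::make_unique<Obj>());
        objects_.back()->id = id;
        return objects_.back().get();
    }

    void pushRoot(Obj** slot) { roots_.push_back(slot); }
    void popRoot() { roots_.pop_back(); }

    // True if an object with this id has not been swept. Checking by id rather
    // than by pointer avoids touching memory the collector may have freed.
    bool isLive(int id) const {
        for (const auto& o : objects_)
            if (o->id == id) return true;
        return false;
    }

    // Mark from the root stack only, then sweep everything unmarked.
    void collect() {
        for (auto& o : objects_) o->marked = false;
        std::vector<Obj*> work;
        for (Obj** slot : roots_)
            if (*slot) work.push_back(*slot);
        while (!work.empty()) {
            Obj* o = work.back();
            work.pop_back();
            if (o->marked) continue;
            o->marked = true;
            for (Obj* c : o->children) work.push_back(c);
        }
        objects_.erase(
            std::remove_if(objects_.begin(), objects_.end(),
                           [](const std::unique_ptr<Obj>& o) { return !o->marked; }),
            objects_.end());
    }

private:
    static constexpr std::size_t kGcThreshold = 4;  // tiny, so GC triggers quickly
    std::vector<std::unique_ptr<Obj>> objects_;
    std::vector<Obj**> roots_;  // addresses of rooted locals, LIFO
};

// RAII on-stack root: registers the address of a local with the collector for
// the local's lifetime (the role JS::Rooted plays in SpiderMonkey).
class Rooted {
public:
    Rooted(ToyHeap& heap, Obj* ptr) : heap_(heap), ptr_(ptr) { heap_.pushRoot(&ptr_); }
    ~Rooted() { heap_.popRoot(); }
    Rooted(const Rooted&) = delete;
    Rooted& operator=(const Rooted&) = delete;
    Obj* get() const { return ptr_; }
private:
    ToyHeap& heap_;
    Obj* ptr_;
};

// Stand-in for the callee: it allocates, and so may run a collection while the
// caller's arguments array is still needed.
static void calleeThatAllocates(ToyHeap& heap, int firstId, int count) {
    for (int i = 0; i < count; ++i) heap.alloc(firstId + i);
}

// Build an "arguments array" (object 1 pointing at 2 and 3), then make the
// allocating call. Returns whether the array and its entries survived.
bool argsSurviveCall(bool rootTheArray) {
    ToyHeap heap;
    Obj* args = heap.alloc(1);
    Obj* a0 = heap.alloc(2);
    Obj* a1 = heap.alloc(3);
    args->children.push_back(a0);
    args->children.push_back(a1);

    if (rootTheArray) {
        Rooted rootedArgs(heap, args);  // the fix: the collector now sees 'args'
        calleeThatAllocates(heap, 100, 3);
        return heap.isLive(1) && heap.isLive(2) && heap.isLive(3);
    }
    // Unrooted: 1 (and 2, 3 through it) is reachable only from a plain local,
    // so the collector sweeps all three during the call. 'args' now dangles.
    calleeThatAllocates(heap, 100, 3);
    return heap.isLive(1) && heap.isLive(2) && heap.isLive(3);
}

int main() {
    std::printf("unrooted arguments survive call: %s\n", argsSurviveCall(false) ? "yes" : "no");
    std::printf("rooted arguments survive call:   %s\n", argsSurviveCall(true) ? "yes" : "no");
    return 0;
}
```

The unrooted branch deliberately asks the heap whether the ids are still present instead of dereferencing the stale `args` pointer: using a swept object is exactly the use-after-free the real hazard risks, and the toy keeps that out of the demonstration while still showing that the array is gone.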
https://hg.mozilla.org/mozilla-central/rev/c2b32320a79f
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Attachment #744950 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Component: DOM → DOM: Core & HTML