Closed Bug 868266 Opened 12 years ago Closed 12 years ago

Root the arguments array in nsObjectLoadingContent::LegacyCall

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla23

Tracking Flags:

Tracking

Status

firefox21

---

unaffected

firefox22

fixed

firefox23

---

fixed

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

Details

Attachments

(1 file)

Root the arguments list in nsObjectLoadingContent::LegacyCall. 12 years ago Boris Zbarsky [:bzbarsky] 1.07 KB, patch	Benjamin : review+ akeybl : approval-mozilla-aurora+	Details \| Diff \| Splinter Review

Boris Zbarsky [:bzbarsky]

Assignee

Description

•

12 years ago

Spinning this off into a separate bug, because I think we want it on Aurora: it's a GC hazard even with our current GC setup.

Boris Zbarsky [:bzbarsky]

Assignee

Comment 1

•

12 years ago

Attached patch Root the arguments list in nsObjectLoadingContent::LegacyCall. — Details — Splinter Review

Attachment #744950 - Flags: review?(terrence)

Boris Zbarsky [:bzbarsky]

Assignee

Updated

•

12 years ago

tracking-firefox22: --- → ?

:Benjamin Peterson

Updated

•

12 years ago

Attachment #744950 - Flags: review?(terrence) → review+

bhavana bajaj [:bajaj]

Updated

•

12 years ago

status-firefox22: --- → affected

tracking-firefox22: ? → +

Boris Zbarsky [:bzbarsky]

Assignee

Comment 2

•

12 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/c2b32320a79f

Flags: in-testsuite-

Whiteboard: [need review]

Target Milestone: --- → mozilla23

Boris Zbarsky [:bzbarsky]

Assignee

Comment 3

•

12 years ago

Comment on attachment 744950 [details] [diff] [review] Root the arguments list in nsObjectLoadingContent::LegacyCall. [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 827158 User impact if declined: A GC hazard that may end up being exploitable if one tries hard enough. Testing completed (on m-c, etc.): Passes tests and all. Risk to taking this patch (and alternatives if risky): Very low risk: just adds on-stack rooting. The other options are to do nothing or to turn off WebIDL bindings for object/embed/applet, but the latter is riskier than this patch. String or IDL/UUID changes made by this patch: None.

Attachment #744950 - Flags: approval-mozilla-aurora?

Phil Ringnalda (:philor)

Comment 4

•

12 years ago

https://hg.mozilla.org/mozilla-central/rev/c2b32320a79f

Status: NEW → RESOLVED

Closed: 12 years ago

Resolution: --- → FIXED

Alex Keybl [:akeybl]

Updated

•

12 years ago

status-firefox21: --- → unaffected

Alex Keybl [:akeybl]

Updated

•

12 years ago

Attachment #744950 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Ryan VanderMeulen [:RyanVM]

Comment 5

•

12 years ago

https://hg.mozilla.org/releases/mozilla-aurora/rev/b5373e1f83b2

status-firefox22: affected → fixed

status-firefox23: --- → fixed

Nobody; OK to take it and work on it

Updated

•

6 years ago

Component: DOM → DOM: Core & HTML

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Root the arguments array in nsObjectLoadingContent::LegacyCall

Categories

(Core :: DOM: Core & HTML, defect)

Tracking

()

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Updated

Updated

Comment 2

Comment 3

Comment 4

Updated

Updated

Comment 5

Updated

Attachment

General

Description

File Name

Content Type