Closed
Bug 504144
Opened 15 years ago
Closed 11 years ago
Should nsPopupSetFrame use a regular framelist for the popup children?
Categories
(Core :: XUL, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 544251
Tracking | Status | |
---|---|---|
status1.9.1 | --- | wanted |
People
(Reporter: bzbarsky, Assigned: enndeakin)
References
Details
(Keywords: sec-want, Whiteboard: [sg:want P3])
As far as I can tell, nsPopupSetFrame takes an nsIFrame* list, stores those frames in popup entries, then forgets about the fact that the frames are linked to each other.
This is not a problem per se, except that nsPopupSetFrame::RemoveFrame will destroy the frame without removing the link to it from its previous sibling. After that, we have pointers to dead memory that we're liable to make virtual function calls on...
We're sort of saved right now by not exposing nsGkAtoms::popupList, I think, which means that we don't just crash and burn all over on every test run. But I'm not happy depending on that, of course, and I have no guarantee that this can't be crashed. The right thing to do is to fix things so we don't have those dangling pointers.
Flags: blocking1.9.2?
Reporter | ||
Updated•15 years ago
|
blocking1.9.1: --- → ?
Updated•15 years ago
|
blocking1.9.1: ? → -
status1.9.1:
--- → wanted
Flags: wanted1.9.2-
Flags: blocking1.9.2?
Flags: blocking1.9.2-
We've fixed the dangling pointers in bug 529371. However, I don't see why nsPopupSetFrame needs the setup it has. Can't it just use a regular framelist instead of the custom linked-list it currently uses?
Summary: Popup set does weird things with framelists → Should nsPopupSetFrame use a regular framelist for the popup children?
Reporter | ||
Comment 2•15 years ago
|
||
Does this still need to be security-sensitive?
Comment 3•15 years ago
|
||
Is it a problem on older branches? bug 529371 was marked as a regression, but it wasn't clear from what and your comment 0 doesn't sound like a new condition.
Depends on: 529371
Possibly via the accessibility issue we just addressed, yes.
blocking1.9.1: - → ---
Comment 5•15 years ago
|
||
meaning bug 529371 or bug 529442? both?
both
Updated•15 years ago
|
blocking1.9.1: --- → .7+
Flags: wanted1.9.0.x?
Flags: blocking1.9.0.17?
Updated•15 years ago
|
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.17?
Flags: blocking1.9.0.17+
I think Neil agreed we should use a regular framelist here.
Updated•15 years ago
|
blocking1.9.1: .8+ → ---
Flags: blocking1.9.0.18+
Whiteboard: [sg:investigate]
Updated•15 years ago
|
Whiteboard: [sg:investigate] → [sg:want P3]
Assignee | ||
Comment 8•11 years ago
|
||
I don't think there's anything security sensitive here anymore is there?
Assignee | ||
Comment 9•11 years ago
|
||
In fact, I think the this was fixed long ago by 544251.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•