Closed
Bug 798011
Opened 12 years ago
Closed 12 years ago
mozMatchesSelectorStub crash with Proxy
Categories
(Core :: XPConnect, defect)
Tracking
()
VERIFIED
FIXED
mozilla18
| Tracking | Status | |
|---|---|---|
| firefox17 | + | verified |
| firefox18 | + | verified |
| firefox-esr10 | --- | unaffected |
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(4 keywords, Whiteboard: [adv-track-main17-])
Crash Data
Attachments
(3 files)
|
(deleted),
text/html
|
Details | |
|
(deleted),
text/plain
|
Details | |
|
(deleted),
patch
|
gkrizsanits
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
|
Reporter | |
Comment 1•12 years ago
|
||
|
Assignee | |
Comment 2•12 years ago
|
||
Attachment #668710 -
Flags: review?(gkrizsanits)
|
|
Assignee | |
Comment 3•12 years ago
|
||
I believe this is a guaranteed null-deref, so not security-sensitive....
Assignee: nobody → bzbarsky
Whiteboard: [need review]
|
||
Updated•12 years ago
|
Keywords: csec-nullptr
|
||
Comment 4•12 years ago
|
||
Comment on attachment 668710 [details] [diff] [review]
Deal with JS_ValueToString failing.
Review of attachment 668710 [details] [diff] [review]:
-----------------------------------------------------------------
Just one question. Wouldn't it make sense if an init method that can fail, handled the null case internally? Personally I would put the null check inside nsDependentJSString::init too just in case someone else does the same mistake as I did. Anyway, that being said r+ and thanks for fixing it.
Attachment #668710 -
Flags: review?(gkrizsanits) → review+
|
|
Assignee | |
Comment 5•12 years ago
|
||
We could do that, at the cost of an extra null-check for every single existing consumer...
|
|
Assignee | |
Updated•12 years ago
|
tracking-firefox17:
--- → ?
tracking-firefox18:
--- → ?
|
|
Assignee | |
Comment 6•12 years ago
|
||
Whiteboard: [need review]
Target Milestone: --- → mozilla18
|
|
Assignee | |
Comment 7•12 years ago
|
||
Comment on attachment 668710 [details] [diff] [review]
Deal with JS_ValueToString failing.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 763897
User impact if declined: Null-deref crashes that web pages can trigger
Testing completed (on m-c, etc.): Tested on the attached testcase
Risk to taking this patch (and alternatives if risky): Very low risk. Just adds
a missing null-check and exception, instead of crash.
String or UUID changes made by this patch: None.
Attachment #668710 -
Flags: approval-mozilla-aurora?
|
||
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
|
|
||
Comment 8•12 years ago
|
||
Comment on attachment 668710 [details] [diff] [review]
Deal with JS_ValueToString failing.
[Triage Comment]
Reproducible crash regression with a very low risk fix - approving for Aurora 17. Please land early Monday to make the next merge.
Attachment #668710 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 9•12 years ago
|
||
status-firefox17:
--- → fixed
|
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
|
||
Updated•12 years ago
|
status-firefox18:
--- → fixed
Keywords: csec-dos
|
||
Updated•12 years ago
|
Whiteboard: [adv-track-main17-]
|
||
Comment 10•12 years ago
|
||
Confirmed crash on 2012-10-4
Verified fixed on build 2012-11-13, 17.0b6
Verified fixed on build 2012-11-19, 17.0esr
Verified fixed on build 2012-11-19, 18.0a2 Aurora
|
|
||
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•