Closed
Bug 6661
Opened 26 years ago
Closed 26 years ago
Protecting against NULL in JS Glue code
Categories
(Core Graveyard :: Installer: XPInstall Engine, defect, P3)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: dougt, Assigned: ssu0262)
Details
If you pass a NULL version as the parameter of an overloaded function, you will
crash. The stack trace looks like:
JS_GetClass(JSContext * 0x03f3be00, JSObject * 0x00000000) line 1046 + 3 bytes
InstallAddSubcomponent(JSContext * 0x03f3be00, JSObject * 0x00b3a3c8, unsigned int 6, long * 0x00b3c364, long * 0x0410eeb4) line 491 + 17 bytes
js_Invoke(JSContext * 0x03f3be00, unsigned int 6, int 0) line 650 + 26 bytes
js_Interpret(JSContext * 0x03f3be00, long * 0x0410f6e0) line 2199 + 15 bytes
js_Invoke(JSContext * 0x03f3be00, unsigned int 1, int 0) line 666 + 13 bytes
js_Interpret(JSContext * 0x03f3be00, long * 0x0410ff28) line 2199 + 15 bytes
js_Execute(JSContext * 0x03f3be00, JSObject * 0x00b398c8, JSScript * 0x00b3bc98, JSFunction * 0x00000000, JSStackFrame * 0x00000000, int 0, long * 0x0410ff28) line 815 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03f3be00, JSObject * 0x00b398c8, JSPrincipals * 0x00000000, const unsigned short * 0x00b5e52c, unsigned int 3616, const char * 0x00000000, unsigned int 0, long * 0x0410ff28) line 2390 + 27 bytes
JS_EvaluateUCScript(JSContext * 0x03f3be00, JSObject * 0x00b398c8, const unsigned short * 0x00b5e52c, unsigned int 3616, const char * 0x00000000, unsigned int 0, long * 0x0410ff28) line 2372 + 35 bytes
JS_EvaluateScript(JSContext * 0x03f3be00, JSObject * 0x00b398c8, const char * 0x00b7ae30, unsigned int 3616, const char * 0x00000000, unsigned int 0, long * 0x0410ff28) line 2339 + 33 bytes
RunInstallOnThread(void * 0x03f3c3f0) line 346 + 30 bytes
_PR_NativeRunThread(void * 0x03f3dbe0) line 379 + 13 bytes
_threadstartex(void * 0x03f3dae0) line 212 + 13 bytes
KERNEL32! bff88ef7()
KERNEL32! bff86966()
KERNEL32! bff86863()
What is happening is that NULL is an object. In our overloading, we do this:
    if(JSVAL_IS_OBJECT(argv[1]))
    {
        JSObject* jsobj = JSVAL_TO_OBJECT(argv[1]);
At this point jsobj is 0x00000000, then we call:
        JSClass* jsclass = JS_GetClass(cx, jsobj);
Poof, we crash. We need to protect ourselves against NULL arguments.
Reporter | Updated•26 years ago
Status: NEW → ASSIGNED
Summary: Passing NULL as version crashes → Protecting against NULL in JS Glue code
Reporter | Comment 1•26 years ago
Another place this happens is:
    nsCvrtStrToJSVal(*nativeRet, cx, rval);
where nativeRet, which is returned from the native C++ object, is null.
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Wrapped JS_GetClass() calls with a null check:
    if(!JSVAL_IS_NULL(argv[1]))
    {
        ...
        JS_GetClass(...);
    }
Also wrapped nsCvrtStrToJSVal(*nativeRet, cx, rval) with a null check:
    if(nsnull == nativeRet)
        *rval = JSVAL_NULL;
    else
        nsCvrtStrToJSVal(*nativeRet, cx, rval);
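The two sites above (the overloaded version argument in the description, and the null native return in Comment 1) come down to one property of the old tagged-word jsval: null is represented as an object-tagged word whose pointer is zero, so JSVAL_IS_OBJECT() accepts it. The following C program is an added illustration, not code from this bug or from the Mozilla sources. It builds a constructed model of that representation (tag values, struct layouts and the "ExampleVersion" class name are assumptions of the model, not SpiderMonkey's), shows that the original branch would hand a NULL JSObject* to JS_GetClass(), and places the null-checked dispatch and the JSVAL_NULL return path beside it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the old SpiderMonkey tagged-word jsval (example code,
 * not from XPInstall or SpiderMonkey). The low three bits are the type tag; an
 * object-tagged word is the JSObject pointer itself, so JSVAL_NULL is an
 * object-tagged word with a zero pointer. That is why JSVAL_IS_OBJECT(JSVAL_NULL)
 * is true and the glue reached JS_GetClass() with a NULL JSObject*. Tag values
 * and struct layouts here are assumptions of the model. */
typedef uintptr_t jsval;

#define JSVAL_TAGMASK        ((jsval)0x7)
#define JSVAL_OBJECT         ((jsval)0x0)
#define JSVAL_INT            ((jsval)0x1)
#define JSVAL_STRING         ((jsval)0x4)

#define JSVAL_TAG(v)         ((v) & JSVAL_TAGMASK)
#define JSVAL_IS_OBJECT(v)   (JSVAL_TAG(v) == JSVAL_OBJECT)
#define JSVAL_IS_NULL(v)     ((v) == JSVAL_NULL)
#define OBJECT_TO_JSVAL(obj) ((jsval)(uintptr_t)(obj))
#define JSVAL_TO_OBJECT(v)   ((JSObject *)(uintptr_t)(v))
#define JSVAL_NULL           OBJECT_TO_JSVAL(0)
#define INT_TO_JSVAL(i)      ((((jsval)(i)) << 1) | JSVAL_INT)
#define STRING_TO_JSVAL(s)   (((jsval)(uintptr_t)(s)) | JSVAL_STRING)

/* _Alignas(8) keeps the low tag bits of every object/string address clear. */
typedef struct JSClass  { const char *name; } JSClass;
typedef struct JSObject { _Alignas(8) JSClass *clasp; } JSObject;
typedef struct JSString { _Alignas(8) const char *chars; } JSString;

/* Stand-in for JS_GetClass(): dereferences obj unconditionally, which is the
 * frame at the top of the reported stack trace. */
static JSClass *JS_GetClass(JSObject *obj) { return obj->clasp; }

typedef enum { VERSION_NULL, VERSION_OBJECT, VERSION_OTHER } version_kind;

/* The original dispatch on argv[1]. JSVAL_IS_OBJECT accepts JSVAL_NULL, so a
 * null argument enters the object branch with jsobj == NULL. Instead of
 * calling JS_GetClass() (which would fault), this returns 1 when that call
 * would have been made on a NULL object. */
static int original_dispatch_would_deref_null(jsval arg)
{
    if (JSVAL_IS_OBJECT(arg)) {
        JSObject *jsobj = JSVAL_TO_OBJECT(arg);
        return jsobj == NULL;   /* the next statement would be JS_GetClass(cx, jsobj) */
    }
    return 0;
}

/* The fixed dispatch: test JSVAL_IS_NULL before treating the value as an
 * object, as the resolution did, so JS_GetClass() only ever sees a live
 * pointer. On the object path *class_name receives the class name. */
static version_kind fixed_dispatch(jsval arg, const char **class_name)
{
    *class_name = NULL;
    if (JSVAL_IS_NULL(arg))
        return VERSION_NULL;
    if (JSVAL_IS_OBJECT(arg)) {
        *class_name = JS_GetClass(JSVAL_TO_OBJECT(arg))->name;
        return VERSION_OBJECT;
    }
    return VERSION_OTHER;
}

/* Second site from Comment 1: the native call may hand back a null string.
 * The fix returns JSVAL_NULL to script instead of converting a null pointer. */
static void native_string_to_jsval(const JSString *native_ret, jsval *rval)
{
    if (native_ret == NULL)
        *rval = JSVAL_NULL;
    else
        *rval = STRING_TO_JSVAL(native_ret);
}

int main(void)
{
    static JSClass  version_class = { "ExampleVersion" };   /* constructed name */
    static JSObject version_obj   = { &version_class };
    static JSString version_str   = { "1.0" };              /* constructed value */
    const char *name;
    jsval rval;

    printf("JSVAL_IS_OBJECT(JSVAL_NULL)        = %d\n", (int)JSVAL_IS_OBJECT(JSVAL_NULL));
    printf("original dispatch would deref NULL = %d\n",
           original_dispatch_would_deref_null(JSVAL_NULL));
    printf("fixed dispatch, null argument      = %d\n", (int)fixed_dispatch(JSVAL_NULL, &name));
    printf("fixed dispatch, object argument    = %d", (int)fixed_dispatch(OBJECT_TO_JSVAL(&version_obj), &name));
    printf(" (%s)\n", name);
    printf("fixed dispatch, int argument       = %d\n", (int)fixed_dispatch(INT_TO_JSVAL(6), &name));

    native_string_to_jsval(NULL, &rval);
    printf("null native return is JSVAL_NULL   = %d\n", (int)JSVAL_IS_NULL(rval));
    native_string_to_jsval(&version_str, &rval);
    printf("string native return has string tag= %d\n", (int)(JSVAL_TAG(rval) == JSVAL_STRING));
    return 0;
}
```

The point the model makes is that the type test and the null test are different questions: JSVAL_IS_OBJECT() answers "is this word tagged as an object?", and null passes that test by construction, so any glue that goes on to dereference the pointer has to ask JSVAL_IS_NULL() first.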
Updated•26 years ago
Status: RESOLVED → VERIFIED
Comment 4•26 years ago
dev bug
Bulk move of XPInstall (component to be deleted) bugs to Installer: XPInstall Engine
Updated•9 years ago
Product: Core → Core Graveyard