Closed Bug 6661 Opened 26 years ago Closed 26 years ago

Protecting against NULL in JS Glue code

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect, P3)

x86
Other
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: dougt, Assigned: ssu0262)

Details

If you pass a NULL version as the parameter of an overloaded function, you will crash. The stack trace looks like:

JS_GetClass(JSContext * 0x03f3be00, JSObject * 0x00000000) line 1046 + 3 bytes
InstallAddSubcomponent(JSContext * 0x03f3be00, JSObject * 0x00b3a3c8, unsigned int 6, long * 0x00b3c364, long * 0x0410eeb4) line 491 + 17 bytes
js_Invoke(JSContext * 0x03f3be00, unsigned int 6, int 0) line 650 + 26 bytes
js_Interpret(JSContext * 0x03f3be00, long * 0x0410f6e0) line 2199 + 15 bytes
js_Invoke(JSContext * 0x03f3be00, unsigned int 1, int 0) line 666 + 13 bytes
js_Interpret(JSContext * 0x03f3be00, long * 0x0410ff28) line 2199 + 15 bytes
js_Execute(JSContext * 0x03f3be00, JSObject * 0x00b398c8, JSScript * 0x00b3bc98, JSFunction * 0x00000000, JSStackFrame * 0x00000000, int 0, long * 0x0410ff28) line 815 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03f3be00, JSObject * 0x00b398c8, JSPrincipals * 0x00000000, const unsigned short * 0x00b5e52c, unsigned int 3616, const char * 0x00000000, unsigned int 0, long * 0x0410ff28) line 2390 + 27 bytes
JS_EvaluateUCScript(JSContext * 0x03f3be00, JSObject * 0x00b398c8, const unsigned short * 0x00b5e52c, unsigned int 3616, const char * 0x00000000, unsigned int 0, long * 0x0410ff28) line 2372 + 35 bytes
JS_EvaluateScript(JSContext * 0x03f3be00, JSObject * 0x00b398c8, const char * 0x00b7ae30, unsigned int 3616, const char * 0x00000000, unsigned int 0, long * 0x0410ff28) line 2339 + 33 bytes
RunInstallOnThread(void * 0x03f3c3f0) line 346 + 30 bytes
_PR_NativeRunThread(void * 0x03f3dbe0) line 379 + 13 bytes
_threadstartex(void * 0x03f3dae0) line 212 + 13 bytes
KERNEL32! bff88ef7()
KERNEL32! bff86966()
KERNEL32! bff86863()

What is happening is that NULL is an object. In our overloading, we do this:

    if(JSVAL_IS_OBJECT(argv[1]))
    {
        JSObject* jsobj = JSVAL_TO_OBJECT(argv[1]);

At this point jsobj is 0x00000000, then we call:

    JSClass* jsclass = JS_GetClass(cx, jsobj);

Poof. We crash.
We need to protect ourselves against NULL arguments.
Status: NEW → ASSIGNED
Summary: Passing NULL as version crashes → Protecting against NULL in JS Glue code
Another place this happens is nsCvrtStrToJSVal(*nativeRet, cx, rval); where nativeRet, which is returned from the native C++ object, is null.
Assignee: dougt → ssu
Status: ASSIGNED → NEW
reassign to Sean.
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Wrapped the JS_GetClass() calls with a null check:

    if(!JSVAL_IS_NULL(argv[1]))
    {
        ...
        JS_GetClass(...);
    }

Also wrapped the nsCvrtStrToJSVal(*nativeRet, cx, rval) calls with a null check:

    if(nsnull == nativeRet)
        *rval = JSVAL_NULL;
    else
        nsCvrtStrToJSVal(*nativeRet, cx, rval);
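As an added illustration (not code from this bug or from XPInstall), the same check in C against a minimal stand-in for the classic jsval tag macros; the tag layout is an assumption modelled on the old jsapi.h, and the names unguarded_reaches_null_deref, class_name_of_arg and version_obj are mine. It shows why JSVAL_IS_OBJECT alone is not enough: the null value carries the object tag, so only an explicit JSVAL_IS_NULL test keeps a NULL pointer out of JS_GetClass.

```c
#include <stdint.h>
#include <string.h>

/* Minimal stand-in for the classic SpiderMonkey jsval tagging scheme (an
 * assumption modelled on old jsapi.h, not the real headers): object values are
 * tagged 0 in the low three bits and JSVAL_NULL is the value 0, so JS null
 * passes JSVAL_IS_OBJECT and JSVAL_TO_OBJECT hands back a NULL pointer. */
typedef intptr_t jsval;
typedef struct { const char *name; } JSClass;
typedef struct { JSClass *clasp; } JSObject;   /* must be 8-byte aligned */

#define JSVAL_OBJECT       0x0
#define JSVAL_TAGMASK      0x7
#define JSVAL_NULL         ((jsval)0)
#define JSVAL_IS_OBJECT(v) (((v) & JSVAL_TAGMASK) == JSVAL_OBJECT)
#define JSVAL_IS_NULL(v)   ((v) == JSVAL_NULL)
#define JSVAL_TO_OBJECT(v) ((JSObject *)(v))
#define OBJECT_TO_JSVAL(o) ((jsval)(o))

/* Dereferences the object; this is the NULL dereference in the reported stack. */
static JSClass *JS_GetClass(JSObject *obj) { return obj->clasp; }

/* Original glue logic, with the dereference replaced by a report of whether it
 * would have happened: 1 means JS_GetClass would run on a NULL JSObject. */
int unguarded_reaches_null_deref(jsval arg) {
    if (JSVAL_IS_OBJECT(arg))
        return JSVAL_TO_OBJECT(arg) == NULL;
    return 0;
}

/* Guarded logic as in the fix: test for the null value before treating the
 * argument as an object. Returns the class name, "null" for JS null, or NULL
 * when the argument is not an object at all. */
const char *class_name_of_arg(jsval arg) {
    if (JSVAL_IS_NULL(arg))
        return "null";
    if (JSVAL_IS_OBJECT(arg))
        return JS_GetClass(JSVAL_TO_OBJECT(arg))->name;
    return NULL;
}

/* Constructed sample object standing in for an InstallVersion argument. */
static JSClass version_class = { "InstallVersion" };
static _Alignas(8) JSObject version_obj = { &version_class };

const char *class_of_sample_object(void) {
    return class_name_of_arg(OBJECT_TO_JSVAL(&version_obj));
}
```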
Status: RESOLVED → VERIFIED
dev bug
Bulk move of XPInstall (component to be deleted) bugs to Installer: XPInstall Engine
Product: Core → Core Graveyard