Bugzilla@Mozilla – Bug 489131
Arbitrary code execution using event listeners attached to an element whose owner document is null
Last modified: 2009-06-11 15:16:11 PDT
This is a variant of bug 383424. fx3 and fx2 are affected. The owner document of an element can become null after GC. If the owner document is null, nsCxPusher::Push() does not push a JS context, and thus event listeners can be executed on the wrong JS context. (On trunk, if the owner document is null, nsCxPusher::Push() fails, and thus event listeners are not executed.)
Created attachment 373621 [details] testcase
Created attachment 373624 [details] [review] return PR_FALSE if null owner doc This is basically what is done on 191/trunk.
Comment on attachment 373624 [details] [review] return PR_FALSE if null owner doc Approved for 1.9.0.10, a=dveditz for release-drivers
Checking in content/base/src/nsContentUtils.cpp; /cvsroot/mozilla/content/base/src/nsContentUtils.cpp,v <-- nsContentUtils.cpp new revision: 1.312; previous revision: 1.3
Verified fixed in 1.9.0.11 with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11pre) Gecko/2009051104 GranParadiso/3.0.11pre. Verified the ill behavior on 1.9.0.10.
Created attachment 377393 [details] [review] 1.8 patch What about this one for 1.8?
Comment on attachment 377393 [details] [review] 1.8 patch Do you mind checking this one?
Comment on attachment 377393 [details] [review] 1.8 patch Smaug, what do you think about this for 1.8?
Comment on attachment 377393 [details] [review] 1.8 patch Approved for 1.8.1.22. a=ss for release-drivers
Fixed on the 1.8.1 branch Checking in base/src/nsContentUtils.cpp; /cvsroot/mozilla/content/base/src/nsContentUtils.cpp,v <-- nsContentUtils.cpp new revision: 1.107.4.28; previous revision: 1.107.4.27 done
Verified for 1.8.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.22pre) Gecko/20090602 SeaMonkey/1.1.17pre.