RESOLVED FIXED 91419
[Blackberry] Any webpage can crash webkit via qnx.callExtensionMethod assuming 'this' is the 'qnx' object
https://bugs.webkit.org/show_bug.cgi?id=91419
Benjamin Meyer
Reported 2012-07-16 13:07:37 PDT
Run the following in the inspector to crash WebKit:

    qnx.callExtensionMethod.apply(window, []);

In the C++ that handles the function, it assumes that when callExtensionMethod is called, 'this' is the object 'qnx'. The qnx object has a hidden variable that the code casts and uses, but when 'this' is not qnx, as in the example, this will cause a crash. Any website can insert the above JavaScript to cause the crash.
Attachments
patch (3.06 KB, patch)
2012-07-16 13:12 PDT, Benjamin Meyer
no flags
Benjamin Meyer
Comment 1 2012-07-16 13:12:50 PDT
Yong Li
Comment 2 2012-07-16 13:22:18 PDT
Are we sure it is null? If so, it shouldn't be a security issue. But the change log makes me think it could be a non-zero pointer. Then the patch won't fix it. We could compare the vptr.
Benjamin Meyer
Comment 3 2012-07-16 13:23:53 PDT
It is null, I have a test page for this and confirmed it works.
Benjamin Meyer
Comment 4 2012-07-16 13:28:01 PDT
Edit: to be more clear, in JSObjectRef.cpp JSObjectGetPrivate() will return 0 when the object is not a JSCallbackObject, so a simple check is good enough to stop the crash.
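The bug class described in the report and in comment 4 is a host method that trusts its receiver: page script can reach the function through qnx.callExtensionMethod and invoke it with any 'this' via apply/call, so a native implementation that unconditionally dereferences the private data behind 'this' dereferences null (the JSObjectGetPrivate() return of 0 for a non-JSCallbackObject). The following is an added illustration in plain JavaScript, not code from WebKit or the BlackBerry port: a WeakMap stands in for the private pointer, a thrown TypeError stands in for the native crash, and the names makeHostObject, callExtensionMethodUnchecked and callExtensionMethodChecked are invented for the example.

```javascript
// Added example (not WebKit or BlackBerry code): models a host object whose
// method keeps real state in a private slot. The WeakMap is a stand-in for
// the private pointer that JSObjectGetPrivate() returns for a JSCallbackObject.
const privateSlot = new WeakMap();

// Hypothetical factory: builds the host object and attaches its private data.
function makeHostObject(name) {
  const obj = {};
  privateSlot.set(obj, { name, extensions: new Set(['device.info']) });
  return obj;
}

// Vulnerable shape: dereferences the private data without checking that
// `this` actually carries it. For a foreign receiver the lookup yields
// undefined and the next property access throws a TypeError, the JS
// analogue of the null-pointer crash in the native handler.
function callExtensionMethodUnchecked(methodName) {
  const priv = privateSlot.get(this);
  return priv.extensions.has(methodName) ? `ok:${priv.name}` : `unknown:${methodName}`;
}

// Hardened shape: validate the receiver first, mirroring the null check on
// JSObjectGetPrivate() that the fix adds. A receiver we did not create gets
// a harmless return instead of a dereference.
function callExtensionMethodChecked(methodName) {
  const priv = privateSlot.get(this);
  if (priv === undefined) {
    return undefined;
  }
  return priv.extensions.has(methodName) ? `ok:${priv.name}` : `unknown:${methodName}`;
}

// Runs one call with an attacker-chosen receiver and reports whether it threw,
// so the two shapes can be compared on the same inputs.
function tryCall(fn, receiver, args) {
  try {
    return { threw: false, value: fn.apply(receiver, args) };
  } catch (e) {
    return { threw: true, error: e.constructor.name };
  }
}

const qnx = makeHostObject('qnx');

// Constructed scenarios: the intended call on the host object, the report's
// attack with `window` as receiver (globalThis here, since this runs in node),
// and a second attacker trick, an object that merely inherits from qnx.
function demo() {
  const impostor = Object.create(qnx);
  return {
    intendedUnchecked: tryCall(callExtensionMethodUnchecked, qnx, ['device.info']),
    windowUnchecked: tryCall(callExtensionMethodUnchecked, globalThis, []),
    inheritedUnchecked: tryCall(callExtensionMethodUnchecked, impostor, ['device.info']),
    intendedChecked: tryCall(callExtensionMethodChecked, qnx, ['device.info']),
    windowChecked: tryCall(callExtensionMethodChecked, globalThis, []),
    inheritedChecked: tryCall(callExtensionMethodChecked, impostor, ['device.info']),
  };
}
```

The Object.create(qnx) case is included because a receiver check that only looks at the prototype chain would still be fooled by it; checking the identity of the private data, as the WeakMap lookup and the JSObjectGetPrivate() null check both do, rejects it.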
Yong Li
Comment 5 2012-07-16 13:29:07 PDT
changing back from security
WebKit Review Bot
Comment 6 2012-07-16 13:44:59 PDT
Comment on attachment 152601 [details] patch Clearing flags on attachment: 152601 Committed r122757: <http://trac.webkit.org/changeset/122757>
WebKit Review Bot
Comment 7 2012-07-16 13:45:03 PDT
All reviewed patches have been landed. Closing bug.