WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
91419
[Blackberry] Any webpage can crash webkit via qnx.callExtensionMethod assuming 'this' is the 'qnx' object
https://bugs.webkit.org/show_bug.cgi?id=91419
Summary
[Blackberry] Any webpage can crash webkit via qnx.callExtensionMethod assumin...
Benjamin Meyer
Reported
2012-07-16 13:07:37 PDT
Run the following in inspector to crash WebKit qnx.callExtensionMethod.apply(window, []); In the c++ that handles the function it assumes that when callExtensionMethod is called that 'this' is the object 'qnx'. The qnx object has a hidden variable that the code casts and uses, but when 'this' is not qnx such as the example this will cause a crash. Any website can insert the above JavaScript to cause the crash.
Attachments
patch
(3.06 KB, patch)
2012-07-16 13:12 PDT
,
Benjamin Meyer
no flags
Details
Formatted Diff
Diff
View All
Add attachment
proposed patch, testcase, etc.
Benjamin Meyer
Comment 1
2012-07-16 13:12:50 PDT
Created
attachment 152601
[details]
patch
Yong Li
Comment 2
2012-07-16 13:22:18 PDT
Are we sure it is null? If so it shouldn't be security issue. But the change log makes me think it could be a non-zero pointer. Then the patch won't fix it. We could compare the vptr.
Benjamin Meyer
Comment 3
2012-07-16 13:23:53 PDT
It is null, I have a test page for this and confirmed it works.
Benjamin Meyer
Comment 4
2012-07-16 13:28:01 PDT
Edit: to be more clear in JSObjectRef.cpp JSObjectGetPrivate() will return 0 when the object is not a JSCallbackObject so a simple check is good enough to stop the crash.
Yong Li
Comment 5
2012-07-16 13:29:07 PDT
changing back from security
WebKit Review Bot
Comment 6
2012-07-16 13:44:59 PDT
Comment on
attachment 152601
[details]
patch Clearing flags on attachment: 152601 Committed
r122757
: <
http://trac.webkit.org/changeset/122757
>
WebKit Review Bot
Comment 7
2012-07-16 13:45:03 PDT
All reviewed patches have been landed. Closing bug.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug