From 0649a781243929e058b1d1928e758c68cfd00551 Mon Sep 17 00:00:00 2001
From: "reed@reedloden.com"
Date: Tue, 4 Mar 2008 03:25:44 -0800
Subject: [PATCH] Bug 351580 - "Possible null pointer dereferences in |nsCrypto::GenerateCRMFRequest|" (Fixed !NULL checks + GC rooting) [p=honzab@allpeers.com (Honza Bambas [mayhemer]) r=mrbkap a=blocking1.9+]
---
 security/manager/ssl/src/nsCrypto.cpp | 36 ++++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/security/manager/ssl/src/nsCrypto.cpp b/security/manager/ssl/src/nsCrypto.cpp
index 7faeaee4910e..87f104adee77 100644
--- a/security/manager/ssl/src/nsCrypto.cpp
+++ b/security/manager/ssl/src/nsCrypto.cpp
@@ -886,6 +886,8 @@ cryptojs_ReadArgsAndGenerateKey(JSContext *cx,
 params = nsnull;
 } else {
 jsString = JS_ValueToString(cx,argv[1]);
+ NS_ENSURE_TRUE(jsString, NS_ERROR_OUT_OF_MEMORY);
+ argv[1] = STRING_TO_JSVAL(jsString);
 params = JS_GetStringBytes(jsString);
 }
@@ -895,6 +897,8 @@ cryptojs_ReadArgsAndGenerateKey(JSContext *cx,
 return NS_ERROR_FAILURE;
 }
 jsString = JS_ValueToString(cx, argv[2]);
+ NS_ENSURE_TRUE(jsString, NS_ERROR_OUT_OF_MEMORY);
+ argv[2] = STRING_TO_JSVAL(jsString);
 keyGenAlg = JS_GetStringBytes(jsString);
 keyGenType->keyGenType = cryptojs_interpret_key_gen_type(keyGenAlg);
 if (keyGenType->keyGenType == invalidKeyGen) {
@@ -1816,11 +1820,13 @@ nsCrypto::GenerateCRMFRequest(nsIDOMCRMFObject** aReturn)
 jsval *argv = nsnull;
- ncc->GetArgvPtr(&argv);
+ nrv = ncc->GetArgvPtr(&argv);
+ NS_ENSURE_SUCCESS(nrv, nrv);
 JSContext *cx;
- ncc->GetJSContext(&cx);
+ nrv = ncc->GetJSContext(&cx);
+ NS_ENSURE_SUCCESS(nrv, nrv);
 JSObject* script_obj = nsnull;
 nsCOMPtr holder;
@@ -1842,6 +1848,8 @@ nsCrypto::GenerateCRMFRequest(nsIDOMCRMFObject** aReturn)
 }
 JSString *jsString = JS_ValueToString(cx,argv[0]);
+ NS_ENSURE_TRUE(jsString, NS_ERROR_OUT_OF_MEMORY);
+ argv[0] = STRING_TO_JSVAL(jsString);
 char * reqDN = JS_GetStringBytes(jsString);
 char *regToken;
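Review bot: The convert / null-check / write-back-into-argv / JS_GetStringBytes sequence added at argv[1] here is repeated verbatim at argv[2] in the next hunk, at argv[0] through argv[4] in nsCrypto::GenerateCRMFRequest and at argv[i] in nsCrypto::SignText; a small static helper would keep the rooting store and the null check inseparable, so a future call site cannot pick up one without the other. `NS_ENSURE_TRUE(jsString, NS_ERROR_OUT_OF_MEMORY)` also labels every JS_ValueToString failure as out-of-memory, although a script-supplied toString() that throws would presumably return null with a JS exception pending rather than an allocation failure, so the code deserves at least a comment saying why that result is chosen. In the SignText hunk the new early return lands directly above the existing `if (!caName)` branch that appended internalError, which that path can no longer reach; the end of that hunk is outside this view, so confirm the changed failure behaviour there is intended. cryptojs_ReadArgsAndGenerateKey starts and ends outside this hunk.
```cpp
// Convert the jsval at *vp to a string, store the string back into the
// argv slot so the GC keeps it alive for the rest of the call, and
// return its bytes.  Returns nsnull when JS_ValueToString fails, which
// may be OOM or a pending JS exception from a script-supplied toString().
static char*
cryptojs_RootedStringBytes(JSContext *cx, jsval *vp)
{
  JSString *str = JS_ValueToString(cx, *vp);
  if (!str)
    return nsnull;
  *vp = STRING_TO_JSVAL(str);
  return JS_GetStringBytes(str);
}

  // … unchanged: params = nsnull; } else { …
    params = cryptojs_RootedStringBytes(cx, &argv[1]);
    NS_ENSURE_TRUE(params, NS_ERROR_OUT_OF_MEMORY);
```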
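Review bot: `JSContext *cx;` is left uninitialised in the GetArgvPtr/GetJSContext hunk while the neighbouring `jsval *argv = nsnull;` is initialised; with the new NS_ENSURE_SUCCESS the uninitialised value is never read, but `JSContext *cx = nsnull;` would make the two declarations consistent and keep a later reordering safe. A successful GetArgvPtr does not by itself establish that argv is non-null before argv[0] is indexed in the following hunk, so unless the block that closes just before `JSString *jsString = JS_ValueToString(cx,argv[0]);` already rejects that case, an `NS_ENSURE_TRUE(argv, NS_ERROR_FAILURE);` after the first check would be cheap. `nrv` is declared outside this hunk, and nsCrypto::GenerateCRMFRequest begins and ends outside it.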
@@ -1849,6 +1857,9 @@ nsCrypto::GenerateCRMFRequest(nsIDOMCRMFObject** aReturn)
 regToken = nsnull;
 } else {
 jsString = JS_ValueToString(cx, argv[1]);
+ NS_ENSURE_TRUE(jsString, NS_ERROR_OUT_OF_MEMORY);
+ argv[1] = STRING_TO_JSVAL(jsString);
+
 regToken = JS_GetStringBytes(jsString);
 }
 char *authenticator;
@@ -1856,6 +1867,9 @@ nsCrypto::GenerateCRMFRequest(nsIDOMCRMFObject** aReturn)
 authenticator = nsnull;
 } else {
 jsString = JS_ValueToString(cx, argv[2]);
+ NS_ENSURE_TRUE(jsString, NS_ERROR_OUT_OF_MEMORY);
+ argv[2] = STRING_TO_JSVAL(jsString);
+
 authenticator = JS_GetStringBytes(jsString);
 }
 char *eaCert;
@@ -1863,6 +1877,9 @@ nsCrypto::GenerateCRMFRequest(nsIDOMCRMFObject** aReturn)
 eaCert = nsnull;
 } else {
 jsString = JS_ValueToString(cx, argv[3]);
+ NS_ENSURE_TRUE(jsString, NS_ERROR_OUT_OF_MEMORY);
+ argv[3] = STRING_TO_JSVAL(jsString);
+
 eaCert = JS_GetStringBytes(jsString);
 }
 if (JSVAL_IS_NULL(argv[4])) {
@@ -1871,6 +1888,9 @@ nsCrypto::GenerateCRMFRequest(nsIDOMCRMFObject** aReturn)
 return NS_ERROR_FAILURE;
 }
 jsString = JS_ValueToString(cx, argv[4]);
+ NS_ENSURE_TRUE(jsString, NS_ERROR_OUT_OF_MEMORY);
+ argv[4] = STRING_TO_JSVAL(jsString);
+
 char *jsCallback = JS_GetStringBytes(jsString);
@@ -2146,7 +2166,12 @@ nsCryptoRunnable::nsCryptoRunnable(nsCryptoRunArgs *args)
 nsCryptoRunnable::~nsCryptoRunnable()
 {
 nsNSSShutDownPreventionLock locker;
- JS_RemoveRoot(m_args->m_cx, &m_args->m_scope);
+
+ {
+ JSAutoRequest ar(m_args->m_cx);
+ JS_RemoveRoot(m_args->m_cx, &m_args->m_scope);
+ }
+
 NS_IF_RELEASE(m_args);
 }
@@ -2169,6 +2194,8 @@ nsCryptoRunnable::Run()
 return NS_ERROR_FAILURE;
 }
+ JSAutoRequest ar(cx);
+
 jsval retval;
 if (JS_EvaluateScriptForPrincipals(cx, m_args->m_scope, principals,
 m_args->m_jsCallback,
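Review bot: In the nsCryptoRunnable destructor, `JSAutoRequest ar(m_args->m_cx)` dereferences m_args unconditionally a few lines before `NS_IF_RELEASE(m_args)` treats it as possibly null; the pre-patch JS_RemoveRoot call had the same inconsistency, but since the commit rewrites these lines it should either wrap the whole block in `if (m_args) { ... }` or drop the `IF` so the two statements agree on the invariant. Whether m_args->m_cx is still a live context on the thread the runnable is destroyed on is not visible here and is worth confirming, since both the request and JS_RemoveRoot use it. The `JSAutoRequest ar(cx);` added in Run() in the next hunk raises no such question because cx is checked just above it.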
@@ -2549,6 +2576,9 @@ nsCrypto::SignText(const nsAString& aStringToSign, const nsAString& aCaOption,
 PRUint32 i;
 for (i = 2; i < argc; ++i) {
 JSString *caName = JS_ValueToString(cx, argv[i]);
+ NS_ENSURE_TRUE(caName, NS_ERROR_OUT_OF_MEMORY);
+ argv[i] = STRING_TO_JSVAL(caName);
+
 if (!caName) {
 aResult.Append(internalError);