Passing a bad resource name to GM_getResourceURL can crash Firefox #1623

Closed
leskets opened this Issue Sep 2, 2012 · 2 comments

3 participants

@leskets

An old script of mine makes Firefox crash with current releases of Greasemonkey.
I use Firefox 15.0 on Ubuntu 12.04.1 LTS on 64-bit AMD.

Steps to reproduce the error:
1) Install Amalgam 1.9.3: http://userscripts.org/scripts/version/13348/372734.user.js
2) Open: http://en.wikipedia.org/wiki/Cat
3) Mark some text using the mouse and release the mouse button. (Other events like hovering the mouse over a link will sometimes also trigger a crash.)

Results for different releases of Greasemonkey:
https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/1.0
Crash

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/0.9.22
OK

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/1.0beta7
Crash (First try: Firefox hangs with 0% CPU usage, Second try: real crash)

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/1.0beta5
Crash

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/1.0beta4
Crash

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/1.0beta3
OK

The script makes heavy use of EventListeners. Commenting out all occurrences of addEventListener helps against crashes (but reduces functionality, of course). Updating the metadata with @grant does not make any difference.

@Ventero

Here's a heavily reduced testcase: https://gist.github.com/3597309
The GM_getResourceURL call is just to get the current script's UUID so the script protocol handler actually looks for a matching resource. The crash then happens because no matching resource can be found, and so newChannel implicitly returns undefined, which probably leads to a null pointer dereference.

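The failure mode Ventero describes (a lookup that falls off the end of its function when no resource matches, so the caller receives `undefined` where it expects a channel object) is easy to show in isolation. The block below is an added illustration, not Greasemonkey's protocol handler: the `script:<uuid>/<name>` URL shape, the `RESOURCES` table and the `newChannel*` function names are constructed for the example. It pairs the implicit-`undefined` version with a hardened one in which every path either returns a channel or throws a typed error, and adds a caller boundary that turns that error into a checkable result instead of letting it propagate into code that would dereference it.

```javascript
// Constructed resource table (hypothetical data): script UUID -> resource name -> URL.
// Object.create(null) keeps inherited names such as "constructor" from ever
// matching a lookup.
const RESOURCES = Object.create(null);
RESOURCES["11111111-2222-3333-4444-555555555555"] = Object.assign(Object.create(null), {
  icon: "file:///tmp/example-icon.png",
});

// Parse the constructed URL form "script:<uuid>/<resource>"; null on anything else.
function parseScriptUrl(spec) {
  const m = /^script:([0-9a-f-]{36})\/([^/]+)$/i.exec(String(spec));
  return m ? { uuid: m[1].toLowerCase(), name: m[2] } : null;
}

// Version 1: mirrors the bug. Only the success path has a return statement, so a
// bad UUID, a bad name or a malformed spec all yield undefined implicitly.
function newChannelUnsafe(spec) {
  const parsed = parseScriptUrl(spec);
  if (parsed) {
    const byScript = RESOURCES[parsed.uuid];
    if (byScript && byScript[parsed.name]) {
      return { url: byScript[parsed.name] };
    }
  }
  // falls through: returns undefined
}

// Version 2: hardened. Every path returns a channel object or throws a typed
// error, so a caller can never hold an undefined "channel".
class ResourceNotFoundError extends Error {
  constructor(message) {
    super(message);
    this.name = "ResourceNotFoundError";
  }
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function newChannelSafe(spec) {
  const parsed = parseScriptUrl(spec);
  if (parsed === null) {
    throw new ResourceNotFoundError(`malformed resource URL: ${spec}`);
  }
  if (!hasOwn(RESOURCES, parsed.uuid) || !hasOwn(RESOURCES[parsed.uuid], parsed.name)) {
    throw new ResourceNotFoundError(`no resource "${parsed.name}" for script ${parsed.uuid}`);
  }
  return { url: RESOURCES[parsed.uuid][parsed.name] };
}

// Caller boundary: convert the typed error into a result the consumer must check,
// while letting unexpected errors propagate.
function resolveResource(spec) {
  try {
    return { ok: true, channel: newChannelSafe(spec) };
  } catch (e) {
    if (e instanceof ResourceNotFoundError) {
      return { ok: false, error: e.message };
    }
    throw e;
  }
}

// Stand-alone demonstration.
const GOOD = "script:11111111-2222-3333-4444-555555555555/icon";
const BAD = "script:11111111-2222-3333-4444-555555555555/nope";
console.log("unsafe, bad name ->", newChannelUnsafe(BAD));           // undefined
console.log("safe, good name  ->", resolveResource(GOOD));
console.log("safe, bad name   ->", resolveResource(BAD));
```

The `hasOwn` checks matter beyond the undefined case: with a plain object table, a resource name like `constructor` would resolve to an inherited function and be returned as if it were a URL, which is a second way an unchecked lookup hands the caller something of the wrong type.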
@arantius
Collaborator

Thanks Ventero, updated the title to reflect your findings.

@arantius arantius closed this in 9dbb8a7 Sep 6, 2012