Passing a bad resource name to GM_getResourceURL can crash Firefox #1623

Closed
leskets opened this Issue Sep 2, 2012 · 2 comments

@leskets

leskets commented Sep 2, 2012

An old script of mine makes Firefox crash with current releases of Greasemonkey.
I use Firefox 15.0 on Ubuntu 12.04.1 LTS on 64bit AMD.

Steps to reproduce the error:

  1. Install Amalgam 1.9.3: http://userscripts.org/scripts/version/13348/372734.user.js
  2. Open: http://en.wikipedia.org/wiki/Cat
  3. Mark some text using the mouse and release the mouse button. (Other events like hovering the mouse over a link will sometimes also trigger a crash)

Results for different releases of Greasemonkey:
https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/1.0
Crash

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/0.9.22
OK

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/1.0beta7
Crash (First try: Firefox hangs with 0% CPU usage, Second try: real crash)

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/1.0beta5
Crash

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/1.0beta4
Crash

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/versions/1.0beta3
OK

The script makes heavy use of EventListeners. Commenting out all occurrences of addEventListener helps against crashes (but reduces functionality, of course). Updating the metadata with @grant does not make any difference.

@Ventero

Ventero (Contributor) commented Sep 2, 2012
Here's a heavily reduced testcase: https://gist.github.com/3597309
The GM_getResourceURL call is just to get the current script's UUID so the script protocol handler actually looks for a matching resource. The crash then happens because no matching resource can be found, and so newChannel implicitly returns undefined, which probably leads to a null pointer dereference.

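The failure mode described in the comment above, modelled as an added example (this is not Greasemonkey's code and not the reduced testcase from the gist): a minimal script-protocol lookup in which the unmatched-resource path falls off the end of newChannel and hands the caller undefined, next to a guarded version that always returns a channel or throws an identifiable error, plus the check a userscript author can do before calling GM_getResourceURL. The URL layout `greasemonkey-script://<uuid>/<resource>`, the registry contents and the function names are assumptions made for this model.

```javascript
// Added example, not Greasemonkey's own code. Models the newChannel()
// lookup from the issue: a resource name that no @resource declares.

// Constructed registry: script UUID -> declared @resource name -> backing URL.
// UUID and URL are made up for this example.
const SCRIPTS = {
  "0d3f2c1e-aaaa-bbbb-cccc-123456789abc": {
    resources: { icon: "file:///tmp/gm/icon.png" },
  },
};

// Assumed URL shape for this model: greasemonkey-script://<uuid>/<resource>
function parseScriptUri(spec) {
  const m = /^greasemonkey-script:\/\/([^/]+)\/(.*)$/.exec(spec);
  return m ? { uuid: m[1], resource: m[2] } : null;
}

// Buggy variant: mirrors the behaviour the comment describes. When no
// resource matches, control reaches the end of the function with no
// return statement, so the caller receives undefined instead of a channel.
function newChannelBuggy(spec) {
  const parsed = parseScriptUri(spec);
  const script = parsed && SCRIPTS[parsed.uuid];
  if (script) {
    for (const [name, url] of Object.entries(script.resources)) {
      if (name === parsed.resource) return { uri: spec, contentUrl: url };
    }
  }
  // Unmatched: falls through, implicit undefined.
}

// Error type standing in for a "file not found" status (in XPCOM this
// would be NS_ERROR_FILE_NOT_FOUND; here it is just a tagged Error).
class ResourceNotFoundError extends Error {
  constructor(spec) {
    super(`no @resource matches ${spec}`);
    this.name = "ResourceNotFoundError";
    this.code = "FILE_NOT_FOUND";
  }
}

// Guarded variant: every path either returns a channel or throws, so the
// caller can never dereference a missing channel object.
function newChannelSafe(spec) {
  const parsed = parseScriptUri(spec);
  const script = parsed && SCRIPTS[parsed.uuid];
  if (!script) throw new ResourceNotFoundError(spec);
  const url = Object.prototype.hasOwnProperty.call(script.resources, parsed.resource)
    ? script.resources[parsed.resource]
    : null;
  if (url === null) throw new ResourceNotFoundError(spec);
  return { uri: spec, contentUrl: url };
}

// Caller side: the place that would have dereferenced the missing channel.
// Returns the backing URL, null for an unknown resource, and refuses to
// proceed if the handler hands back something that is not a channel.
function openResource(spec, newChannel = newChannelSafe) {
  let channel;
  try {
    channel = newChannel(spec);
  } catch (e) {
    if (e instanceof ResourceNotFoundError) return null;
    throw e;
  }
  if (!channel || typeof channel.contentUrl !== "string") {
    throw new TypeError(`newChannel returned ${channel} for ${spec}`);
  }
  return channel.contentUrl;
}

// Userscript side: only ask for names the script's own @resource lines
// declare, so the handler is never sent an unknown name in the first place.
// `declared` is the set of names from the script header; `getResourceURL`
// is whatever GM_getResourceURL implementation is in scope.
function safeGetResourceURL(name, declared, getResourceURL) {
  if (!declared.has(name)) return null;
  return getResourceURL(name);
}
```

Usage: `openResource("greasemonkey-script://<uuid>/missing")` returns null with the guarded handler, while the same call with `newChannelBuggy` passed as the second argument throws a TypeError at the caller, which is the JavaScript analogue of the null pointer dereference the comment suspects in native code.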

@arantius

arantius (Collaborator) commented Sep 5, 2012
Thanks Ventero, updated the title to reflect your findings.

