CVE-2006-1993: deleted object reference when designMode="on"

Wed May 3 09:34:29 UTC 2006

Today Mozilla pushed a mini update for firefox. Though the official
advisory tells us that 1.0.8 is not affected, we should take it IMO -
actually upstream has no idea as of why 1.0.8 is not affected. Same for 
mozilla. So better safe than sorry.

Attached the combined patch from #334515, which should apply cleanly
for us.

The advisory can be found here:
   http://www.mozilla.org/security/announce/2006/mfsa2006-30.html

Eric, you have time to prepare firefox update?


 - Alexander
-- 
 GPG messages preferred.    |  .''`.  ** Debian GNU/Linux **
 Alexander Sack             | : :' :      The  universal
 asac at debian.org            | `. `'      Operating System
 http://www.asoftsite.org/  |   `-    http://www.debian.org/
-------------- next part --------------
Index: embedding/components/commandhandler/src/nsBaseCommandController.cpp
===================================================================
RCS file: /cvsroot/mozilla/embedding/components/commandhandler/src/nsBaseCommandController.cpp,v
retrieving revision 1.4
retrieving revision 1.4.28.2
diff -u -8 -p -r1.4 -r1.4.28.2

--- embedding/components/commandhandler/src/nsBaseCommandController.cpp	18 Apr 2004 22:00:43 -0000	1.4
+++ embedding/components/commandhandler/src/nsBaseCommandController.cpp	27 Apr 2006 00:01:50 -0000	1.4.28.2
@@ -50,17 +50,17 @@ NS_INTERFACE_MAP_BEGIN(nsBaseCommandCont
 	NS_INTERFACE_MAP_ENTRY(nsIController)
 	NS_INTERFACE_MAP_ENTRY(nsICommandController)
 	NS_INTERFACE_MAP_ENTRY(nsIControllerContext)
 	NS_INTERFACE_MAP_ENTRY(nsIInterfaceRequestor)
 	NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsIControllerContext)
 NS_INTERFACE_MAP_END
 
 nsBaseCommandController::nsBaseCommandController()
-: mCommandContext(nsnull)
+  : mCommandContextRawPtr(nsnull)
 {
 }
 
 nsBaseCommandController::~nsBaseCommandController()
 {
 }
 
 NS_IMETHODIMP
@@ -74,17 +74,31 @@ nsBaseCommandController::Init(nsIControl
     mCommandTable = do_CreateInstance(NS_CONTROLLERCOMMANDTABLE_CONTRACTID, &rv);
   
   return rv;
 }
 
 NS_IMETHODIMP
 nsBaseCommandController::SetCommandContext(nsISupports *aCommandContext)
 {
-  mCommandContext = aCommandContext;     // no addref  
+  mCommandContextWeakPtr = nsnull;
+  mCommandContextRawPtr = nsnull;
+
+  if (aCommandContext) {
+    nsCOMPtr<nsISupportsWeakReference> weak = do_QueryInterface(aCommandContext);
+    if (weak) {
+      nsresult rv =
+        weak->GetWeakReference(getter_AddRefs(mCommandContextWeakPtr));
+      NS_ENSURE_SUCCESS(rv, rv);
+    }
+    else {
+      mCommandContextRawPtr = aCommandContext;
+    }
+  }
+
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsBaseCommandController::GetInterface(const nsIID & aIID, void * *result)
 {
   NS_ENSURE_ARG_POINTER(result);
 
@@ -108,48 +122,83 @@ nsBaseCommandController::GetInterface(co
  * ======================================================================= */
 
 NS_IMETHODIMP
 nsBaseCommandController::IsCommandEnabled(const char *aCommand,
                                           PRBool *aResult)
 {
   NS_ENSURE_ARG_POINTER(aCommand);
   NS_ENSURE_ARG_POINTER(aResult);
-  return mCommandTable->IsCommandEnabled(aCommand, mCommandContext, aResult);
+
+  nsISupports* context = mCommandContextRawPtr;
+  nsCOMPtr<nsISupports> weak;
+  if (!context) {
+    weak = do_QueryReferent(mCommandContextWeakPtr);
+    context = weak;
+  }
+  return mCommandTable->IsCommandEnabled(aCommand, context, aResult);
 }
 
 NS_IMETHODIMP
 nsBaseCommandController::SupportsCommand(const char *aCommand, PRBool *aResult)
 {
   NS_ENSURE_ARG_POINTER(aCommand);
   NS_ENSURE_ARG_POINTER(aResult);
-  return mCommandTable->SupportsCommand(aCommand, mCommandContext, aResult);
+
+  nsISupports* context = mCommandContextRawPtr;
+  nsCOMPtr<nsISupports> weak;
+  if (!context) {
+    weak = do_QueryReferent(mCommandContextWeakPtr);
+    context = weak;
+  }
+  return mCommandTable->SupportsCommand(aCommand, context, aResult);
 }
 
 NS_IMETHODIMP
 nsBaseCommandController::DoCommand(const char *aCommand)
 {
   NS_ENSURE_ARG_POINTER(aCommand);
-  return mCommandTable->DoCommand(aCommand, mCommandContext);
+
+  nsISupports* context = mCommandContextRawPtr;
+  nsCOMPtr<nsISupports> weak;
+  if (!context) {
+    weak = do_QueryReferent(mCommandContextWeakPtr);
+    context = weak;
+  }
+  return mCommandTable->DoCommand(aCommand, context);
 }
 
 NS_IMETHODIMP
 nsBaseCommandController::DoCommandWithParams(const char *aCommand,
                                              nsICommandParams *aParams)
 {
   NS_ENSURE_ARG_POINTER(aCommand);
-  return mCommandTable->DoCommandParams(aCommand, aParams, mCommandContext);
+
+  nsISupports* context = mCommandContextRawPtr;
+  nsCOMPtr<nsISupports> weak;
+  if (!context) {
+    weak = do_QueryReferent(mCommandContextWeakPtr);
+    context = weak;
+  }
+  return mCommandTable->DoCommandParams(aCommand, aParams, context);
 }
 
 NS_IMETHODIMP
 nsBaseCommandController::GetCommandStateWithParams(const char *aCommand,
                                                    nsICommandParams *aParams)
 {
   NS_ENSURE_ARG_POINTER(aCommand);
-  return mCommandTable->GetCommandState(aCommand, aParams, mCommandContext);
+
+  nsISupports* context = mCommandContextRawPtr;
+  nsCOMPtr<nsISupports> weak;
+  if (!context) {
+    weak = do_QueryReferent(mCommandContextWeakPtr);
+    context = weak;
+  }
+  return mCommandTable->GetCommandState(aCommand, aParams, context);
 }
 
 NS_IMETHODIMP
 nsBaseCommandController::OnEvent(const char * aEventName)
 {
   NS_ENSURE_ARG_POINTER(aEventName);
   return NS_OK;
 }
Index: embedding/components/commandhandler/src/nsBaseCommandController.h
===================================================================
RCS file: /cvsroot/mozilla/embedding/components/commandhandler/src/nsBaseCommandController.h,v
retrieving revision 1.3
retrieving revision 1.3.28.2
diff -u -8 -p -r1.3 -r1.3.28.2
--- embedding/components/commandhandler/src/nsBaseCommandController.h	18 Apr 2004 22:00:43 -0000	1.3
+++ embedding/components/commandhandler/src/nsBaseCommandController.h	27 Apr 2006 00:01:50 -0000	1.3.28.2
@@ -44,16 +44,18 @@
 #define NS_BASECOMMANDCONTROLLER_CONTRACTID \
  "@mozilla.org/embedcomp/base-command-controller;1"
 
 
 #include "nsIController.h"
 #include "nsIControllerContext.h"
 #include "nsIControllerCommandTable.h"
 #include "nsIInterfaceRequestor.h"
+#include "nsIWeakReference.h"
+#include "nsIWeakReferenceUtils.h"
 
 // The base editor controller is used for both text widgets, 
 //   and all other text and html editing
 class nsBaseCommandController :  public nsIController,
                             public nsIControllerContext,
                             public nsIInterfaceRequestor,
                             public nsICommandController
 {
@@ -74,16 +76,17 @@ public:
   //nsIControllerContext
   NS_DECL_NSICONTROLLERCONTEXT
 
   // nsIInterfaceRequestor
   NS_DECL_NSIINTERFACEREQUESTOR
   
 private:
 
-   nsISupports *mCommandContext;
+   nsWeakPtr mCommandContextWeakPtr;
+   nsISupports* mCommandContextRawPtr;
    
    // Our reference to the command manager
    nsCOMPtr<nsIControllerCommandTable> mCommandTable;     
 };
 
 #endif /* nsBaseCommandController_h_ */
 
