-
Bug
-
Resolution: Fixed
-
P3
-
7
-
b44
-
x86
-
windows_7
-
Verified
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-2225748 | 7u6 | Joe Mcglynn | P3 | Closed | Fixed | b15 |
| JDK-7198528 | 6u38 | Nakul Natu | P2 | Closed | Fixed | b03 |
FULL PRODUCT VERSION :
java version "1.7.0_04"
Java(TM) SE Runtime Environment (build 1.7.0_04-b22)
Java HotSpot(TM) Client VM (build 23.0-b21, mixed mode, sharing)
Java(TM) Platform SE 7 U4 10.4.0.22
ADDITIONAL OS VERSION INFORMATION :
Windows 7 64-bit [Version 6.1.7601]
EXTRA RELEVANT SYSTEM CONFIGURATION :
Firefox 13.0 (32-bit)
A DESCRIPTION OF THE PROBLEM :
If an applet uses netscape.javascript.JSObject to interact with JavaScript/DOM objects in its host web page, but passes null to one of JSObject's methods where a property name is expected, the browser process will crash due to a null pointer dereference in jvm.dll.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Load an applet that calls netscape.javascript.JSObject.getMember(String) with a null member name argument.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The method call gracefully returns null or throws an appropriate exception.
ACTUAL -
An access violation occurs in jvm.dll, terminating the browser process.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
public class CrashApplet extends java.applet.Applet {
public void start() {
netscape.javascript.JSObject.getWindow(this).getMember(null);
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Null-check "name" arguments before passing them to JSObject.
java version "1.7.0_04"
Java(TM) SE Runtime Environment (build 1.7.0_04-b22)
Java HotSpot(TM) Client VM (build 23.0-b21, mixed mode, sharing)
Java(TM) Platform SE 7 U4 10.4.0.22
ADDITIONAL OS VERSION INFORMATION :
Windows 7 64-bit [Version 6.1.7601]
EXTRA RELEVANT SYSTEM CONFIGURATION :
Firefox 13.0 (32-bit)
A DESCRIPTION OF THE PROBLEM :
If an applet uses netscape.javascript.JSObject to interact with JavaScript/DOM objects in its host web page, but passes null to one of JSObject's methods where a property name is expected, the browser process will crash due to a null pointer dereference in jvm.dll.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Load an applet that calls netscape.javascript.JSObject.getMember(String) with a null member name argument.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The method call gracefully returns null or throws an appropriate exception.
ACTUAL -
An access violation occurs in jvm.dll, terminating the browser process.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
public class CrashApplet extends java.applet.Applet {
public void start() {
netscape.javascript.JSObject.getWindow(this).getMember(null);
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Null-check "name" arguments before passing them to JSObject.
- backported by
-
JDK-7198528 Java2JSTest::testJSObjectInvalidArgs test with 6u34 b04 causes browser crash
-
- Closed
-
-
-
- Closed
-