Closed
Bug 816253
Opened 12 years ago
Closed 12 years ago
Heap-use-after-free in nsINode::GetBoolFlag
Categories
(Core :: Layout: Text and Fonts, defect)
Tracking
RESOLVED
FIXED
mozilla20
Branch | Tracking | Status
---|---|---
firefox19 | --- | unaffected
firefox20 | --- | fixed
firefox-esr10 | --- | unaffected
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People
(Reporter: ax330d, Assigned: smontagu)
References
Details
(4 keywords, Whiteboard: [asan][adv-main20-])
Attachments
(3 files)
ASan detected a heap-use-after-free while running the attached test case. One has to wait ~3 seconds until the crash. It crashes on both Linux and Windows. ASan log for rev 3c3a8eed0578.
Comment 1 (Reporter) • 12 years ago
Comment 2 • 12 years ago
This feels like a dup.
Comment 3 • 12 years ago
It looks similar-ish to bug 815500.
Comment 4 • 12 years ago
Yeah, I was thinking that but couldn't find the right bug.
Comment 5 (Assignee) • 12 years ago
Apparently not a dupe of bug 815500, nor bug 815276, since it still crashes in a build with the patches from those bugs.
Assignee: nobody → smontagu
Updated • 12 years ago
Flags: sec-bounty?
Comment 6 (Assignee) • 12 years ago
When appending a new textnode to an element which already has its direction determined by some other textnode, we weren't removing the entry in nsTextNodeDirectionalityMap for the old textnode.
Attachment #686694 -
Flags: review?(peterv)
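The root cause in comment 6 is a stale back-reference: an element's direction was determined by one text node, a newly appended text node took over, and the old text node's directionality-map entry for that element was never removed. Once the element dies, the old text node still holds a pointer to it, and the next time that text node's entry is walked the freed element is touched. The model below is an added illustration, not Gecko code and not the test case from this bug: the names TextNode, Element, dependents, the rule that an appended node with a strong directional character takes over as the direction source, and the assumption that the text node outlives the element are all simplifications chosen for the example. It keeps a liveness registry so the dangling entry can be counted without dereferencing freed memory.

```cpp
#include <algorithm>
#include <cstdint>
#include <set>
#include <string>
#include <vector>

struct Element;

// Hypothetical text node carrying its own directionality map: the list of
// dir=auto elements whose direction this node currently determines.
struct TextNode {
  std::string text;
  bool hasStrongDir;
  std::vector<Element*> dependents;  // the map entries (assumed shape)
};

// Hypothetical dir=auto element that remembers which text node it got its
// direction from.
struct Element {
  TextNode* dirSource = nullptr;
};

// Registry of live element addresses, so a stale dependent can be detected
// without touching freed memory (which would be undefined behaviour).
static std::set<std::uintptr_t> gLiveElements;

static Element* NewElement() {
  Element* e = new Element;
  gLiveElements.insert(reinterpret_cast<std::uintptr_t>(e));
  return e;
}

static void DeleteElement(Element* e) {
  gLiveElements.erase(reinterpret_cast<std::uintptr_t>(e));
  delete e;
}

// Record that |elem| takes its direction from |node|: the map entry is added
// on the text node side, which is what has to be undone later.
static void SetDirFromTextNode(Element* elem, TextNode* node) {
  elem->dirSource = node;
  node->dependents.push_back(elem);
}

// Appending a text node with a strong directional character makes it the new
// direction source (assumed rule). With |fixed| false the old node keeps its
// entry for |elem|, which is the defect described in comment 6; with |fixed|
// true the entry is removed before the new source is recorded.
static void AppendTextNode(Element* elem, TextNode* node, bool fixed) {
  if (!node->hasStrongDir) return;
  if (elem->dirSource && fixed) {
    std::vector<Element*>& d = elem->dirSource->dependents;
    d.erase(std::remove(d.begin(), d.end(), elem), d.end());
  }
  SetDirFromTextNode(elem, node);
}

// Count map entries that point at elements no longer alive. Each one is a
// pointer the real code would dereference when the node's text changes.
static int DanglingDependents(const TextNode& node) {
  int n = 0;
  for (Element* e : node.dependents) {
    if (!gLiveElements.count(reinterpret_cast<std::uintptr_t>(e))) ++n;
  }
  return n;
}

// Constructed scenario: old node determines direction, new node takes over,
// element is freed while both text nodes outlive it (assumed lifetimes).
static int Scenario(bool fixed) {
  TextNode oldNode{"abc", true, {}};
  TextNode newNode{"xyz", true, {}};
  Element* elem = NewElement();
  SetDirFromTextNode(elem, &oldNode);
  AppendTextNode(elem, &newNode, fixed);
  DeleteElement(elem);
  return DanglingDependents(oldNode);  // 1 when buggy, 0 when fixed
}

int main() {
  return (Scenario(false) == 1 && Scenario(true) == 0) ? 0 : 1;
}
```

The invariant the fix restores is that every entry in a text node's directionality map corresponds to an element whose dirSource is still that node; any code path that changes an element's direction source has to remove the old entry in the same step, otherwise the map silently outlives the object it points at.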
Comment 7 (Assignee) • 12 years ago
https://tbpl.mozilla.org/?tree=Try&rev=c619746b2fd5
Updated • 12 years ago
Attachment #686694 -
Attachment is patch: true
Updated • 12 years ago
Component: Untriaged → Layout: Text
Keywords: csec-uaf, sec-critical
Product: Firefox → Core
Whiteboard: [asan]
Comment 8 • 12 years ago
is this a Fx20 regression from bug 548206 like bug 815500 and bug 815477? Or is it an older pre-existing problem?
Comment 9 (Assignee) • 12 years ago
(In reply to Daniel Veditz [:dveditz] from comment #8)
> is this a Fx20 regression from bug 548206 like bug 815500 and bug 815477?

Yes
Comment 10 • 12 years ago
Simon is there someone else who could review this patch? I get the feeling Peter is swamped.
Updated • 12 years ago
Attachment #686694 -
Flags: review?(peterv) → review+
Comment 11 (Assignee) • 12 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/263bc2e3481f
https://hg.mozilla.org/integration/mozilla-inbound/rev/25d2aefdca37
Flags: in-testsuite+
Comment 12 • 12 years ago
https://hg.mozilla.org/mozilla-central/rev/263bc2e3481f
https://hg.mozilla.org/mozilla-central/rev/25d2aefdca37
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox20: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Updated • 12 years ago
Blocks: DirAuto
Keywords: regression
Updated • 12 years ago
Flags: sec-bounty? → sec-bounty+
Comment 15 • 12 years ago
Marking unaffected for 19 and both ESRs as per comment 9.
status-firefox-esr10: --- → unaffected
status-firefox19: --- → unaffected
status-firefox-esr17: --- → unaffected
Updated • 12 years ago
status-b2g18: --- → unaffected
Updated • 11 years ago
Whiteboard: [asan] → [asan][adv-main20+]
Updated • 11 years ago
Whiteboard: [asan][adv-main20+] → [asan][adv-main20-]
Updated • 11 years ago
Group: core-security