Closed Bug 816253 Opened 12 years ago Closed 12 years ago

Heap-use-after-free in nsINode::GetBoolFlag

Categories

(Core :: Layout: Text and Fonts, defect)

Product:
Core
Component:
Layout: Text and Fonts
Version:
20 Branch
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla20
Tracking Flags:
Tracking Status
firefox19 --- unaffected
firefox20 --- fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: ax330d, Assigned: smontagu)

References

Details

(4 keywords, Whiteboard: [asan][adv-main20-])

Attachments

(3 files)

test-case triggering the crash (*.html)
1.02 KB, text/plain
Details
ASan log
5.61 KB, text/plain
Details
Patch
2.77 KB, patch
peterv
: review+
Details | Diff | Splinter Review 
ASan detected heap-use-after free while running attached test-case. One have to wait ~3 seconds until crash. 

Crashes both for Linux and Windows. ASan log for rev 3c3a8eed0578.
Attached file ASan log 

    
  
Keywords: testcase

    
    

    
  
This feels like a dup.

    
    

    
  
It looks similar-ish to bug 815500.

    
    

    
  
Yeah, I was thinking that bug couldn't find the right bug.

    
    

    
  
Apparently not a dupe of bug 815500, nor bug 815276, since it still crashes in a build with the patches from those bugs.
Assignee: nobody → smontagu

    
    

    
  

      
      
      
      

        Attached patch
          
          
        PatchSplinter Review
      

    


  
When appending a new textnode to an element which already has its direction determined by some other textnode, we weren't removing the entry in nsTextNodeDirectionalityMap for the old textnode.

        Attachment #686694 -
        Flags: review?(peterv)

        Attachment #686694 -
        Attachment is patch: true
Component: Untriaged → Layout: Text
Keywords: csec-uaf, 
          
            sec-critical
Product: Firefox → Core
Whiteboard: [asan]

    
    

    
  
is this a Fx20 regression from bug 548206 like bug 815500 and bug 815477? Or is it an older pre-existing problem?

    
  
Blocks: 819014

    
    

    
  
(In reply to Daniel Veditz [:dveditz] from comment #8)
> is this a Fx20 regression from bug 548206 like bug 815500 and bug 815477?

Yes

    
    

    
  
Simon is there someone else who could review this patch? I get the feeling Peter is swamped.

        Attachment #686694 -
        Flags: review?(peterv) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/263bc2e3481f
https://hg.mozilla.org/mozilla-central/rev/25d2aefdca37
Status: NEW → RESOLVED
Closed: 12 years ago

          status-firefox20:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Blocks: DirAuto
Keywords: regression
Flags: sec-bounty? → sec-bounty+

    
    

    
  
marking unaffected for 19 & both esrs as per comment 9

          status-firefox-esr10:
          --- → unaffected

          status-firefox19:
          --- → unaffected

          status-firefox-esr17:
          --- → unaffected
Whiteboard: [asan] → [asan][adv-main20+]
Whiteboard: [asan][adv-main20+] → [asan][adv-main20-]
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: