Bug 1253942 (Closed)
Opened 8 years ago; closed 8 years ago
Null Pointer Exception in IndexedDB - mozilla::dom::indexedDB::(anonymous namespace)::DatabaseConnection::GetCachedStatement
Categories: Core :: Storage: IndexedDB, defect
Status: RESOLVED DUPLICATE of bug 1195149
People: Reporter: nick, Unassigned
Keywords: crash, csectype-nullptr, testcase
Attachments (1 file): 3.66 KB, text/html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36

Steps to reproduce:
Please see the PoC to reproduce the issue.

Actual results:
The browser crashed citing a null pointer dereference.

Expected results:
A race condition in IndexedDB leads to a null pointer exception. By repeatedly opening, performing operations on, and closing IndexedDB database connections, it is possible to trigger a null pointer exception that crashes the browser. The PoC was tested on Mac OS X 10.11 with the release binary of Firefox 44.0.2 and can cause a crash within a few minutes of opening the PoC. Attempts to reproduce the issue on Ubuntu 15.10 and Windows 7 were unsuccessful.

The offending line is: dom/indexedDB/ActorsParent.cpp:6700

This becomes an issue when "mStorageConnection" is set to "nullptr" in dom/indexedDB/ActorsParent.cpp:10300.

A crash report is available at: https://crash-stats.mozilla.com/report/index/e8160559-442f-413c-a294-444852160306

I'm not certain if this represents a significant security threat, but I will mark it as such just in case.
Comment 1•8 years ago
Does this still reproduce using Nightly (v47, https://nightly.mozilla.org/ ) ?
Group: firefox-core-security → core-security
Component: Untriaged → DOM: IndexedDB
Flags: needinfo?(nick)
Product: Firefox → Core
Reporter
Comment 2•8 years ago
I just ran my PoC on nightly for about two hours without a crash. I'll let it run until tomorrow AM, but it seems like this issue is fixed in nightly.
Flags: needinfo?(nick)
Updated•8 years ago
Group: core-security → dom-core-security
Reporter
Comment 4•8 years ago
I never saw any additional crashes on the nightly version. Is there any information I can provide that might assist in helping you reproduce this problem?
Reporter
Comment 5•8 years ago
I retested with firefox 45 and can't reproduce the crash. My guess is this is fixed now, and may have only been a problem on very specific setups.
I ran this overnight on trunk with no success. It certainly happens in the wild, because this is bug 1195149 and bug 1172822.
Group: dom-core-security
Comment 7•8 years ago
Kyle, should we dupe this to either bug 1195149 or bug 1172822?
Flags: needinfo?(khuey)
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(khuey)
Resolution: --- → DUPLICATE