Closed
Bug 765585
Opened 12 years ago
Closed 11 years ago
Heap-use-after-free in js::GCThingIsMarkedGray involving DOM events
Categories
(Core :: DOM: Events, defect)
RESOLVED
INCOMPLETE
People
(Reporter: ax330d, Unassigned)
Details
(Keywords: sec-moderate, Whiteboard: [asan])
Attachments
(1 file)
8.69 KB, text/plain
ASan detected a heap-use-after-free on build cf4face65451. No testcase yet; trying to catch the bug.
Updated•12 years ago
Keywords: testcase-wanted
Comment 1•12 years ago
Looks like an nsGenericElement is holding a pointer to the mEvent field of an nsDOMEvent that has been freed. Does that ring any bells for you, Olli?
Updated•12 years ago
Summary: Heap-use-after-free in js::GCThingIsMarkedGray → Heap-use-after-free in js::GCThingIsMarkedGray involving DOM events
Updated•12 years ago
Component: Untriaged → DOM: Events
Product: Firefox → Core
QA Contact: untriaged → events
Comment 2•12 years ago
Elements shouldn't keep

(In reply to Andrew McCreight [:mccr8] from comment #1)
> Looks like an nsGenericElement is holding a pointer to the mEvent field of
> an nsDOMEvent that has been freed. Does that ring any bells for you, Olli?

No. But if that is the case, it is a bug.
Updated•12 years ago
Whiteboard: [asan]
Comment 3•12 years ago
Is there enough information to do anything with this bug, or should we close it incomplete and hope if there's a bad condition here we'll catch it again in future fuzzing?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•12 years ago
Looking back at the old revision, it looks like the line that touches freed memory is the NoteXPCOMChild from here:

    PRUint32 kids = tmp->mAttrsAndChildren.ChildCount();
    for (i = 0; i < kids; i++) {
      NS_CYCLE_COLLECTION_NOTE_EDGE_NAME(cb, "mAttrsAndChildren[i]");
      cb.NoteXPCOMChild(tmp->mAttrsAndChildren.GetSafeChildAt(i));
    }

The line number in ~nsDOMEvent was the final close brace. I'm not sure what that means. The allocation point in Alloc is this:

    nsStringBuffer *hdr = (nsStringBuffer *) malloc(sizeof(nsStringBuffer) + size);

I'm not sure how a string buffer ends up as a child of a node... It all seems pretty odd. None of the three points referenced by ASan seem to relate to any other. So I think we'd probably need a test case.
Updated•12 years ago
Keywords: sec-moderate
Comment 5•11 years ago
I don't think there's anything more we can do here without a test case. Please reopen or file a new bug if you have one.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Keywords: testcase-wanted
Updated•8 years ago
Group: core-security-release