http2Session.cpp 2685

    CleanupStream(streamID, NS_OK, CANCEL_ERROR);
    MOZ_ASSERT(!mNeedsCleanup || mNeedsCleanup->StreamID() == streamID);

The assert derefs mNeedsCleanup, which can be a use-after-free after CleanupStream() is done. This is both a UAF and makes the assert occasionally incorrect. Since this is a debug-only assert, I don't see a reason to backport or security flag it.
Created attachment 8548326: h2 assert stream id before cleanup
Attachment #8548326 - Flags: review?(hurley)
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Attachment #8548326 - Flags: review?(hurley) → review+
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
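The ordering fix named in the attachment title (check the stream ID before cleanup), shown on a toy model. This is an added example, not Mozilla's code: `Session`, `Stream`, `ResetStreamChecked` and `PendingIsFreed` are hypothetical names, and a `std::weak_ptr` stands in for the pointer the assert reads so that the freed state can be observed safely.

```cpp
#include <cstdint>
#include <map>
#include <memory>

// Toy model (hypothetical, not Mozilla's classes): the session owns its
// streams; needsCleanup_ is a non-owning reference to one of them.
struct Stream {
    explicit Stream(uint32_t streamId) : id(streamId) {}
    uint32_t id;
};

class Session {
public:
    void AddStream(uint32_t id) { streams_[id] = std::make_shared<Stream>(id); }

    void MarkNeedsCleanup(uint32_t id) {
        needsCleanup_ = streams_.at(id);
        marked_ = true;
    }

    // Destroys the stream; non-owning references to it dangle afterwards.
    void CleanupStream(uint32_t id) { streams_.erase(id); }

    // Fixed ordering: evaluate the invariant while the stream is still
    // alive, then clean up. Returns whether the invariant held.
    bool ResetStreamChecked(uint32_t id) {
        std::shared_ptr<Stream> pending = needsCleanup_.lock();
        const bool invariant = !pending || pending->id == id;
        pending.reset();  // drop the temporary owner so cleanup really frees
        CleanupStream(id);
        return invariant;
    }

    // True when the object a post-cleanup check would read no longer exists.
    bool PendingIsFreed() const { return marked_ && needsCleanup_.expired(); }

private:
    std::map<uint32_t, std::shared_ptr<Stream>> streams_;
    std::weak_ptr<Stream> needsCleanup_;
    bool marked_ = false;
};

int main() {
    Session s;
    s.AddStream(3);
    s.MarkNeedsCleanup(3);
    const bool held = s.ResetStreamChecked(3);  // check first, then free
    return (held && s.PendingIsFreed()) ? 0 : 1;
}
```

With a raw pointer in place of the `weak_ptr`, reading the stream ID after `CleanupStream` would touch freed memory, which is why the check has to come first.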