Closed Bug 1121058 Opened 7 years ago Closed 7 years ago
uaf in assert http2session
http2Session.cpp 2685 CleanupStream(streamID, NS_OK, CANCEL_ERROR); MOZ_ASSERT(!mNeedsCleanup || mNeedsCleanup->StreamID() == streamID); the assert derefs mNeedsCleanup, which can be use after free after cleanupstrem() is done. This is both uaf and makes the assert occasionally incorrect. since this is a debug only assert I don't see a reason to backport or security flag it.
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You need to log in before you can comment on or make changes to this bug.