Closed
Bug 1197012
Opened 10 years ago
Closed 9 years ago
crash in nsAString_internal::Assign(nsAString_internal const&, mozilla::fallible_t const&) | nsAString_internal::Assign(nsAString_internal const&) | mozilla::ErrorResult::ThrowErrorWithMessage(__va_list_tag*, mozilla::dom::ErrNum, nsresult)
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: Harald, Assigned: nsm)
References
Details
(Keywords: crash, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main43+])
Crash Data
Attachments
(1 file, 1 obsolete file)
|
1.92 KB,
patch
|
nsm
:
review+
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-123cedd1-aed8-4e77-86b9-9bfc82150820.
=============================================================
Fresh profile, opened https://johnme-gcm.appspot.com/chat/
- Signed in
- Closed tab
- Received a push notification
- Opened tab
- Refresh
- Waited
- Un-focus the window to do something else
- Crash
|
||
Comment 1•10 years ago
|
||
nikhil, could you please have a look at this crash?
Flags: needinfo?(nsm.nikhil)
|
Assignee | |
Updated•10 years ago
|
Blocks: 1195977
Group: mozilla-employee-confidential
status-firefox42:
--- → affected
Component: General → DOM
Flags: needinfo?(nsm.nikhil)
|
|
Assignee | |
Comment 2•10 years ago
|
||
I don't know what is the appropriate security group.
This should be rated sec-moderate I think. It is the same problem where ThrowTypeError does not validate the format string and arguments. In this case the error type was expecting arguments but wasn't passed any.
|
|
Assignee | |
Comment 3•10 years ago
|
||
Assignee: nobody → nsm.nikhil
Status: NEW → ASSIGNED
Attachment #8650863 -
Flags: review?(continuation)
Group: mozilla-employee-confidential → core-security
|
||
Updated•10 years ago
|
Keywords: sec-moderate
|
|
||
Comment 4•10 years ago
|
||
Comment on attachment 8650863 [details] [diff] [review]
Fix ThrowTypeError
Review of attachment 8650863 [details] [diff] [review]:
-----------------------------------------------------------------
Fun. I'm trying to make my improved error throwing code catch this case, at least by safely crashing.
Attachment #8650863 -
Flags: review?(continuation) → review+
|
|
||
Comment 5•10 years ago
|
||
This case ends up failing in a somewhat different way: it is reading whatever is next on the stack as a string. That's probably a little worse, but off hand it doesn't seem very easy to exploit.
|
|
||
Comment 6•9 years ago
|
||
There's another instance of this problem in ServiceWorkerRegistrationMainThread::ShowNotification(), where it throws MSG_NO_ACTIVE_WORKER. (I found this with my patch to detect these kinds of errors at compile time.)
Flags: needinfo?(nsm.nikhil)
|
|
Assignee | |
Comment 7•9 years ago
|
||
I've changed that callsite as well.
Attachment #8650863 -
Attachment is obsolete: true
Flags: needinfo?(nsm.nikhil)
|
||
Updated•9 years ago
|
Group: core-security → dom-core-security
|
|
||
Comment 8•9 years ago
|
||
Is this ready for review and landing, nsm? Thanks.
Flags: needinfo?(nsm.nikhil)
|
|
Assignee | |
Comment 10•9 years ago
|
||
Comment on attachment 8652396 [details] [diff] [review]
Fix ThrowTypeError
Approval Request Comment
[Feature/regressing bug #]: Bug 1114554
[User impact if declined]: Possible security bug
[Describe test coverage new/current, TreeHerder]: Can't really test this, was a type checking bug.
[Risks and why]: None
[String/UUID change made/needed]: None
Attachment #8652396 -
Flags: review+
Attachment #8652396 -
Flags: approval-mozilla-aurora?
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
||
Updated•9 years ago
|
Group: dom-core-security → core-security-release
|
||
Comment 12•9 years ago
|
||
Comment on attachment 8652396 [details] [diff] [review]
Fix ThrowTypeError
Taking it but next time, please restraint from using "None" as a risk. Every patch brings a risk. Even one-liner...
Attachment #8652396 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
||
Comment 13•9 years ago
|
||
Hi Harald, can you verify that this fix addresses your original report?
Flags: needinfo?(hkirschner)
|
|
||
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage]
|
||
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main43+]
|
|
||
Updated•9 years ago
|
Group: core-security-release
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•