Closed Bug 1231919 Opened 4 years ago Closed 4 years ago

crash in mozilla::a11y::DocAccessible::ValidateARIAOwned

Categories

(Core :: Disability Access APIs, defect, critical)

Platform: x86
OS: Windows NT
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla46
Tracking Status
firefox45 --- wontfix
firefox46 --- fixed
firefox-esr38 --- unaffected
firefox-esr45 46+ fixed

People

(Reporter: davidb, Assigned: surkov)

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [post-critsmash-triage][adv-main46+][adv-esr45.1+])

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-1cee5aa5-a701-47f9-b19f-b134e2151210.
=============================================================

More here: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Aa11y%3A%3ADocAccessible%3A%3AValidateARIAOwned
Attached patch: patch
Assignee: nobody → surkov.alexander
Attachment #8697691 - Flags: review?(dbolter)
Attachment #8697691 - Flags: review?(dbolter) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/a88ff27e1aa921e27b918acbc7b966cd1c4e0e65
Bug 1231919 - crash in mozilla::a11y::DocAccessible::ValidateARIAOwned, r=davidb
https://hg.mozilla.org/mozilla-central/rev/a88ff27e1aa9
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
The crash in 44.0.x (featuring a lot of fffffffe5e5e5e5 crash addresses) is clearly a use-after-free. The crashes in 45.0.x are in a different spot (new code added in 45 by bug 1219299). None of the 45.0.x crashes show the jemalloc-poisoned values, but the patch still looks like UAF-prevention. We should land this patch on the ESR-45 branch.
+NI Alex.
Flags: needinfo?(surkov.alexander)
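The triage heuristic used in the comment above (crash addresses made of 0xe5 bytes mean the dereferenced pointer was loaded from memory that jemalloc had already freed and poisoned) as an added worked example; this is not code from this bug, from the patch, or from Firefox. The `Owner`/`Child` layouts, the 4 KiB field-offset window and the simulated free are assumptions made for the example; the block never calls `free()`, it only reproduces the poisoning, so the stale read stays defined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mozilla's jemalloc fills a freed block with 0xe5 bytes. A pointer loaded
 * from such a block is 0xe5e5e5e5 (32-bit) or 0xe5e5e5e5e5e5e5e5 (64-bit),
 * so a later dereference faults at that value plus the offset of the field
 * being accessed. That is the pattern a triager reads as a use-after-free. */
#define POISON_BYTE 0xe5u
#define POISON32    0xe5e5e5e5ull
#define POISON64    0xe5e5e5e5e5e5e5e5ull

/* Assumption for this example: a field offset beyond 4 KiB is not treated as
 * "poison plus member access". Tune for the objects you are triaging. */
#define MAX_FIELD_OFFSET 0x1000ull

/* True if a crash address is consistent with dereferencing a pointer that was
 * read from jemalloc-poisoned memory, for 64-bit and 32-bit pointer widths
 * (the 32-bit form is also accepted when sign- or zero-extended to 64 bits). */
bool is_poison_address(uint64_t addr)
{
    if (addr >= POISON64 && addr - POISON64 < MAX_FIELD_OFFSET)
        return true;
    uint64_t high = addr >> 32;
    uint64_t low  = addr & 0xffffffffull;
    if ((high == 0 || high == 0xffffffffull) &&
        low >= POISON32 && low - POISON32 < MAX_FIELD_OFFSET)
        return true;
    return false;
}

/* Constructed stand-ins for the objects involved: an owner that keeps a raw
 * pointer to a child. The layouts are invented for this example. */
struct Child { uint32_t refcnt; uint32_t flags; uint64_t data; };
struct Owner { struct Child *child; };

/* Reproduces only jemalloc's poisoning of a released block; the block is not
 * passed to free(), so reading it afterwards remains defined behaviour. */
static void poison_like_jemalloc_free(void *block, size_t size)
{
    memset(block, POISON_BYTE, size);
}

/* Returns the address a crashing `stale->child->data` load would touch after
 * the owner block has been freed behind the holder's back. */
uint64_t stale_field_address(void)
{
    static struct Owner owner_block;    /* stands in for a heap allocation */
    static struct Child child_block;
    struct Owner *stale = &owner_block; /* a cached raw pointer, never cleared */
    stale->child = &child_block;

    poison_like_jemalloc_free(&owner_block, sizeof owner_block);

    /* The stale read: every byte of the pointer is now 0xe5. memcpy avoids
     * loading an invalid pointer value directly. */
    uintptr_t child_bits;
    memcpy(&child_bits, &stale->child, sizeof child_bits);
    return (uint64_t)child_bits + offsetof(struct Child, data);
}

int main(void)
{
    uint64_t crash = stale_field_address();
    printf("faulting address 0x%llx -> %s\n", (unsigned long long)crash,
           is_poison_address(crash) ? "jemalloc poison (use-after-free)"
                                    : "not a poison pattern");
    return 0;
}
```

The check is deliberately loose on the low bits: a crash at poison plus a small constant is the common case, because the faulting instruction is usually a member load through the stale pointer rather than a load of the pointer itself. Addresses that are poison plus a large offset, or poison in only some bytes, need a look at the disassembly before being called a UAF.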
It is indeed a low-risk patch; it can be safely backported, I think.
Flags: needinfo?(surkov.alexander)
Whiteboard: [post-critsmash-triage]
Comment on attachment 8697691 (patch)

We need this in esr45 too.
Attachment #8697691 - Flags: approval-mozilla-esr45+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main46+][adv-esr45.1+]
Group: core-security-release