Closed Bug 1231919 Opened 4 years ago Closed 4 years ago
crash in mozilla::a11y::Doc
This bug was filed from the Socorro interface and is report bp-1cee5aa5-a701-47f9-b19f-b134e2151210.
=============================================================
More here: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Aa11y%3A%3ADocAccessible%3A%3AValidateARIAOwned
Assignee: nobody → surkov.alexander
Attachment #8697691 - Flags: review?(dbolter)
Attachment #8697691 - Flags: review?(dbolter) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/a88ff27e1aa921e27b918acbc7b966cd1c4e0e65
Bug 1231919 - crash in mozilla::a11y::DocAccessible::ValidateARIAOwned, r=davidb
The crash in 44.0.x (featuring a lot of fffffffe5e5e5e5 crash addresses) is clearly a use-after-free. The crashes in 45.0.x are in a different spot (new code added in 45 by bug 1219299). None of the 45.0.x crashes show the jemalloc-poisoned values, but the patch still looks like UAF-prevention. We should land this patch on the ESR-45 branch.
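An added triage example (not part of the bug, its patch, or the comment above) for the reasoning in that comment: it flags crash addresses built from the 0xe5 byte that Firefox's jemalloc writes over freed memory, the pattern read there as a use-after-free. The offset limit, the sign-extension handling, the version strings and all sample reports are assumptions constructed for illustration.

```python
from collections import Counter

POISON_BYTE = 0xE5         # byte Firefox's jemalloc writes over freed memory
MAX_FIELD_OFFSET = 0x1000  # assumption: member offsets off a stale pointer stay below one page

def poison_word(width):
    """Pointer-sized value (width bytes) made only of poison bytes."""
    return int.from_bytes(bytes([POISON_BYTE]) * width, "big")

def classify(addr_text):
    """Classify one hex crash address as 'poison', 'near-poison' or 'other'."""
    addr = int(addr_text, 16)
    candidates = [addr]
    if addr >> 32 == 0xFFFFFFFF:  # assumption: 32-bit value sign-extended to 64 bits
        candidates.append(addr & 0xFFFFFFFF)
    for value in candidates:
        for width in (4, 8):
            delta = value - poison_word(width)
            if delta == 0:
                return "poison"
            if 0 < delta <= MAX_FIELD_OFFSET:
                return "near-poison"  # poisoned pointer plus a field offset
    return "other"

def summarize(reports):
    """Count classifications per version from (version, crash_address) pairs."""
    summary = {}
    for version, addr_text in reports:
        summary.setdefault(version, Counter())[classify(addr_text)] += 1
    return summary

# Constructed sample reports (not taken from crash-stats).
SAMPLE_REPORTS = [
    ("44.0.2", "0xe5e5e5e5"),
    ("44.0.2", "0xe5e5e5fd"),          # poison + 0x18, a member read
    ("44.0.2", "0xffffffffe5e5e5e5"),
    ("44.0.2", "0xe5e5e5e5e5e5e5e5"),
    ("45.0.1", "0x0"),
    ("45.0.1", "0x18"),
]

if __name__ == "__main__":
    for version, counts in sorted(summarize(SAMPLE_REPORTS).items()):
        print(version, dict(counts))
```

A version whose reports are all "other" is not thereby cleared: a stale pointer to memory that has already been reused carries no poison, which matches the caution in the comment about the 45.0.x crashes.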
It is indeed a low risk patch, it can be safely backported I think.
Comment on attachment 8697691 patch
We need this in esr45 too.
Attachment #8697691 - Flags: approval-mozilla-esr45+