Bug 1233259 (Closed): Heap-use-after-free [@ nsDocument::NotifyMediaFeatureValuesChanged] with srcset

Opened 9 years ago, closed 9 years ago
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED FIXED
Target milestone: mozilla46

Branch | Tracking | Status
---|---|---
firefox44 | --- | unaffected
firefox45 | + | fixed
firefox46 | + | fixed
firefox-esr38 | --- | unaffected

People: Reporter: jruderman, Assigned: smaug
Details: 4 keywords, Whiteboard: [post-critsmash-triage]don't unhide until bug 1240763 is fixed on ESR38

Attachments (3 files):
- 185 bytes, text/html
- 27.82 KB, text/plain
- 786 bytes, patch (nika: review+; abillings: approval-mozilla-aurora+; abillings: sec-approval+)

Description
1. Load the testcase
2. Trigger cycle collection (press "CC" button in about:memory)
3. Zoom in on the testcase (press ⌘+ back in its tab)

Heap-use-after-free [@ nsDocument::NotifyMediaFeatureValuesChanged]
Comment 1 (Reporter) • 9 years ago

Updated (Assignee) • 9 years ago
Component: Layout → DOM

Updated (Assignee) • 9 years ago
Assignee: nobody → bugs

Comment 2 • 9 years ago
We're missing mResponsiveContent from nsDocument's traverse etc. methods.

Comment 3 (Assignee) • 9 years ago
Attachment #8699287 - Flags: review?(michael)

Updated (Assignee) • 9 years ago
status-firefox45: --- → affected

Comment 4 (Assignee) • 9 years ago
(In reply to Josh Matthews [:jdm] from comment #2)
> We're missing mResponsiveContent from nsDocument's traverse etc. methods.

Nope. mResponsiveContent keeps raw pointers to nsIContent objects.
Comment 5 • 9 years ago
Comment on attachment 8699287 [details] [diff] [review]
patch

Review of attachment 8699287 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for figuring this out :)

Attachment #8699287 - Flags: review?(michael) → review+

Comment 6 (Assignee) • 9 years ago
Comment on attachment 8699287 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not sure about exploit, but the issue is pretty clear.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Commit message could be

Which older supported branches are affected by this flaw?
nightly, aurora

If not all supported branches, which bug introduced the flaw?
bug 1166138

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
The patch seems to apply to Aurora just fine

How likely is this patch to cause regressions; how much testing does it need?
Should be very safe.

Attachment #8699287 - Flags: sec-approval?
Attachment #8699287 - Flags: approval-mozilla-aurora?

Comment 7 (Assignee) • 9 years ago
(In reply to Olli Pettay [:smaug] from comment #6)
> Do comments in the patch, the check-in comment, or tests included in the
> patch paint a bulls-eye on the security problem?
> Commit message could be

"Bug 1233259, only in-document images should respond to viewport changes, r=mystor"
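The mechanism behind comment 4 (a document-level list of raw pointers to srcset images) and the fix named in comment 7 (register an image only while it is in the document), as an added C++ model. This is illustration written for this page, not Firefox's code: `Document`, `ResponsiveImage`, `BindToTree`/`UnbindFromTree` and `gLiveImages` are hypothetical names, and `gLiveImages` stands in for the sanitizer bookkeeping that reported the real crash. The pre-fix shape registers every image at creation, so a detached image freed by cycle collection leaves a dangling pointer that the next viewport change walks; the fixed shape registers on bind and unregisters on unbind, so nothing freed is ever in the list.

```cpp
#include <algorithm>
#include <set>
#include <vector>

// Addresses of ResponsiveImage objects that are currently alive. A stand-in
// for ASan's shadow memory: lets the model count a dangling dereference
// instead of performing it.
static std::set<const void*> gLiveImages;

struct Document;

struct ResponsiveImage {
  Document* mOwnerDoc;
  int mSelectionsRun = 0;  // how many times source selection re-ran

  explicit ResponsiveImage(Document* doc);
  ~ResponsiveImage();
  void BindToTree();
  void UnbindFromTree();
  void UpdateResponsiveSource() { ++mSelectionsRun; }
};

struct Document {
  // false: pre-fix shape, any image with srcset is registered at creation.
  // true: fixed shape, only in-document images are registered.
  bool mRegisterOnlyInTree;
  // Raw pointers, as comment 4 says: nothing here keeps the images alive.
  std::vector<ResponsiveImage*> mResponsiveContent;

  explicit Document(bool onlyInTree) : mRegisterOnlyInTree(onlyInTree) {}

  void AddResponsiveContent(ResponsiveImage* img) {
    if (std::find(mResponsiveContent.begin(), mResponsiveContent.end(), img) ==
        mResponsiveContent.end()) {
      mResponsiveContent.push_back(img);
    }
  }

  void RemoveResponsiveContent(ResponsiveImage* img) {
    mResponsiveContent.erase(
        std::remove(mResponsiveContent.begin(), mResponsiveContent.end(), img),
        mResponsiveContent.end());
  }

  // Viewport or zoom change. Real code dereferences every pointer; here an
  // entry whose object is no longer alive is counted rather than touched.
  // Returns the number of dangling entries met (0 means no use-after-free).
  int NotifyMediaFeatureValuesChanged() {
    int dangling = 0;
    for (ResponsiveImage* img : mResponsiveContent) {
      if (gLiveImages.count(img) == 0) {
        ++dangling;
        continue;
      }
      img->UpdateResponsiveSource();
    }
    return dangling;
  }
};

ResponsiveImage::ResponsiveImage(Document* doc) : mOwnerDoc(doc) {
  gLiveImages.insert(this);
  if (!mOwnerDoc->mRegisterOnlyInTree) {
    mOwnerDoc->AddResponsiveContent(this);  // pre-fix: registered even while detached
  }
}

// A freed node tells nobody; whatever still points at it now dangles.
ResponsiveImage::~ResponsiveImage() { gLiveImages.erase(this); }

void ResponsiveImage::BindToTree() {
  if (mOwnerDoc->mRegisterOnlyInTree) {
    mOwnerDoc->AddResponsiveContent(this);  // fixed: register on entering the document
  }
}

void ResponsiveImage::UnbindFromTree() {
  mOwnerDoc->RemoveResponsiveContent(this);  // leaving the document ends the registration
}

// The report's sequence: a srcset image that is not in the document is freed
// by cycle collection, then the viewport changes (zoom).
int DanglingAfterCollectingDetachedImage(bool registerOnlyInTree) {
  Document doc(registerOnlyInTree);
  ResponsiveImage* img = new ResponsiveImage(&doc);  // e.g. created by script, never inserted
  delete img;                                        // cycle collection frees it
  return doc.NotifyMediaFeatureValuesChanged();
}

// Ordinary lifecycle: an inserted image is updated; once removed and freed it
// is never touched again.
struct Outcome { int updates; int dangling; };

Outcome InTreeImageLifecycle(bool registerOnlyInTree) {
  Document doc(registerOnlyInTree);
  ResponsiveImage* img = new ResponsiveImage(&doc);
  img->BindToTree();
  int dangling = doc.NotifyMediaFeatureValuesChanged();
  int updates = img->mSelectionsRun;
  img->UnbindFromTree();
  delete img;
  dangling += doc.NotifyMediaFeatureValuesChanged();
  return {updates, dangling};
}
```

`DanglingAfterCollectingDetachedImage(false)` returns 1 (the pre-fix list still names the freed node) and `DanglingAfterCollectingDetachedImage(true)` returns 0; both shapes give `InTreeImageLifecycle` one update and no dangling entry, which is what makes "register only while in the document" a fix rather than a behaviour change for normal pages.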
Comment 8 (Assignee) • 9 years ago
Wait, am I reading the spec wrong?
Comment 9 (Assignee) • 9 years ago
Comment on attachment 8699287 [details] [diff] [review]
patch

(I need to figure out what the spec tries to say here)

Attachment #8699287 - Flags: sec-approval?
Attachment #8699287 - Flags: approval-mozilla-aurora?

Comment 10 (Assignee) • 9 years ago
Comment on attachment 8699287 [details] [diff] [review]
patch

Ok, the spec is about to be clarified and the patch gives that behavior
https://github.com/whatwg/html/issues/414

Attachment #8699287 - Flags: sec-approval?
Attachment #8699287 - Flags: approval-mozilla-aurora?

Comment 11 • 9 years ago
(I marked this sec-high rather than critical because it seems like it may require user interaction. That said, resizing the window or whatever isn't too much of a burden so it could also be critical I guess.)

Comment 12 • 9 years ago
Comment on attachment 8699287 [details] [diff] [review]
patch

Approvals given.

Attachment #8699287 - Flags: sec-approval?
Attachment #8699287 - Flags: sec-approval+
Attachment #8699287 - Flags: approval-mozilla-aurora?
Attachment #8699287 - Flags: approval-mozilla-aurora+

Updated • 9 years ago
status-firefox44: --- → unaffected
status-firefox-esr38: --- → unaffected
tracking-firefox45: --- → +
tracking-firefox46: --- → +

Comment 13 (Assignee) • 9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/f1d406297b87

Comment 14 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/f1d406297b87

Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Updated • 8 years ago
Group: layout-core-security → core-security-release

Comment 17 • 8 years ago
This says FF 44 is unaffected but I believe bug 1240763 is the same symptom of a crash caused by responsive content in an FF 43 build.

Comment 18 (Assignee) • 8 years ago
Don't have access to bug 1240763

Updated • 8 years ago
Group: core-security-release

Updated • 8 years ago
Group: dom-core-security

Updated • 8 years ago
Whiteboard: don't unhide until bug 1240763 is fixed on ESR38

Updated • 8 years ago
Group: dom-core-security → core-security-release

Updated • 8 years ago
Whiteboard: don't unhide until bug 1240763 is fixed on ESR38 → [post-critsmash-triage]don't unhide until bug 1240763 is fixed on ESR38

Updated • 8 years ago
Group: core-security-release

Updated • 5 years ago
Component: DOM → DOM: Core & HTML