Closed
Bug 1236607
Opened 8 years ago
Closed 8 years ago
crash in mozilla::dom::nsContentPermissionRequester::nsContentPermissionRequester
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla46
Tracking | Status | |
---|---|---|
firefox46 | --- | fixed |
People
(Reporter: martijn.martijn, Assigned: smaug)
References
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
763 bytes,
patch
|
xidorn
:
review+
|
Details | Diff | Splinter Review |
I got this crash, while doing some fuzzing. I can't really reproduce very well, but it crashes quite often in this code when I repeat it. This bug was filed from the Socorro interface and is report bp-99bd37fb-8436-436a-b2a0-ae0e22151231. ============================================================= 0 XUL mozilla::dom::nsContentPermissionRequester::nsContentPermissionRequester(nsPIDOMWindow*) xpcom/glue/nsCOMPtr.h 1 XUL nsPointerLockPermissionRequest::nsPointerLockPermissionRequest(mozilla::dom::Element*, bool) dom/base/nsDocument.cpp 2 XUL mozilla::dom::FullscreenRequest::~FullscreenRequest() dom/base/nsDocument.cpp 3 XUL nsCallRequestFullScreen::~nsCallRequestFullScreen() dom/base/nsDocument.cpp 4 XUL nsRunnable::Release() xpcom/glue/nsThreadUtils.cpp 5 XUL nsThread::ProcessNextEvent(bool, bool*) xpcom/glue/nsCOMPtr.h 6 XUL NS_ProcessPendingEvents(nsIThread*, unsigned int) xpcom/glue/nsThreadUtils.cpp 7 XUL nsBaseAppShell::NativeEventCallback() widget/nsBaseAppShell.cpp 8 XUL nsAppShell::ProcessGeckoEvents(void*) widget/cocoa/nsAppShell.mm
Assignee | ||
Comment 1•8 years ago
|
||
Looks like null + offset crash, and the relevant code indeed isn't null safe. We may crash for example in VisibilityChangeListener::VisibilityChangeListener when executing nsCOMPtr<nsIDocument> doc = aWindow->GetExtantDoc();
Assignee: nobody → bugs
Assignee | ||
Comment 2•8 years ago
|
||
Attachment #8703732 -
Flags: review?(quanxunzhen)
Comment 3•8 years ago
|
||
Comment on attachment 8703732 [details] [diff] [review] guess fix (null check) Review of attachment 8703732 [details] [diff] [review]: ----------------------------------------------------------------- Should work. Not sure how to reproduce this crash so not tested.
Attachment #8703732 -
Flags: review?(quanxunzhen) → review+
Comment 5•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/96f1081a231c
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Reporter | ||
Comment 6•8 years ago
|
||
I couldn't reproduce it anymore in 46.0a1 (2016-01-05), so I'm reasonably sure this fixed the crashes I was seeing (I was also seeing crashes with other stacktraces, which I now also don't get with this build anymore).
Updated•8 years ago
|
Blocks: CVE-2016-2831
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•