Closed Bug 1247914 Opened 7 years ago Closed 7 years ago

global-buffer-overflow in mozilla::dom::KeyframeEffectReadOnly::ComposeStyle

Categories

(Core :: DOM: Animation, defect)

47 Branch
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1242872
Tracking Status
firefox46 --- unaffected
firefox47 --- fixed
firefox48 --- fixed
firefox-esr38 --- unaffected
firefox-esr45 --- unaffected

People

(Reporter: nils, Assigned: birtles)

References

Details

(Keywords: csectype-bounds, regression, sec-high)

Attachments

(2 files, 1 obsolete file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160127070712

Steps to reproduce:

The following testcase crashes the latest ASAN build of Firefox:

<script>
// Fuzzer-generated testcase, reindented and commented; behaviour unchanged.
function start() {
  document.documentElement.hidden = true;
  window.setTimeout(t, 10);
}
function t() {
  // A detached <table> whose <td> carries a <style> that restyles every element.
  var o2284 = document.createElementNS('http://www.w3.org/1999/xhtml', 'table');
  var o3929 = document.createElementNS('http://www.w3.org/1999/xhtml', 'tr');
  var o3930 = document.createElementNS('http://www.w3.org/1999/xhtml', 'td');
  o3929.appendChild(o3930);
  o2284.appendChild(o3929);
  var o3997 = document.createElement('style');
  var o3998 = document.createTextNode('* { } * { display: list-item }');
  o3997.appendChild(o3998);
  o3930.appendChild(o3997);
  // Replace the whole document with two sheets: the first animates every
  // element with a 0.01s animation named key11, the second defines key11 with
  // a rem-unit transform-origin. Resolving that font-relative length forces a
  // style resolution while the animations are still being built (frames #10
  // to #21 of the stack below).
  document.documentElement.innerHTML = '<style> @keyframes{{}} @font-face{ font-family: font3; src: url(x)} * { animation-name: key11; animation-duration: 0.01s } </style><style> @keyframes key11 { from { transform-origin: 0rem }}</style>';
  // Attach the table; the next refresh-driver tick processes the pending
  // restyles and hits the overflow reported below.
  document.documentElement.appendChild(o2284);
}
start();
</script>


Actual results:

ASAN stack trace:


(firefox:3021): Gtk-WARNING **: Locale not supported by C library.
	Using the fallback 'C' locale.
JavaScript warning: chrome://domfuzzhelper/content/fuzzPriv.js, line 335: unreachable code after return statement
=================================================================
==3021==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f553dcd138c at pc 0x7f553233b08a bp 0x7ffd3a2cac30 sp 0x7ffd3a2cac28
READ of size 4 at 0x7f553dcd138c thread T0
    #0 0x7f553233b089 in mozilla::dom::KeyframeEffectReadOnly::ComposeStyle(RefPtr<mozilla::AnimValuesStyleRule>&, nsCSSPropertySet&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:520:0
    #1 0x7f553233a13e in mozilla::dom::Animation::ComposeStyle(RefPtr<mozilla::AnimValuesStyleRule>&, nsCSSPropertySet&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/Animation.cpp:818:0
    #2 0x7f5532349df3 in mozilla::EffectCompositor::ComposeAnimationRule(mozilla::dom::Element*, nsCSSPseudoElements::Type, mozilla::EffectCompositor::CascadeLevel, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/EffectCompositor.cpp:571:0
    #3 0x7f55323491da in mozilla::EffectCompositor::MaybeUpdateAnimationRule(mozilla::dom::Element*, nsCSSPseudoElements::Type, mozilla::EffectCompositor::CascadeLevel) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/EffectCompositor.cpp:230:0
    #4 0x7f553234dca5 in GetAnimationRule /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/EffectCompositor.cpp:262:0
    #5 0x7f553234dca5 in mozilla::EffectCompositor::AnimationStyleRuleProcessor::RulesMatching(ElementRuleProcessorData*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/EffectCompositor.cpp:765:0
    #6 0x7f5536410eac in bool EnumRulesMatching<ElementRuleProcessorData>(nsIStyleRuleProcessor*, void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:807:0
    #7 0x7f553640ebdd in nsStyleSet::FileRules(bool (*)(nsIStyleRuleProcessor*, void*), RuleProcessorData*, mozilla::dom::Element*, nsRuleWalker*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:1190:0
    #8 0x7f5536410b52 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:1360:0
    #9 0x7f55363e8c4c in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:1344:0
    #10 0x7f553635bea1 in CalcLengthWith(nsCSSValue const&, int, nsStyleFont const*, nsStyleContext*, nsPresContext*, bool, bool, mozilla::RuleNodeCacheConditions&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:512:0
    #11 0x7f55363c77cb in CalcLength /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:584:0
    #12 0x7f55363c77cb in CalcLength /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:595:0
    #13 0x7f55363c77cb in SetCoord(nsCSSValue const&, nsStyleCoord&, nsStyleCoord const&, int, nsStyleContext*, nsPresContext*, mozilla::RuleNodeCacheConditions&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:818:0
    #14 0x7f5536397d49 in nsRuleNode::ComputeDisplayData(void*, nsRuleData const*, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:6174:0
    #15 0x7f55363606cc in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:2443:0
    #16 0x7f55363e2cae in nsStyleContext::ApplyStyleFixups(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleContext.cpp:615:0
    #17 0x7f553640bd5a in NS_NewStyleContext /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleContext.cpp:1223:0
    #18 0x7f553640bd5a in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, nsCSSPseudoElements::Type, mozilla::dom::Element*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:945:0
    #19 0x7f5536411386 in nsStyleSet::ResolveStyleByAddingRules(nsStyleContext*, nsCOMArray<nsIStyleRule> const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:1451:0
    #20 0x7f553621a73a in ResolvedStyleCache::Get(nsPresContext*, nsStyleContext*, mozilla::css::Declaration*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsAnimationManager.cpp:559:0
    #21 0x7f5536218f2e in nsAnimationManager::BuildAnimations(nsStyleContext*, mozilla::dom::Element*, mozilla::dom::AnimationTimeline*, nsTArray<RefPtr<mozilla::dom::Animation> >&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsAnimationManager.cpp:722:0
    #22 0x7f553621581c in nsAnimationManager::CheckAnimationRule(nsStyleContext*, mozilla::dom::Element*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsAnimationManager.cpp:336:0
    #23 0x7f553640c455 in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, nsCSSPseudoElements::Type, mozilla::dom::Element*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:978:0
    #24 0x7f5536410cdb in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:1386:0
    #25 0x7f553650e28c in mozilla::ElementRestyler::RestyleUndisplayedNodes(nsRestyleHint, mozilla::UndisplayedNode*, nsIContent*, nsStyleContext*, unsigned char) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:4608:0
    #26 0x7f5536508aa0 in DoRestyleUndisplayedDescendants /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:4553:0
    #27 0x7f5536508aa0 in mozilla::ElementRestyler::RestyleUndisplayedDescendants(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:4539:0
    #28 0x7f5536507bfb in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:4346:0
    #29 0x7f5536501f26 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3431:0
    #30 0x7f553650a6ad in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:4854:0
    #31 0x7f5536507ce0 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:4376:0
    #32 0x7f5536501f26 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3431:0
    #33 0x7f553650a6ad in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:4854:0
    #34 0x7f5536507ce0 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:4376:0
    #35 0x7f5536501f26 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3431:0
    #36 0x7f553650d1f5 in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:4518:0
    #37 0x7f55364f4dc2 in mozilla::RestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:4928:0
    #38 0x7f55364f4a92 in mozilla::RestyleManager::StartRebuildAllStyleData(mozilla::RestyleTracker&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:1699:0
    #39 0x7f553651fb62 in mozilla::RestyleTracker::DoProcessRestyles() /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleTracker.cpp:153:0
    #40 0x7f55364fa5d9 in ProcessRestyles /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.h:526:0
    #41 0x7f55364fa5d9 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:1771:0
    #42 0x7f55367242aa in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:3982:0
    #43 0x7f5536462190 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:1725:0
    #44 0x7f553646efcb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:244:0
    #45 0x7f553646eafe in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:262:0
    #46 0x7f553646f5f7 in apply<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp)> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:676:0
    #47 0x7f553646f5f7 in nsRunnableMethodImpl<void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, mozilla::TimeStamp>::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:870:0
    #48 0x7f552ff9d07f in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:1018:0
    #49 0x7f5530017cfa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297:0
    #50 0x7f55309ce049 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95:0
    #51 0x7f5530934d8c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234:0
    #52 0x7f5530934d8c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227:0
    #53 0x7f5530934d8c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201:0
    #54 0x7f5535e0a467 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156:0
    #55 0x7f5537c519a8 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281:0
    #56 0x7f5537d53eaa in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4277:0
    #57 0x7f5537d55116 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4374:0
    #58 0x7f5537d55f5e in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4476:0
    #59 0x48a803 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:220:0
    #60 0x48a803 in main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:360:0
    #61 0x7f55494cdb44 in __libc_start_main /build/glibc-I9DIZl/glibc-2.19/csu/libc-start.c:287:0
    #62 0x489c3c in _start ??:0:0

0x7f553dcd138c is located 4 bytes to the right of global variable 'nsTArrayHeader::sEmptyHdr' from '/builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/build/Unified_cpp_xpcom_build1.cpp' (0x7f553dcd1380) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0feb27b92220: 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0feb27b92230: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0feb27b92240: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0feb27b92250: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0feb27b92260: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x0feb27b92270: 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0feb27b92280: 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0feb27b92290: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0feb27b922a0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0feb27b922b0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0feb27b922c0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==3021==ABORTING



Expected results:

no crash
Cameron, looks like this is in DOM::Animation somewhere?
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Animation
Flags: needinfo?(cam)
Product: Firefox → Core
Happy to look into this but it being Saturday I won't get a chance before Monday.
In a debug build, but without ASAN, we fail an assert in EffectCompositeOrderComparator::LessThan, called from sorting the array in EffectCompositor::UpdateCascadeResults.  The assert fails because:

(gdb) p a->GetAnimation()->HasLowerCompositeOrderThan(*b->GetAnimation())
$5 = false
(gdb) p b->GetAnimation()->HasLowerCompositeOrderThan(*a->GetAnimation())
$6 = false

but a != b, so Equals() tests false too.

Looks to me like both GetAnimation() return values are mozilla::dom::CSSAnimation instances.  Both are IsTiedToMarkup().  Both have the same mOwningElement (<html>).  Both have mAnimationIndex set to 0.

I guess the real question is why there are two of them at all.
Flags: needinfo?(bbirtles)
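The comparator contract that the gdb session above shows being violated (neither object orders before the other, yet they are not the same object), as an added C illustration written for this page. It is not Gecko code: the struct, its field names and the ordering rule (owning element first, then animation index) are assumptions modelled on that comment, and the two input arrays are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a CSSAnimation as the comparator sees it: the two fields the
 * gdb session above reports as equal on both objects, plus an id so that two
 * distinct objects can be told apart.  Names are invented for this page. */
typedef struct { int id; int owningElement; int animationIndex; } Anim;

/* Assumed ordering rule: by owning element, then by animation index. */
static bool has_lower_composite_order(const Anim *a, const Anim *b) {
    if (a->owningElement != b->owningElement)
        return a->owningElement < b->owningElement;
    return a->animationIndex < b->animationIndex;
}

/* The contract a LessThan/Equals sort comparator relies on, checked over
 * every pair: the order must not be contradictory, and when neither element
 * orders before the other they must be the same object.  Two distinct
 * objects with identical keys fail the second clause, which is the state
 * shown in the gdb output above.  Returns true if all pairs pass; otherwise
 * stores the first offending pair (when the out-params are non-NULL). */
bool composite_order_is_consistent(const Anim *v, size_t n,
                                   size_t *bad_i, size_t *bad_j) {
    for (size_t i = 0; i < n; i++) {
        for (size_t j = i + 1; j < n; j++) {
            const Anim *a = &v[i], *b = &v[j];
            bool a_lt_b = has_lower_composite_order(a, b);
            bool b_lt_a = has_lower_composite_order(b, a);
            bool contradictory = a_lt_b && b_lt_a;
            /* a != b mirrors the sort's Equals() identity test; for i < j it
             * is always true, so equal keys alone are enough to fail. */
            bool unordered_distinct = !a_lt_b && !b_lt_a && a != b;
            if (contradictory || unordered_distinct) {
                if (bad_i) *bad_i = i;
                if (bad_j) *bad_j = j;
                return false;
            }
        }
    }
    return true;
}

/* Constructed input modelled on the comment above: two animation objects,
 * both owned by the same element, both with animation index 0. */
static const Anim sDuplicates[] = { { 1, 1, 0 }, { 2, 1, 0 } };

/* Constructed input whose (owner, index) keys are unique. */
static const Anim sDistinct[] = { { 1, 1, 0 }, { 2, 1, 1 }, { 3, 2, 0 } };

/* i*100 + j of the first bad pair in sDuplicates, or -1 if there is none. */
long demo_duplicate_bad_pair(void) {
    size_t i = 0, j = 0;
    if (composite_order_is_consistent(sDuplicates, 2, &i, &j)) return -1;
    return (long)i * 100 + (long)j;
}

bool demo_distinct_ok(void) {
    return composite_order_is_consistent(sDistinct, 3, NULL, NULL);
}

int main(void) {
    printf("duplicates: first bad pair code %ld\n", demo_duplicate_bad_pair());
    printf("distinct keys consistent: %s\n", demo_distinct_ok() ? "yes" : "no");
    return 0;
}
```

A check like this over the array just before it is sorted turns the assertion inside the comparator into a diagnostic that names the offending pair, which is what distinguished "two animations with the same index" from a sort bug here.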
Probably introduced by bug 1234095 although there have been some other changes in this area recently that might have triggered this. This should hopefully be fixed by bug 1242872 since that bug will cause us to stop creating these duplicate animations. I still want to look into this on Monday, however, since I'm surprised we're composing animation style in the middle of building animations.
Just a quick note about the result with patches for bug 1242872.  The assertion in EffectCompositeOrderComparator::LessThan is not hit anymore but I am not sure whether the buffer overflow is also fixed or not because I don't quite understand which buffer is actually overflowed in ComposeStyle.
Leaving this to Brian/Hiro.
Flags: needinfo?(cam)
(In reply to Hiroyuki Ikezoe (:hiro) from comment #5)
> Just a quick note about the result with patches for bug 1242872.  The
> assertion in EffectCompositeOrderComparator::LessThan is not hit anymore but
> I am not sure whether the buffer overflow is also fixed or not because I
> don't quite understand which buffer is actually overflowed in ComposeStyle.

The overflowed buffer is mSegments.  The overflow occurs at https://dxr.mozilla.org/mozilla-central/rev/ea39d4a6232c278dd8d805608a07cf9f4cc4c76b/dom/animation/KeyframeEffect.cpp#530.
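How to read the ASAN location line in comment 0 ("4 bytes to the right of global variable 'nsTArrayHeader::sEmptyHdr' ... of size 8") together with the comment above naming mSegments: an added toy model in C, written for this page and not Gecko's code. The layout (an 8-byte {mLength, mCapacity} header followed inline by the elements, with every empty array pointing at one shared static header that has no storage behind it), the segment fields and all names are assumptions made for the illustration; only the arithmetic of the report is taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: a header directly in front of the element storage, and a
 * single shared static header (sEmptyHdr) for every empty array.  Elements()
 * is "header + 1" even for an empty array, so its element 0 is whatever the
 * linker placed after sEmptyHdr: under ASAN, the global redzone. */
typedef struct { uint32_t mLength; uint32_t mCapacity; } Header;

/* Stand-in for a keyframe segment; the real field layout is not assumed. */
typedef struct { double mFromKey; double mToKey; int mValue; } Segment;

typedef struct { Header *mHdr; } SegmentArray;

static Header sEmptyHdr = { 0, 0 };

static void array_init_empty(SegmentArray *a) { a->mHdr = &sEmptyHdr; }
static uint32_t array_length(const SegmentArray *a) { return a->mHdr->mLength; }
static Segment *array_elements(const SegmentArray *a) {
    return (Segment *)(a->mHdr + 1);      /* storage follows the header */
}

/* Byte offset, from the start of the header, of a read `field_off` bytes
 * into element `i`.  Integer arithmetic only, so it is safe on the empty
 * array: nothing is dereferenced. */
static ptrdiff_t read_offset_from_header(const SegmentArray *a, size_t i,
                                         size_t field_off) {
    uintptr_t elem = (uintptr_t)array_elements(a) + i * sizeof(Segment);
    return (ptrdiff_t)(elem + field_off - (uintptr_t)a->mHdr);
}

/* The defect's shape: walk to the segment containing `progress`, trusting
 * that at least one segment exists.  On an empty array the very first
 * `->mToKey` read is out of bounds.  Never call this on an empty array. */
static const Segment *find_segment_unchecked(const SegmentArray *a,
                                             double progress) {
    const Segment *seg = array_elements(a);
    while (seg->mToKey < progress) ++seg;
    return seg;
}

/* Hardened form: reject an empty array and bound the walk by mLength. */
static bool find_segment_checked(const SegmentArray *a, double progress,
                                 const Segment **out) {
    uint32_t n = array_length(a);
    if (n == 0) return false;
    const Segment *seg = array_elements(a), *end = seg + n;
    while (seg->mToKey < progress)
        if (++seg == end) return false;   /* progress past the last key */
    *out = seg;
    return true;
}

/* Constructed non-empty array: header immediately followed by two segments. */
static struct { Header hdr; Segment elems[2]; } sDemo = {
    { 2, 2 }, { { 0.0, 0.5, 1 }, { 0.5, 1.0, 2 } }
};

/* The number ASAN printed: element 0, byte `field_off`, of an empty array,
 * measured from sEmptyHdr.  An 8-byte header plus 4 gives 12, i.e. the read
 * lands "4 bytes to the right" of the 8-byte global. */
ptrdiff_t empty_array_read_offset(size_t field_off) {
    SegmentArray a; array_init_empty(&a);
    return read_offset_from_header(&a, 0, field_off);
}

/* Checked lookup on the demo array: mValue of the segment hit, or -1. */
int demo_lookup(double progress) {
    SegmentArray a = { &sDemo.hdr };
    const Segment *s;
    return find_segment_checked(&a, progress, &s) ? s->mValue : -1;
}

/* The unchecked walk agrees with the checked one whenever the array is
 * non-empty and `progress` is within range; only the empty case differs. */
int demo_lookup_unchecked(double progress) {
    SegmentArray a = { &sDemo.hdr };
    return find_segment_unchecked(&a, progress)->mValue;
}

bool demo_empty_rejected(void) {
    SegmentArray a; array_init_empty(&a);
    const Segment *s;
    return !find_segment_checked(&a, 0.5, &s);
}

int main(void) {
    printf("empty array, element 0 + 4 bytes: %td bytes from sEmptyHdr\n",
           empty_array_read_offset(4));
    printf("progress 0.75 -> segment value %d\n", demo_lookup(0.75));
    printf("empty array rejected: %s\n", demo_empty_rejected() ? "yes" : "no");
    return 0;
}
```

The practical caveat: because the shared empty header is a global, the same out-of-bounds read in a non-ASAN build quietly returns whatever the linker placed after sEmptyHdr instead of faulting, so "no crash" in a release or plain debug build is not evidence that the read is gone; the ASAN report, or an explicit length check before the walk, is.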
It's going to take me a while to get an ASAN build running locally to debug so I might just try and fix bug 1245748 instead. It's a lot of work but needs to be done in order to ship Element.animate and should hopefully fix this at the same time.
Flags: needinfo?(bbirtles)
(And fixing bug 1245748 should also mean we can fix bug 1217252 too.)
Group: core-security → dom-core-security
(Assigning to Brian since he's working on bug 1245748 which will hopefully fix this)
Assignee: nobody → bbirtles
FYI: The patches for bug 1242872 have now landed.  The buffer overflow caused by this particular HTML in comment #0 has been fixed.
Does this occur on Firefox 46, however? If so, perhaps bug 1245601 will provide a Firefox 46-specific fix.
(In reply to Brian Birtles (:birtles) from comment #12)
> Does this occur on Firefox 46, however? 

Fortunately, no.
(In reply to Hiroyuki Ikezoe (:hiro) from comment #11)
> FYI: Now the patched for bug 1242872 has been landed.  The buffer overflow
> caused by this particular html in comment#0  has been fixed.

Can we call this bug fixed, then?
Depends on: 1242872
Flags: needinfo?(nils)
Flags: needinfo?(hiikezoe)
Keywords: regression
Yes, I am going to attach an automation test for this crash here.
Flags: needinfo?(hiikezoe)
Attached patch: The test
I did not know that ReviewBoard does not accept patches associated with security bugs.
Attachment #8733095 - Flags: review?(bbirtles)
Attached file: stack (obsolete)
The test causes another assertion.  Last time I checked the HTML file in comment #11, there was no assertion.  Something has changed since then.
Attached file: Correct stack
The previous stack is not correct.  It's just NS_ASSERTION.  Here is the correct one.
Attachment #8733104 - Attachment is obsolete: true
Comment on attachment 8733095 (The test)

Clearing review request.

My memory was wrong.
The assertion started appearing with the patch for bug 1242872:
https://hg.mozilla.org/mozilla-central/rev/761e73e8ca9a
Attachment #8733095 - Flags: review?(bbirtles)
I am not able to repro this anymore with the latest ASAN build (non-debug).
Flags: needinfo?(nils)
Resolving as a duplicate of bug 1242872 based on comment 14 and comment 15.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Updating tracking flags since bug 1242872 (which this bug dupes) is fixed in Firefox 47 (and so I can stop getting release tracking alerts).
Group: dom-core-security