Crash with possible use-after-free [@ nsPresContext::MediaFeatureValuesChanged ]

RESOLVED WORKSFORME

Status

()

Core
CSS Parsing and Computation
--
critical
RESOLVED WORKSFORME
2 years ago
2 years ago

People

(Reporter: mats, Unassigned)

Tracking

45 Branch
x86
Windows
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

2 years ago
+++ This bug was initially created as a clone of Bug #1240763 +++

bp-76eef7c5-65f1-4477-8720-1f6282160218 is on 45.0b6 so it has the fix from bug 1233259.  It appears there is another bug causing crashes with this signature.
I'm not really seeing this anymore. 4 crashes in the last 4 weeks with this signature, but not showing a UAF address (near nulls). 

https://crash-stats.mozilla.com/report/list?product=Firefox&range_unit=days&range_value=28&signature=nsPresContext%3A%3AMediaFeatureValuesChanged#tab-reports

If there's a remaining bug here I can't justify a sec-high rating for it based on that.
Keywords: csectype-uaf, sec-high
I'm not seeing this crash on any newer version, I think it's been stomped.
Group: layout-core-security
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.