Use-after-free in mozilla::DataChannelConnection::SctpDtlsOutput

RESOLVED DUPLICATE of bug 1294095

Status

()

Product:
Core
Component:
WebRTC: Networking
P1
critical
Rank:
10
RESOLVED DUPLICATE of bug 1294095
Reported:
2 years ago
Modified:
9 months ago

People

(Reporter: mccr8, Assigned: jesup)

Tracking

({crash, csectype-uaf, sec-high})

Version:
Trunk
x86
Windows 7
Keywords:
crash, csectype-uaf, sec-high
Points:
---

Firefox Tracking Flags

(firefox48 unaffected, firefox49 affected, firefox50 affected)

Details

(crash signature)

(Reporter)

Description

2 years ago 
This bug was filed from the Socorro interface and is 
report bp-5fa0f5b1-4aef-4249-8492-c53052160725.
=============================================================

This is not a super common crash, but it looks like it is mostly happening on the jemalloc poison value, indicating a use-after-free.
(Reporter)

Comment 1

2 years ago 
I only see this on 49 and 50, so perhaps it is a regression.
status-firefox48: --- → unaffected
status-firefox49: --- → affected

Comment 2

2 years ago 
This smells to like a regression caused by landing bug 1240209 in 49.
 (Assignee)

Updated

2 years ago
Assignee: nobody → rjesup
Rank: 10
Keywords: sec-high
Priority: -- → P1
 (Reporter)

Updated

2 years ago
Keywords: csectype-uaf
Group: core-security → media-core-security
 (Assignee)

Comment 3

2 years ago 
No reports for any build after this landed (8/26 or so Trunk; 8/25ish Aurora 50, 49b7 or b8).  Appears to be a dup of bug 1294095 (and makes sense)
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1294095
Group: media-core-security
You need to log in before you can comment on or make changes to this bug.