Closed Bug 1295097 Opened 8 years ago Closed 8 years ago

heap-use-after-free in HTMLTrackElement::NotifyShutdown

Categories

(Core :: Audio/Video: Playback, defect, P1)

Product:
Core
Component:
Audio/Video: Playback
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla51
Tracking Flags:
Tracking Status
firefox-esr45 --- unaffected
firefox50 --- unaffected
firefox51 --- fixed

People

(Reporter: nils, Assigned: bechen)

References

Details

(Keywords: csectype-uaf, regression, sec-high, Whiteboard: [rr])

Attachments

(2 files)

crash.html minimized testcase: requires Jesse's dom fuzzing addon
422 bytes, text/html
Details
bug1295097.patch
2.01 KB, patch
rillian
: review+
Details | Diff | Splinter Review 
The testcase crashes the latest ASAN build of Firefox

crash.html:

<script>
function start() {
        o9=document.createElement('audio');
        o1153=document.createElement('track');
        o1153.setAttribute('src','x');
        o9.appendChild(o1153);
        setTimeout(f1, 4);
}
function f1() {
        o1153.src='javascript:1';
        o9=null;o1153=null;
        fuzzPriv.forceGC();fuzzPriv.CC();fuzzPriv.forceGC();fuzzPriv.CC();
        setTimeout("location.href='crash.html'",400 * Math.random());;
}
</script>
<body onload="start()"></body>

Looks like the vulnerability has been  introduced by https://bugzilla.mozilla.org/show_bug.cgi?id=1286751

ASAN output:

=================================================================
==27836==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100000d94d0 at pc 0x7f68d41941c2 bp 0x7fffa8de4210 sp 0x7fffa8de4208
READ of size 8 at 0x6100000d94d0 thread T0 (Web Content)
    #0 0x7f68d41941c1 in operator bool /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsCOMPtr.h:741:45
    #1 0x7f68d41941c1 in NotifyShutdown /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/html/HTMLTrackElement.cpp:439
    #2 0x7f68d41941c1 in mozilla::dom::WindowDestroyObserver::Observe(nsISupports*, char const*, char16_t const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/html/HTMLTrackElement.cpp:114
    #3 0x7f68ced8c3aa in NotifyObservers /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/ds/nsObserverList.cpp:112:5
    #4 0x7f68ced8c3aa in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/ds/nsObserverService.cpp:305
    #5 0x7f68d189b4fd in WindowDestroyedEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsGlobalWindow.cpp:8964:9
    #6 0x7f68cee4c426 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:1058:7
    #7 0x7f68ceeca3bc in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #8 0x7f68cfbe8bff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:96:21
    #9 0x7f68cfb5db08 in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #10 0x7f68cfb5db08 in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:225
    #11 0x7f68cfb5db08 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:205
    #12 0x7f68d56ab5af in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156:3
    #13 0x7f68d7762677 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:846:12
    #14 0x7f68cfb5db08 in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #15 0x7f68cfb5db08 in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:225
    #16 0x7f68cfb5db08 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:205
    #17 0x7f68d7761d13 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:676:7
    #18 0x4dfb2b in content_process_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
    #19 0x4dfb2b in main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:357
    #20 0x7f68ea30282f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #21 0x41ba08 in _start (/home/nils/fuzzer3/firefox/firefox+0x41ba08)

0x6100000d94d0 is located 144 bytes inside of 184-byte region [0x6100000d9440,0x6100000d94f8)
freed by thread T0 (Web Content) here:
    #0 0x4b215b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7f68ced29dd4 in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2681:9
    #2 0x7f68ced299c6 in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2855:3
    #3 0x7f68ced30085 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3837:3
    #4 0x7f68ced2f83c in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3662:9
    #5 0x7f68ced32b56 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:4156:3
    #6 0x7f68d1c2a119 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSEnvironment.cpp:1421:3
    #7 0x7f68d17b4b6d in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*, int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsDOMWindowUtils.cpp:1319:3
    #8 0x7f68cee71ee6 in NS_InvokeByIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp:180:23
    #9 0x7f68d0815322 in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2074:12
    #10 0x7f68d0815322 in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1393
    #11 0x7f68d0815322 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1360
    #12 0x7f68d081c48c in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1128:12
    #13 0x7f68d9988ac3 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235:15
    #14 0x7f68d9988ac3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:441
    #15 0x7f68d9968eeb in CallFromStack /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:504:12
    #16 0x7f68d9968eeb in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2873
    #17 0x7f68d994e9f5 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:399:12
    #18 0x7f68d9989323 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:471:15
    #19 0x7f68d9989db1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:517:10
    #20 0x7f68d94bb708 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:2793:12
    #21 0x7f68d074de05 in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/xpconnect/src/ExportHelpers.cpp:353:18
    #22 0x7f68d9988ac3 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235:15
    #23 0x7f68d9988ac3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:441
    #24 0x7f68d9968eeb in CallFromStack /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:504:12
    #25 0x7f68d9968eeb in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2873
    #26 0x7f68d994e9f5 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:399:12
    #27 0x7f68d9989323 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:471:15
    #28 0x7f68d9989db1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:517:10
    #29 0x7f68d94bdc58 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:2852:12
    #30 0x7f68d36261ad in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8
    #31 0x7f68d187f20f in Call<nsCOMPtr<nsISupports> > /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:70:12
    #32 0x7f68d187f20f in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsGlobalWindow.cpp:12305
    #33 0x7f68d185d354 in nsGlobalWindow::RunTimeout(nsTimeout*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsGlobalWindow.cpp:12548:32
    #34 0x7f68d17f56c1 in nsGlobalWindow::TimerCallback(nsITimer*, void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsGlobalWindow.cpp:12794:3
    #35 0x7f68cee68237 in nsTimerImpl::Fire() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsTimerImpl.cpp:521:7
    #36 0x7f68cee3f61b in nsTimerEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/TimerThread.cpp:286:3

previously allocated by thread T0 (Web Content) here:
    #0 0x4b247b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x4e0bcd in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f68d41538a6 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:193:12
    #3 0x7f68d41538a6 in NS_NewHTMLTrackElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/html/HTMLTrackElement.cpp:57
    #4 0x7f68d41b8534 in CreateHTMLElement /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/html/nsHTMLContentSink.cpp:291:41
    #5 0x7f68d41b8534 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString_internal*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/html/nsHTMLContentSink.cpp:272
    #6 0x7f68d1c78324 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString_internal*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsNameSpaceManager.cpp:177:12
    #7 0x7f68d1b61c3f in nsDocument::CreateElem(nsAString_internal const&, nsIAtom*, int, nsAString_internal*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsDocument.cpp:8709:17
    #8 0x7f68d1b3ece2 in nsDocument::CreateElement(nsAString_internal const&, mozilla::dom::ElementCreationOptions const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsDocument.cpp:5589:26
    #9 0x7f68d352b3d4 in mozilla::dom::DocumentBinding::createElement(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:764:53
    #10 0x7f68d39e1ea7 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2812:13
    #11 0x7f68d9988ac3 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235:15
    #12 0x7f68d9988ac3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:441
    #13 0x7f68d9968eeb in CallFromStack /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:504:12
    #14 0x7f68d9968eeb in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2873
    #15 0x7f68d994e9f5 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:399:12
    #16 0x7f68d9989323 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:471:15
    #17 0x7f68d9989db1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:517:10
    #18 0x7f68d94bdc58 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:2852:12
    #19 0x7f68d34ec3c0 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
    #20 0x7f68d3e3984d in Call<nsISupports *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
    #21 0x7f68d3e3984d in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/JSEventHandler.cpp:214
    #22 0x7f68d3e064be in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1133:16
    #23 0x7f68d3e07f34 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1286:17
    #24 0x7f68d3de3afc in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:379:5
    #25 0x7f68d3de7ea5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:710:9
    #26 0x7f68d5f6e3c5 in nsDocumentViewer::LoadComplete(nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDocumentViewer.cpp:996:7
    #27 0x7f68d6cdd11a in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:7603:5
    #28 0x7f68d6cd90d1 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:7404:7
    #29 0x7f68d6ce04bf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:7301:13
    #30 0x7f68d0c3f351 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:1252:3
    #31 0x7f68d0c3e404 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:836:5
    #32 0x7f68d0c3b28c in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:726:9
    #33 0x7f68d0c3d364 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:608:5
    #34 0x7f68d0c3de5c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:464:14

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsCOMPtr.h:741:45 in operator bool
Shadow bytes around the buggy address:
  0x0c2080013240: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2080013250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2080013260: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080013270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2080013280: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2080013290: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fa
  0x0c20800132a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c20800132b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c20800132c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c20800132d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c20800132e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27836==ABORTING
Really wish we'd stop fixing memory leaks--at least those aren't security bugs.
Blocks: 1286751
Group: core-security → media-core-security
Flags: needinfo?(bechen)
Keywords: regression
The crash is the result of many to one relationship between WindowDestroyedObserver and HTMLTrackElement. HTMLTrackElement::LoadResource() is called multiple times to create distinct WindowDestroyedObserver instances, all referring to the same HTMLTrackElement. The dtor of HTMLTrackElement only deregisters the latest WindowDestroyedObserver from the observer service, leaving the other instances referring to the freed HTMLTrackElement.

Since these 2 classes have a symbiotic relationship, it makes much more sense to create/destroy the observer in the ctor/dtor of HTMLTrackElement.
Whiteboard: [rr]
Attached patch bug1295097.patchSplinter Review 
Assignee: nobody → bechen
Status: NEW → ASSIGNED
Flags: needinfo?(bechen)

        Attachment #8781796 -
        Flags: review?(giles)

        Attachment #8781796 -
        Flags: review?(giles) → review+

    
  
Keywords: checkin-needed

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/535cfe5e5030
Status: ASSIGNED → RESOLVED
Closed: 8 years ago

          status-firefox51:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Priority: -- → P1
Group: media-core-security → core-security-release
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: