Closed
Bug 1300145
Opened 8 years ago
Closed 8 years ago
Crash in InvalidArrayIndex_CRASH | mozilla::ContentCache::TextRectArray::GetUnionRectAsFarAsPossible
Categories
(Core :: Widget, defect)
Tracking
RESOLVED
FIXED
People
(Reporter: mccr8, Unassigned)
References
Details
(Keywords: crash, csectype-bounds, sec-low, Whiteboard: [post-critsmash-triage][adv-main51+] fixed by bug 1291082)
Crash Data
This bug was filed from the Socorro interface and is report bp-150bc69d-c899-4b95-81f5-4749e2160831.
=============================================================
This is happening on the line:
rect = rect.Union(mRects[startOffset - mStart + i]);
These crashes have: ElementAt(aIndex = 4294967295, aLength = 0) where 4294967295 is 2^32-1, so we've underflowed.
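As an added illustration, not code from this bug or from the Mozilla tree: a reduced stand-in for TextRectArray showing how the unsigned expression `startOffset - mStart + i` wraps to 4294967295 when startOffset is smaller than mStart (the ElementAt(aIndex = 4294967295, aLength = 0) seen in the crash reports), beside a version that clamps the requested range to the cached range before indexing. Rect, UncheckedIndex, MakeSampleArray and the clamping logic are assumptions made for this example; they are not the fix landed in bug 1291082, whose patch is not shown here.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for the layout rect type; only what the example needs.
struct Rect {
  int32_t x, y, width, height;
  Rect(int32_t aX = 0, int32_t aY = 0, int32_t aW = 0, int32_t aH = 0)
      : x(aX), y(aY), width(aW), height(aH) {}
  bool IsEmpty() const { return width <= 0 || height <= 0; }
  Rect Union(const Rect& aOther) const {
    if (IsEmpty()) return aOther;
    if (aOther.IsEmpty()) return *this;
    int32_t left = std::min(x, aOther.x);
    int32_t top = std::min(y, aOther.y);
    int32_t right = std::max(x + width, aOther.x + aOther.width);
    int32_t bottom = std::max(y + height, aOther.y + aOther.height);
    return Rect(left, top, right - left, bottom - top);
  }
};

// The index expression from the crashing line, with the uint32_t operands
// the cache uses. There is no negative result: startOffset < mStart wraps.
uint32_t UncheckedIndex(uint32_t aStartOffset, uint32_t aStart, uint32_t aI) {
  return aStartOffset - aStart + aI;
}

// Hypothetical reduced TextRectArray: mRects[k] is the rect of the character
// at text offset mStart + k.
struct TextRectArray {
  uint32_t mStart = 0;
  std::vector<Rect> mRects;

  uint32_t StartOffset() const { return mStart; }
  uint32_t EndOffset() const {
    return mStart + static_cast<uint32_t>(mRects.size());
  }

  // Clamp [aOffset, aOffset + aLength) to the cached range [mStart, EndOffset())
  // first, then index. Returns an empty Rect when nothing in the requested
  // range is cached, so mRects is never touched with a wrapped index.
  Rect GetUnionRectAsFarAsPossible(uint32_t aOffset, uint32_t aLength) const {
    if (mRects.empty()) return Rect();
    // 64-bit so aOffset + aLength itself cannot wrap.
    uint64_t requestedEnd = static_cast<uint64_t>(aOffset) + aLength;
    uint32_t startOffset = std::max(aOffset, StartOffset());
    uint64_t endOffset = std::min<uint64_t>(requestedEnd, EndOffset());
    if (endOffset <= startOffset) return Rect();  // no overlap with the cache
    Rect rect;
    for (uint32_t i = 0; i < endOffset - startOffset; ++i) {
      // startOffset >= mStart and startOffset + i < EndOffset(), so this
      // index is in [0, mRects.size()).
      rect = rect.Union(mRects[startOffset - mStart + i]);
    }
    return rect;
  }
};

// Constructed sample input: two 10x10 character rects cached for offsets 5 and 6.
TextRectArray MakeSampleArray() {
  TextRectArray arr;
  arr.mStart = 5;
  arr.mRects.push_back(Rect(0, 0, 10, 10));
  arr.mRects.push_back(Rect(10, 0, 10, 10));
  return arr;
}
```

With the sample array, asking for offsets [0, 3) returns an empty rect instead of reading mRects[4294967291], [3, 7) yields the union of both cached rects, and [6, 106) is clipped to the single rect at offset 6. The first assertion below reproduces the exact wrapped index from the crash reports.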
Updated•8 years ago
Group: core-security → layout-core-security
Comment 1•8 years ago
I think that this issue is bug 1291082. Although the uplift request was rejected, should we fix this?
Flags: needinfo?(dveditz)
Comment 2•8 years ago
Is this exploitable, or is it always going to crash?
Flags: needinfo?(dveditz)
Comment 3•8 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is this exploitable, or is it always going to crash?
Crash only, by an invalid memory read.
Comment 4 (Reporter)•8 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is this exploitable, or is it always going to crash?
It is always going to crash on Nightly and Aurora, but other branches are going to have an out-of-bounds access.
Comment 5•8 years ago
(In reply to Andrew McCreight [:mccr8] from comment #4)
> (In reply to Daniel Veditz [:dveditz] from comment #2)
> > Is this exploitable, or is it always going to crash?
>
> It is always going to crash on Nightly and Aurora, but other branches are going to have out of bounds access.
I cannot find the same signature on 51.0a1. :mccr8, do you have the same crash signature on 51.0a1?
status-firefox50: --- → affected
Comment 6 (Reporter)•8 years ago
Yeah, I don't see any on 51 either.
Comment 8•8 years ago
Ritu, although you rejected the uplift request for bug 1291082, this is filed as a sec-other bug.
Could you reconsider uplift approval for bug 1291082? If it is still rejected, we should close this as a dup or wontfix.
Flags: needinfo?(rkothari)
Comment 9•8 years ago
Let's call this "fixed" "depends on"
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox-esr45: --- → wontfix
Resolution: --- → FIXED
Whiteboard: fixed by bug 1291082
Thanks Dan!
Flags: needinfo?(rkothari)
Updated•8 years ago
Group: layout-core-security → core-security-release
Updated•8 years ago
Flags: qe-verify-
Whiteboard: fixed by bug 1291082 → [post-critsmash-triage] fixed by bug 1291082
Updated•8 years ago
Whiteboard: [post-critsmash-triage] fixed by bug 1291082 → [post-critsmash-triage][adv-main51+] fixed by bug 1291082
Updated•7 years ago
Group: core-security-release