Closed
Bug 1300145
Opened 8 years ago
Closed 8 years ago
Crash in InvalidArrayIndex_CRASH | mozilla::ContentCache::TextRectArray::GetUnionRectAsFarAsPossible
Categories
(Core :: Widget, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: mccr8, Unassigned)
References
Details
(Keywords: crash, csectype-bounds, sec-low, Whiteboard: [post-critsmash-triage][adv-main51+] fixed by bug 1291082)
Crash Data
This bug was filed from the Socorro interface and is
report bp-150bc69d-c899-4b95-81f5-4749e2160831.
=============================================================
This is happening on the line:
rect = rect.Union(mRects[startOffset - mStart + i]);
These crashes have: ElementAt(aIndex = 4294967295, aLength = 0) where 4294967295 is 2^32-1, so we've underflowed.
|
||
Updated•8 years ago
|
Group: core-security → layout-core-security
|
||
Comment 1•8 years ago
|
||
I think that this issue is bug 1291082. Although uplift request is rejected, should we fix this?
Flags: needinfo?(dveditz)
|
|
||
Comment 2•8 years ago
|
||
Is this exploitable, or is it always going to crash?
Flags: needinfo?(dveditz)
|
|
||
Comment 3•8 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is this exploitable, or is it always going to crash?
Crash only by invalid memory read.
|
Reporter | |
Comment 4•8 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is this exploitable, or is it always going to crash?
It is always going to crash on Nightly and Aurora, but other branches are going to have out of bounds access.
|
|
||
Comment 5•8 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #4)
> (In reply to Daniel Veditz [:dveditz] from comment #2)
> > Is this exploitable, or is it always going to crash?
>
> It is always going to crash on Nightly and Aurora, but other branches are
> going to have out of bounds access.
I cannot find same signature on 51.0a1. :mccr8, do you have same crash signature on 51.0a1?
status-firefox50:
--- → affected
|
|
Reporter | |
Comment 6•8 years ago
|
||
Yeah, I don't see any on 51 either.
|
|
||
Comment 8•8 years ago
|
||
Ritu, although you reject uplift request for bug 1291082, this is filed as sec-other bug.
Could you reconsider uplift approval for bug 1291082?. If still rejected, we should close this as dup or wontfix.
Flags: needinfo?(rkothari)
|
|
||
Comment 9•8 years ago
|
||
Let's call this "fixed" "depends on"
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox-esr45:
--- → wontfix
Resolution: --- → FIXED
Whiteboard: fixed by bug 1291082
Thanks Dan!
Flags: needinfo?(rkothari)
|
|
||
Updated•8 years ago
|
Group: layout-core-security → core-security-release
|
||
Updated•8 years ago
|
Flags: qe-verify-
Whiteboard: fixed by bug 1291082 → [post-critsmash-triage] fixed by bug 1291082
|
||
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage] fixed by bug 1291082 → [post-critsmash-triage][adv-main51+] fixed by bug 1291082
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•