Closed Bug 1300145 Opened 8 years ago Closed 8 years ago

Crash in InvalidArrayIndex_CRASH | mozilla::ContentCache::TextRectArray::GetUnionRectAsFarAsPossible

Categories

(Core :: Widget, defect)

x86
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox-esr45 --- wontfix
firefox50 --- wontfix
firefox51 --- fixed

People

(Reporter: mccr8, Unassigned)

References

Details

(Keywords: crash, csectype-bounds, sec-low, Whiteboard: [post-critsmash-triage][adv-main51+] fixed by bug 1291082)

Crash Data

This bug was filed from the Socorro interface and is report bp-150bc69d-c899-4b95-81f5-4749e2160831.
=============================================================
This is happening on the line:

rect = rect.Union(mRects[startOffset - mStart + i]);

These crashes have:

ElementAt(aIndex = 4294967295, aLength = 0)

where 4294967295 is 2^32-1, so we've underflowed.
Group: core-security → layout-core-security
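The crash above comes from computing an unsigned array index as startOffset - mStart + i when startOffset is smaller than mStart: the subtraction wraps to 2^32-1 and the lookup runs off the end of an array of length 0. The following C++ is an added illustration, not Mozilla's ContentCache code: the Rect, TextRectArray, CheckedIndex and the "stop at the first uncached offset" semantics are stand-ins I made up to show the wrap and a bounds-checked lookup that refuses offsets before mStart and indices past the end.

```cpp
#include <algorithm>
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical stand-in for a rectangle with a Union() like the one on the
// crashing line. A zero-sized rect acts as the identity for Union().
struct Rect {
  int32_t x = 0, y = 0, width = 0, height = 0;
  Rect Union(const Rect& aOther) const {
    if (width == 0 && height == 0) return aOther;
    int32_t l = std::min(x, aOther.x), t = std::min(y, aOther.y);
    int32_t r = std::max(x + width, aOther.x + aOther.width);
    int32_t b = std::max(y + height, aOther.y + aOther.height);
    return {l, t, r - l, b - t};
  }
};

// Hypothetical stand-in for TextRectArray: one rect per character starting
// at text offset mStart.
struct TextRectArray {
  uint32_t mStart = 0;       // text offset of mRects[0]
  std::vector<Rect> mRects;  // cached rects, may be empty

  // The index expression from the crashing line, unchecked. uint32_t
  // arithmetic wraps, so aStartOffset < aStart yields 2^32-1 instead of a
  // negative value, and the caller then reads far past the array.
  static uint32_t UncheckedIndex(uint32_t aStartOffset, uint32_t aStart,
                                 uint32_t i) {
    return aStartOffset - aStart + i;
  }

  // Checked lookup: reject offsets before mStart (the underflow case) and
  // indices at or past the end. Widening to 64 bits keeps the add from
  // wrapping as well.
  std::optional<size_t> CheckedIndex(uint32_t aOffset, uint32_t i) const {
    if (aOffset < mStart) return std::nullopt;
    uint64_t idx = uint64_t(aOffset - mStart) + i;
    if (idx >= mRects.size()) return std::nullopt;
    return size_t(idx);
  }

  // Union of the cached rects covering [aStartOffset, aStartOffset + aLength),
  // stopping at the first offset that is not cached. Returns false when no
  // rect in the range is cached, so the caller never sees a bogus rect.
  bool GetUnionRectAsFarAsPossible(uint32_t aStartOffset, uint32_t aLength,
                                   Rect& aResult) const {
    Rect rect;
    bool any = false;
    for (uint32_t i = 0; i < aLength; ++i) {
      std::optional<size_t> idx = CheckedIndex(aStartOffset, i);
      if (!idx) break;
      rect = rect.Union(mRects[*idx]);
      any = true;
    }
    if (any) aResult = rect;
    return any;
  }
};
```

With mStart = 1 and an empty mRects, UncheckedIndex(0, 1, 0) returns 4294967295, which is exactly the aIndex in the crash report; CheckedIndex(0, 0) returns no value instead, and GetUnionRectAsFarAsPossible reports failure rather than indexing the array.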
I think that this issue is bug 1291082. Although the uplift request is rejected, should we fix this?
Flags: needinfo?(dveditz)
Is this exploitable, or is it always going to crash?
Flags: needinfo?(dveditz)
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is this exploitable, or is it always going to crash?

Crash only by invalid memory read.
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is this exploitable, or is it always going to crash?

It is always going to crash on Nightly and Aurora, but other branches are going to have out of bounds access.
(In reply to Andrew McCreight [:mccr8] from comment #4)
> (In reply to Daniel Veditz [:dveditz] from comment #2)
> > Is this exploitable, or is it always going to crash?
>
> It is always going to crash on Nightly and Aurora, but other branches are
> going to have out of bounds access.

I cannot find the same signature on 51.0a1. :mccr8, do you have the same crash signature on 51.0a1?
Yeah, I don't see any on 51 either.
So hopefully this was fixed by bug 1291082.
Depends on: 1291082
Keywords: sec-other
Ritu, although you rejected the uplift request for bug 1291082, this is filed as a sec-other bug. Could you reconsider uplift approval for bug 1291082? If still rejected, we should close this as dup or wontfix.
Flags: needinfo?(rkothari)
Let's call this "fixed" "depends on"
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: fixed by bug 1291082
Group: layout-core-security → core-security-release
Flags: qe-verify-
Whiteboard: fixed by bug 1291082 → [post-critsmash-triage] fixed by bug 1291082
Whiteboard: [post-critsmash-triage] fixed by bug 1291082 → [post-critsmash-triage][adv-main51+] fixed by bug 1291082
Group: core-security-release