1369813 - Access violation read crash @ mozilla::CSSStyleSheet::ClearRuleCascades

Status: RESOLVED DUPLICATE of bug 1368690

(Core :: CSS Parsing and Computation, defect)

Description

[Abdulrahman Alqabandi]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce:

Opened web console on nightly start page

Typed the following and crash happened after execution:

throw {toString:function(e){open('http://bing.com','_self');setTimeout('print();open("javascript:alert(1)")',100)}}

crash dump:
https://crash-stats.mozilla.com/report/index/aa8f96da-a590-4db8-b41f-4522b0170602#tab-rawdump


Actual results:

Crash with UaF


Expected results:

No crash.

I cant reproduce on random pages for some reason, will investigate more and will post updates.

Comment 1

[Abdulrahman Alqabandi]

Attachment: PoC.txt

Here is the PoC attached

Comment 2

[Abdulrahman Alqabandi]

Note: I think the 'start page' I was referring to was https://www.mozilla.org/en-US/firefox/55.0a1/whatsnew/?oldversion=52.1.2
Can't reproduce.
It looks like there is already a bug on this, so this might just have been a random bug in the new nightly I havent seen before. Not sure now if it has anything to do with my PoC.

Comment 3

[Andrew McCreight [:mccr8]]

Emilio, is this a dupe of bug 1368690? I'm guessing so, since the signatures match and the timing is close.

Comment 4

[Emilio Cobos Álvarez (:emilio)]

Yes, it is.

See that bug for the diagnosis, but tl;dr: bug 1339629 introduced a virtual call and called that function from the base class constructor, which made the implementations read uninitialized memory.

Thus, I think it's not a UAF.