Closed
Bug 1380749
Opened 6 years ago
Closed 6 years ago
Use-after-poison in GetPrevSibling [@/home/worker/workspace/build/src/layout/generic/nsIFrame.h:1624:45]
Categories
(Core :: Layout, defect, P1)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla57
People
(Reporter: jkratzer, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [adv-main57-][post-critsmash-triage])
Attachments
(2 files)
|
1.54 KB,
text/html
|
Details | |
|
3.94 KB,
patch
|
dholbert
:
review+
|
Details | Diff | Splinter Review |
Testcase found while fuzzing mozilla-central rev 20170712-09a4282d1172. Testcase requires the fuzzPriv extension which can be found at: https://github.com/MozillaSecurity/domfuzz/tree/master/dom/extension ================================================================= ==19870==ERROR: AddressSanitizer: use-after-poison on address 0x6250007d55c8 at pc 0x7f5f82f8a6a5 bp 0x7ffc9b5c9cf0 sp 0x7ffc9b5c9ce8 READ of size 8 at 0x6250007d55c8 thread T0 #0 0x7f5f82f8a6a4 in GetPrevSibling /home/worker/workspace/build/src/layout/generic/nsIFrame.h:1624:45 #1 0x7f5f82f8a6a4 in FindAppendPrevSibling /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6598 #2 0x7f5f82f8a6a4 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool, bool, TreeMatchContext*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7780 #3 0x7f5f82ee697e in ContentAppended /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.h:246:5 #4 0x7f5f82ee697e in mozilla::PresShell::ContentAppended(nsIDocument*, nsIContent*, nsIContent*, int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4430 #5 0x7f5f7efb596f in nsNodeUtils::ContentAppended(nsIContent*, nsIContent*, int) /home/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:167:3 #6 0x7f5f7ef64ac3 in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1635:7 #7 0x7f5f7ef6b1c0 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:2522:14 #8 0x7f5f7f5de898 in InsertBefore /home/worker/workspace/build/src/dom/base/nsINode.h:1804:12 #9 0x7f5f7f5de898 in AppendChild /home/worker/workspace/build/src/dom/base/nsINode.h:1808 #10 0x7f5f7f5de898 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:877 #11 0x7f5f80921120 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3060:13 #12 0x7f5f86f16464 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15 #13 0x7f5f86f16464 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470 #14 0x7f5f86eff28b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12 #15 0x7f5f86eff28b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060 #16 0x7f5f86ee6008 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12 #17 0x7f5f86f18d77 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:699:15 #18 0x7f5f86f195e2 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:731:12 #19 0x7f5f878a23c9 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /home/worker/workspace/build/src/js/src/jsapi.cpp:4635:12 #20 0x7f5f7ef925a9 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /home/worker/workspace/build/src/dom/base/nsJSUtils.cpp:265:8 #21 0x7f5f82669534 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /home/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2189:25 #22 0x7f5f82664a7d in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /home/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1773:10 #23 0x7f5f8264b51b in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /home/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1472:10 #24 0x7f5f82647b32 in mozilla::dom::ScriptElement::MaybeProcessScript() /home/worker/workspace/build/src/dom/script/ScriptElement.cpp:149:18 #25 0x7f5f7deec01f in AttemptToExecute /home/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:225:18 #26 0x7f5f7deec01f in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:703 #27 0x7f5f7dee574c in nsHtml5TreeOpExecutor::RunFlushLoop() /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:504:7 #28 0x7f5f7deef93b in nsHtml5ExecutorFlusher::Run() /home/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:128:20 #29 0x7f5f7c204ba5 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1437:14 #30 0x7f5f7c20add8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:489:10 #31 0x7f5f7d01cc11 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21 #32 0x7f5f7cf78e80 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:320:10 #33 0x7f5f7cf78e80 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:313 #34 0x7f5f7cf78e80 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:293 #35 0x7f5f827b8c3f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27 #36 0x7f5f86864401 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:287:30 #37 0x7f5f86a417b4 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4595:22 #38 0x7f5f86a433bd in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4778:8 #39 0x7f5f86a447eb in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4873:21 #40 0x4eb613 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22 #41 0x4eb613 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309 #42 0x7f5f98b6882f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #43 0x41d168 in _start (/home/mozilla/builds/asan/firefox+0x41d168) 0x6250007d55c8 is located 1224 bytes inside of 8192-byte region [0x6250007d5100,0x6250007d7100) allocated by thread T0 here: #0 0x4bb9ec in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3 #1 0x7f5f7c1bc30f in AllocateChunk /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:179:15 #2 0x7f5f7c1bc30f in InternalAllocate /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:214 #3 0x7f5f7c1bc30f in Allocate /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:72 #4 0x7f5f7c1bc30f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:77 #5 0x7f5f82d709ed in AllocateByObjectID /home/worker/workspace/build/src/layout/base/nsPresArena.h:51:12 #6 0x7f5f82d709ed in AllocateByObjectID /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:237 #7 0x7f5f82d709ed in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStruct.h:2663 #8 0x7f5f82d709ed in nsRuleNode::ComputeDisplayData(void*, nsRuleData const*, mozilla::GeckoStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:5596 #9 0x7f5f82d4bc86 in nsRuleNode::WalkRuleTree(nsStyleStructID, mozilla::GeckoStyleContext*) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:2811:10 #10 0x7f5f7e409317 in nsStyleDisplay const* nsRuleNode::GetStyleDisplay<true>(mozilla::GeckoStyleContext*) /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:98:1 #11 0x7f5f82b3e767 in DoGetStyleDisplay<true> /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:98:1 #12 0x7f5f82b3e767 in StyleDisplay /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:98 #13 0x7f5f82b3e767 in nsStyleContext::SetStyleBits() /home/worker/workspace/build/src/layout/style/GeckoStyleContext.cpp:542 #14 0x7f5f82b3a8a1 in mozilla::GeckoStyleContext::GeckoStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, already_AddRefed<nsRuleNode>, bool) /home/worker/workspace/build/src/layout/style/GeckoStyleContext.cpp:55:3 #15 0x7f5f82dc8862 in NS_NewStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, nsRuleNode*, bool) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:625:5 #16 0x7f5f82dd6d2f in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:934:14 #17 0x7f5f82ddbce1 in nsStyleSet::ResolveStyleForInternal(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&, nsStyleSet::AnimationFlag) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1379:10 #18 0x7f5f82ddb780 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1389:10 #19 0x7f5f82f75174 in ResolveStyleFor /home/worker/workspace/build/src/layout/style/nsStyleSet.h:139:12 #20 0x7f5f82f75174 in ResolveStyleFor /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:97 #21 0x7f5f82f75174 in nsCSSFrameConstructor::ResolveStyleContext(nsStyleContext*, nsIContent*, nsFrameConstructorState*, mozilla::dom::Element*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5168 #22 0x7f5f82f78522 in ResolveStyleContext /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5133:10 #23 0x7f5f82f78522 in ResolveStyleContext /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5149 #24 0x7f5f82f78522 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5798 #25 0x7f5f82f5a1d2 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11278:9 #26 0x7f5f82f6455c in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12309:3 #27 0x7f5f82f6089a in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2728:5 #28 0x7f5f82f84085 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool, bool, TreeMatchContext*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8037:9 #29 0x7f5f82f7bdc6 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10051:9 #30 0x7f5f82eaeed2 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:1545:25 #31 0x7f5f82e966e2 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3478:3 #32 0x7f5f82e95c2e in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:151:5 #33 0x7f5f82f1e62f in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:94:22 #34 0x7f5f82f1e62f in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:255 #35 0x7f5f82e9a0ab in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/GeckoRestyleManager.h:371:23 #36 0x7f5f82e9a0ab in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:502 #37 0x7f5f82e99ced in mozilla::GeckoRestyleManager::RebuildAllStyleData(nsChangeHint, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:376:3 #38 0x7f5f8304729d in RebuildAllStyleData /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:31:3 #39 0x7f5f8304729d in RebuildAllStyleData /home/worker/workspace/build/src/layout/base/nsPresContext.cpp:2061 #40 0x7f5f8304729d in nsPresContext::MediaFeatureValuesChanged(nsRestyleHint, nsChangeHint) /home/worker/workspace/build/src/layout/base/nsPresContext.cpp:2132 #41 0x7f5f82fcb2b3 in SetTextZoom /home/worker/workspace/build/src/layout/base/nsPresContext.h:565:5 #42 0x7f5f82fcb2b3 in nsDocumentViewer::SetTextZoom(float) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:3106 #43 0x7f5f7c224151 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129 #44 0x7f5f7db0a990 in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12 #45 0x7f5f7db0a990 in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315 #46 0x7f5f7db0a990 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282 #47 0x7f5f7db12214 in SetAttribute /home/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1702:17 #48 0x7f5f7db12214 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:995 #49 0x7f5f86f16464 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15 #50 0x7f5f86f16464 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470 SUMMARY: AddressSanitizer: use-after-poison /home/worker/workspace/build/src/layout/generic/nsIFrame.h:1624:45 in GetPrevSibling Shadow bytes around the buggy address: 0x0c4a800f2a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800f2a70: 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 0x0c4a800f2a80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 0x0c4a800f2a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800f2aa0: 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 =>0x0c4a800f2ab0: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 0x0c4a800f2ac0: f7 f7 f7 f7 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800f2ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800f2ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800f2af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800f2b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==19870==ABORTING [Exit code: -6]
|
||
Updated•6 years ago
|
Group: core-security → layout-core-security
|
|
||
Comment 1•6 years ago
|
||
use-after-poison is generally a use-after-free inside a long-lived arena. Very unlikely to be a case of uninitialized memory. It's possible, just wouldn't be my first guess (or second).
|
||
Comment 2•6 years ago
|
||
Jet, would you be so kind to find someone to assign to? This sec-high has a testcase to reproduce and we'd like someone to start taking a look soon.
Flags: needinfo?(bugs)
|
Assignee | |
Comment 4•6 years ago
|
||
AdjustAppendParentForAfterContent returns a parentAfterFrame which happens to be a ::first-letter frame, which we intentionally delete (line 7793), but later we use it. http://searchfox.org/mozilla-central/rev/67f38de2443e6b613d874fcf4d2cd1f2fc3d5e97/layout/base/nsCSSFrameConstructor.cpp#7763-7764,7793,7824 Frame-poisoning should make it non-exploitable though.
OS: Unspecified → All
Hardware: Unspecified → All
|
|
Assignee | |
Comment 5•6 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f4d64bf99a5ff879a19e7e825098ec5477abf071
Attachment #8905999 -
Flags: review?(dholbert)
|
||
Comment 6•6 years ago
|
||
Comment on attachment 8905999 [details] [diff] [review] fix r=me >Bug 1380749 - Retry AdjustAppendParentForAfterContent in case |parentAfterFrame| was a :first-letter frame that we deleted. r=bz (Remember to adjust commit message with s/bz/dholbert/ before landing.)
Attachment #8905999 -
Flags: review?(dholbert) → review+
|
||
Updated•6 years ago
|
Priority: -- → P1
|
|
Assignee | |
Comment 7•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/465c2c33afad0de7d1dcf988e73bb069f770d033
Flags: in-testsuite?
|
||
Comment 8•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/465c2c33afad
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
|
|
||
Comment 9•6 years ago
|
||
Is this worth backporting to Beta as well?
status-firefox55:
--- → wontfix
status-firefox56:
--- → affected
status-firefox-esr52:
--- → wontfix
Flags: needinfo?(mats)
|
|
Assignee | |
Comment 10•6 years ago
|
||
Probably not. It's not exploitable, and it's extremely unlikely that the crash would occur on any regular web site. (It requires a combination of display:contents, ::first-letter styling and dynamic DOM/style changes to those elements for it to occur.)
Flags: needinfo?(mats)
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
Group: layout-core-security → core-security-release
|
||
Updated•6 years ago
|
Whiteboard: [adv-main57-]
|
||
Updated•5 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main57-] → [adv-main57-][post-critsmash-triage]
|
|
||
Updated•4 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•