Bug 1380749 (Closed)
Opened 8 years ago, closed 7 years ago
Use-after-poison in GetPrevSibling [@/home/worker/workspace/build/src/layout/generic/nsIFrame.h:1624:45]
Categories: Core :: Layout, defect, P1
Status: RESOLVED FIXED, target milestone mozilla57
People: Reporter: jkratzer, Assigned: MatsPalmgren_bugz
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [adv-main57-][post-critsmash-triage]
Attachments (2 files):
- 1.54 KB, text/html
- 3.94 KB, patch, dholbert: review+
Testcase found while fuzzing mozilla-central rev 20170712-09a4282d1172. Testcase requires the fuzzPriv extension which can be found at:
https://github.com/MozillaSecurity/domfuzz/tree/master/dom/extension
=================================================================
==19870==ERROR: AddressSanitizer: use-after-poison on address 0x6250007d55c8 at pc 0x7f5f82f8a6a5 bp 0x7ffc9b5c9cf0 sp 0x7ffc9b5c9ce8
READ of size 8 at 0x6250007d55c8 thread T0
#0 0x7f5f82f8a6a4 in GetPrevSibling /home/worker/workspace/build/src/layout/generic/nsIFrame.h:1624:45
#1 0x7f5f82f8a6a4 in FindAppendPrevSibling /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6598
#2 0x7f5f82f8a6a4 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool, bool, TreeMatchContext*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7780
#3 0x7f5f82ee697e in ContentAppended /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.h:246:5
#4 0x7f5f82ee697e in mozilla::PresShell::ContentAppended(nsIDocument*, nsIContent*, nsIContent*, int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4430
#5 0x7f5f7efb596f in nsNodeUtils::ContentAppended(nsIContent*, nsIContent*, int) /home/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:167:3
#6 0x7f5f7ef64ac3 in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1635:7
#7 0x7f5f7ef6b1c0 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:2522:14
#8 0x7f5f7f5de898 in InsertBefore /home/worker/workspace/build/src/dom/base/nsINode.h:1804:12
#9 0x7f5f7f5de898 in AppendChild /home/worker/workspace/build/src/dom/base/nsINode.h:1808
#10 0x7f5f7f5de898 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:877
#11 0x7f5f80921120 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3060:13
#12 0x7f5f86f16464 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#13 0x7f5f86f16464 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#14 0x7f5f86eff28b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#15 0x7f5f86eff28b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
#16 0x7f5f86ee6008 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#17 0x7f5f86f18d77 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:699:15
#18 0x7f5f86f195e2 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:731:12
#19 0x7f5f878a23c9 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /home/worker/workspace/build/src/js/src/jsapi.cpp:4635:12
#20 0x7f5f7ef925a9 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /home/worker/workspace/build/src/dom/base/nsJSUtils.cpp:265:8
#21 0x7f5f82669534 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /home/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2189:25
#22 0x7f5f82664a7d in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /home/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1773:10
#23 0x7f5f8264b51b in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /home/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1472:10
#24 0x7f5f82647b32 in mozilla::dom::ScriptElement::MaybeProcessScript() /home/worker/workspace/build/src/dom/script/ScriptElement.cpp:149:18
#25 0x7f5f7deec01f in AttemptToExecute /home/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:225:18
#26 0x7f5f7deec01f in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:703
#27 0x7f5f7dee574c in nsHtml5TreeOpExecutor::RunFlushLoop() /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:504:7
#28 0x7f5f7deef93b in nsHtml5ExecutorFlusher::Run() /home/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:128:20
#29 0x7f5f7c204ba5 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1437:14
#30 0x7f5f7c20add8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:489:10
#31 0x7f5f7d01cc11 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#32 0x7f5f7cf78e80 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:320:10
#33 0x7f5f7cf78e80 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:313
#34 0x7f5f7cf78e80 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:293
#35 0x7f5f827b8c3f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
#36 0x7f5f86864401 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:287:30
#37 0x7f5f86a417b4 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4595:22
#38 0x7f5f86a433bd in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4778:8
#39 0x7f5f86a447eb in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4873:21
#40 0x4eb613 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
#41 0x4eb613 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309
#42 0x7f5f98b6882f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#43 0x41d168 in _start (/home/mozilla/builds/asan/firefox+0x41d168)
0x6250007d55c8 is located 1224 bytes inside of 8192-byte region [0x6250007d5100,0x6250007d7100)
allocated by thread T0 here:
#0 0x4bb9ec in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
#1 0x7f5f7c1bc30f in AllocateChunk /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:179:15
#2 0x7f5f7c1bc30f in InternalAllocate /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:214
#3 0x7f5f7c1bc30f in Allocate /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:72
#4 0x7f5f7c1bc30f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:77
#5 0x7f5f82d709ed in AllocateByObjectID /home/worker/workspace/build/src/layout/base/nsPresArena.h:51:12
#6 0x7f5f82d709ed in AllocateByObjectID /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:237
#7 0x7f5f82d709ed in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStruct.h:2663
#8 0x7f5f82d709ed in nsRuleNode::ComputeDisplayData(void*, nsRuleData const*, mozilla::GeckoStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:5596
#9 0x7f5f82d4bc86 in nsRuleNode::WalkRuleTree(nsStyleStructID, mozilla::GeckoStyleContext*) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:2811:10
#10 0x7f5f7e409317 in nsStyleDisplay const* nsRuleNode::GetStyleDisplay<true>(mozilla::GeckoStyleContext*) /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:98:1
#11 0x7f5f82b3e767 in DoGetStyleDisplay<true> /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:98:1
#12 0x7f5f82b3e767 in StyleDisplay /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:98
#13 0x7f5f82b3e767 in nsStyleContext::SetStyleBits() /home/worker/workspace/build/src/layout/style/GeckoStyleContext.cpp:542
#14 0x7f5f82b3a8a1 in mozilla::GeckoStyleContext::GeckoStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, already_AddRefed<nsRuleNode>, bool) /home/worker/workspace/build/src/layout/style/GeckoStyleContext.cpp:55:3
#15 0x7f5f82dc8862 in NS_NewStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, nsRuleNode*, bool) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:625:5
#16 0x7f5f82dd6d2f in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:934:14
#17 0x7f5f82ddbce1 in nsStyleSet::ResolveStyleForInternal(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&, nsStyleSet::AnimationFlag) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1379:10
#18 0x7f5f82ddb780 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1389:10
#19 0x7f5f82f75174 in ResolveStyleFor /home/worker/workspace/build/src/layout/style/nsStyleSet.h:139:12
#20 0x7f5f82f75174 in ResolveStyleFor /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:97
#21 0x7f5f82f75174 in nsCSSFrameConstructor::ResolveStyleContext(nsStyleContext*, nsIContent*, nsFrameConstructorState*, mozilla::dom::Element*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5168
#22 0x7f5f82f78522 in ResolveStyleContext /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5133:10
#23 0x7f5f82f78522 in ResolveStyleContext /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5149
#24 0x7f5f82f78522 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5798
#25 0x7f5f82f5a1d2 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11278:9
#26 0x7f5f82f6455c in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12309:3
#27 0x7f5f82f6089a in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2728:5
#28 0x7f5f82f84085 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool, bool, TreeMatchContext*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8037:9
#29 0x7f5f82f7bdc6 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10051:9
#30 0x7f5f82eaeed2 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:1545:25
#31 0x7f5f82e966e2 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3478:3
#32 0x7f5f82e95c2e in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:151:5
#33 0x7f5f82f1e62f in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:94:22
#34 0x7f5f82f1e62f in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:255
#35 0x7f5f82e9a0ab in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/GeckoRestyleManager.h:371:23
#36 0x7f5f82e9a0ab in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:502
#37 0x7f5f82e99ced in mozilla::GeckoRestyleManager::RebuildAllStyleData(nsChangeHint, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:376:3
#38 0x7f5f8304729d in RebuildAllStyleData /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:31:3
#39 0x7f5f8304729d in RebuildAllStyleData /home/worker/workspace/build/src/layout/base/nsPresContext.cpp:2061
#40 0x7f5f8304729d in nsPresContext::MediaFeatureValuesChanged(nsRestyleHint, nsChangeHint) /home/worker/workspace/build/src/layout/base/nsPresContext.cpp:2132
#41 0x7f5f82fcb2b3 in SetTextZoom /home/worker/workspace/build/src/layout/base/nsPresContext.h:565:5
#42 0x7f5f82fcb2b3 in nsDocumentViewer::SetTextZoom(float) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:3106
#43 0x7f5f7c224151 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
#44 0x7f5f7db0a990 in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
#45 0x7f5f7db0a990 in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
#46 0x7f5f7db0a990 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
#47 0x7f5f7db12214 in SetAttribute /home/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1702:17
#48 0x7f5f7db12214 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:995
#49 0x7f5f86f16464 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#50 0x7f5f86f16464 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
SUMMARY: AddressSanitizer: use-after-poison /home/worker/workspace/build/src/layout/generic/nsIFrame.h:1624:45 in GetPrevSibling
==19870==ABORTING
[Exit code: -6]
Updated 8 years ago: Group: core-security → layout-core-security
Comment 1 (7 years ago)
use-after-poison is generally a use-after-free inside a long-lived arena. Very unlikely to be a case of uninitialized memory. It's possible, just wouldn't be my first guess (or second).
Comment 2 (7 years ago)
Jet, would you be so kind as to find someone to assign this to?
This sec-high has a testcase to reproduce and we'd like someone to start taking a look soon.
Flags: needinfo?(bugs)
Comment 4 (Assignee, 7 years ago)
AdjustAppendParentForAfterContent returns a parentAfterFrame which happens
to be a ::first-letter frame, which we intentionally delete (line 7793),
but later we use it.
http://searchfox.org/mozilla-central/rev/67f38de2443e6b613d874fcf4d2cd1f2fc3d5e97/layout/base/nsCSSFrameConstructor.cpp#7763-7764,7793,7824
Frame-poisoning should make it non-exploitable though.
OS: Unspecified → All
Hardware: Unspecified → All
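As an added illustration of what comments 1 and 4 describe (example code written for this page, not code from the bug, the patch or Gecko): a toy frame arena that overwrites objects with a poison pattern on free and, when built with ASan, marks them poisoned, so a use-after-free inside the arena reads the pattern instead of live data and ASan reports it as a use-after-poison. The poison constant, chunk layout, struct and function names are all constructed here; only the 8192-byte chunk size is taken from the report.

```c
#include <stdint.h>
#include <string.h>
#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if __has_feature(address_sanitizer) || defined(__SANITIZE_ADDRESS__)
#include <sanitizer/asan_interface.h>  /* manual poisoning: reads become "use-after-poison" */
#define POISON(p, n)   __asan_poison_memory_region((p), (n))
#define UNPOISON(p, n) __asan_unpoison_memory_region((p), (n))
#else
#define POISON(p, n)   ((void)0)
#define UNPOISON(p, n) ((void)0)
#endif
/* Constructed poison word, not Gecko's constant: a non-canonical x86-64 address, so
   dereferencing a pointer read out of a freed frame faults instead of aliasing live data. */
#define FRAME_POISON 0x7ffffffff0dea7ffULL
#define CHUNK_SIZE 8192                /* same chunk size as the arena region in the report */
#define MAX_FREED 64

typedef struct frame { struct frame *prev_sibling, *next_sibling; uint64_t pad[6]; } frame;
/* One chunk plus a free list kept outside the objects, so a freed slot stays fully poisoned. */
typedef struct { unsigned char chunk[CHUNK_SIZE]; size_t used; frame *freed[MAX_FREED]; size_t nfreed; } arena;

static frame *arena_alloc(arena *a) {
    frame *f;
    if (a->nfreed > 0) {               /* recycle a poisoned slot */
        f = a->freed[--a->nfreed];
        UNPOISON(f, sizeof *f);
    } else {
        if (a->used + sizeof *f > CHUNK_SIZE) return NULL;
        f = (frame *)(a->chunk + a->used);
        a->used += sizeof *f;
    }
    memset(f, 0, sizeof *f);
    return f;
}
/* Free: overwrite every word with the poison pattern, then mark the slot off limits for ASan. */
static void arena_free(arena *a, frame *f) {
    uint64_t pat = FRAME_POISON;
    for (size_t off = 0; off < sizeof *f; off += sizeof pat) memcpy((unsigned char *)f + off, &pat, sizeof pat);
    POISON(f, sizeof *f);
    if (a->nfreed < MAX_FREED) a->freed[a->nfreed++] = f;
}
/* Mirrors the bug: hold a pointer to a frame, delete it, then read through it anyway.
   Without ASan the read yields the poison word; with ASan it is the report above. */
static uintptr_t demo_stale_prev_sibling(void) {
    arena a = {0};
    frame *parent_after = arena_alloc(&a), *prev = arena_alloc(&a);
    parent_after->prev_sibling = prev;
    arena_free(&a, parent_after);                  /* the ::first-letter frame is deleted */
    return (uintptr_t)parent_after->prev_sibling;  /* stale use */
}
/* Why arena reuse matters: the next allocation hands back the same slot, so a stale pointer
   would alias a new, unrelated frame. Returns 1 if the slot was reused and re-zeroed. */
static int demo_slot_is_recycled(void) {
    arena a = {0};
    frame *f = arena_alloc(&a);
    arena_free(&a, f);
    return arena_alloc(&a) == f && f->prev_sibling == NULL;
}
```

Build once plain and once with -fsanitize=address: the plain build returns the poison word from the stale read, the ASan build aborts on it with the same use-after-poison diagnostic the report shows.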
Comment 5 (Assignee, 7 years ago)
Attachment #8905999 - Flags: review?(dholbert)
Comment 6 (7 years ago)
Comment on attachment 8905999 [details] [diff] [review]
fix
r=me
>Bug 1380749 - Retry AdjustAppendParentForAfterContent in case |parentAfterFrame| was a :first-letter frame that we deleted. r=bz
(Remember to adjust commit message with s/bz/dholbert/ before landing.)
Attachment #8905999 - Flags: review?(dholbert) → review+
Updated 7 years ago: Priority: -- → P1
Comment 7 (Assignee, 7 years ago)
Flags: in-testsuite?
Comment 8 (7 years ago)
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Comment 9 (7 years ago)
Is this worth backporting to Beta as well?
status-firefox55: --- → wontfix
status-firefox56: --- → affected
status-firefox-esr52: --- → wontfix
Flags: needinfo?(mats)
Comment 10 (Assignee, 7 years ago)
Probably not. It's not exploitable, and it's extremely unlikely that
the crash would occur on any regular web site. (It requires a combination
of display:contents, ::first-letter styling and dynamic DOM/style changes
to those elements for it to occur.)
Flags: needinfo?(mats)
Updated 7 years ago: Group: layout-core-security → core-security-release
Updated 7 years ago: Whiteboard: [adv-main57-]
Updated 7 years ago: Flags: qe-verify-; Whiteboard: [adv-main57-] → [adv-main57-][post-critsmash-triage]
Updated 6 years ago: Group: core-security-release