Closed Bug 1408114 Opened 7 years ago Closed 7 years ago

heap-use-after-free in nsParentNodeChildContentList::Item

Categories

(Core :: DOM: Core & HTML, defect, P1)

57 Branch
defect

Tracking

RESOLVED DUPLICATE of bug 1406395
mozilla58
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- unaffected
firefox57 --- fixed
firefox58 --- fixed

People

(Reporter: nils, Assigned: ben.tian)

Details

(Keywords: csectype-uaf, regression, sec-high)

Attachments

(3 files)

Attached file crash.html
The attached testcase crash.html crashes the latest ASAN build of Firefox. It requires the attached svgfilter.html in the same directory and the fuzzPriv extension installed.

See attached asan.txt for the ASAN output.
Attached file svgfilter.html
Attached file asan.txt
Group: core-security → dom-core-security
Possible regression from bug 1384661. We are going to backout bug 1384661 in bug 1406395. NI Ben to take a look and verify the issue after backout.
Flags: needinfo?(btian)
Priority: -- → P1
(In reply to Hsin-Yi Tsai [:hsinyi] from comment #3)
> Possible regression from bug 1384661. We are going to backout bug 1384661 in
> bug 1406395. NI Ben to take a look and verify the issue after backout.

Verified on m-c asan build that this bug is fixed and no asan error occurs.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(btian)
Resolution: --- → FIXED
Assignee: nobody → btian
Blocks: 1384661
Target Milestone: --- → mozilla58
Group: dom-core-security → core-security-release
No further verification needed, based on comment 4.
Flags: qe-verify-
Flags: sec-bounty?
Looks like Filipe reported this first.
Flags: sec-bounty? → sec-bounty-
Keywords: regression
Resolution: FIXED → DUPLICATE
Group: core-security-release