Closed
Bug 1408114
Opened 7 years ago
Closed 7 years ago
heap-use-after-free in nsParentNodeChildContentList::Item
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
RESOLVED DUPLICATE of bug 1406395
mozilla58
Version | Tracking | Status |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox56 | --- | unaffected |
firefox57 | --- | fixed |
firefox58 | --- | fixed |
People
(Reporter: nils, Assigned: ben.tian)
References
Details
(Keywords: csectype-uaf, regression, sec-high)
Attachments
(3 files)
The attached testcase crash.html crashes the latest ASAN build of Firefox. It requires the attached svgfilter.html in the same directory and the fuzzPriv extension installed. See attached asan.txt for the ASAN output.
Updated•7 years ago
Group: core-security → dom-core-security
Comment 3•7 years ago
Possible regression from bug 1384661. We are going to backout bug 1384661 in bug 1406395. NI Ben to take a look and verify the issue after backout.
Flags: needinfo?(btian)
Priority: -- → P1
Updated•7 years ago
Keywords: csectype-uaf, sec-high
Assignee
Comment 4•7 years ago
(In reply to Hsin-Yi Tsai [:hsinyi] from comment #3)
> Possible regression from bug 1384661. We are going to backout bug 1384661 in
> bug 1406395. NI Ben to take a look and verify the issue after backout.

Verified on m-c asan build that this bug is fixed and no asan error occurs.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(btian)
Resolution: --- → FIXED
Updated•7 years ago
Assignee: nobody → btian
Blocks: 1384661
status-firefox56: --- → unaffected
status-firefox57: --- → fixed
status-firefox58: --- → fixed
status-firefox-esr52: --- → unaffected
Target Milestone: --- → mozilla58
Updated•7 years ago
Group: dom-core-security → core-security-release
Updated•6 years ago
Flags: sec-bounty?
Comment 6•6 years ago
Looks like Filipe reported this first.
Updated•6 years ago
Group: core-security-release