Closed
Bug 1415476
Opened 7 years ago
Closed 7 years ago
heap-use-after-free in mozilla::dom::ImageTracker::RequestDiscardAll
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1414762
| Tracking | Status | |
|---|---|---|
| firefox58 | --- | fixed |
People
(Reporter: nils, Unassigned)
Details
(Keywords: csectype-uaf, sec-high, Whiteboard: [adv-main58-])
Attachments
(1 file)
|
1.49 KB,
application/x-zip-compressed
|
Details |
The attached testcase (in crash.zip) crashes the latest ASAN build of Firefox nightly. The testcase needs to be loaded from a HTTP server with the following directory structure:
/crash.html
/div.html
/s/rem-self-filter.svg
/s/rem-effects.svg
The subdirectory is required for some reason.
ASAN output:
=================================================================
==14702==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00027c100 at pc 0x7f86658bc77a bp 0x7ffe6af40530 sp 0x7ffe6af40528
READ of size 8 at 0x60c00027c100 thread T0 (Web Content)
#0 0x7f623d637779 in mozilla::dom::ImageTracker::RequestDiscardAll() /builds/worker/workspace/build/src/dom/base/ImageTracker.cpp:153:17
#1 0x7f623d7ee7af in nsDocument::DeleteShell() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4258:19
#2 0x7f6241931642 in mozilla::PresShell::Destroy() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1314:16
#3 0x7f6241a38ddc in nsDocumentViewer::DestroyPresShell() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4644:15
#4 0x7f6241a2924c in nsDocumentViewer::Destroy() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1752:5
#5 0x7f6241a3acae in nsDocumentViewer::Show() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2089:17
#6 0x7f6241ace37b in nsPresContext::EnsureVisible() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:2246:31
#7 0x7f6241950f83 in mozilla::PresShell::UnsuppressAndInvalidate() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:3896:54
#8 0x7f6241a318e7 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1098:14
#9 0x7f6244ad1c6a in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7765:21
#10 0x7f6244acdc94 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7563:7
#11 0x7f6244ad54ef in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7460:13
#12 0x7f623c641143 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1321:3
#13 0x7f623c6402ac in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:862:14
#14 0x7f623c63d338 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:751:9
#15 0x7f623c63f252 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:633:5
#16 0x7f623c63feac in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:489:14
#17 0x7f623abadb80 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
#18 0x7f623d8272ad in nsDocument::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9376:18
#19 0x7f623d826e71 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9298:9
#20 0x7f623d800f49 in nsDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5688:3
#21 0x7f623d87b002 in applyImpl<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
#22 0x7f623d87b002 in apply<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
#23 0x7f623d87b002 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
#24 0x7f623a9d8371 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
#25 0x7f623a9fd3a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#26 0x7f623aa17868 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#27 0x7f623b7e9811 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#28 0x7f623b749e6b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#29 0x7f623b749e6b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#30 0x7f623b749e6b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#31 0x7f62411cc92f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#32 0x7f62454e5487 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
#33 0x7f623b749e6b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#34 0x7f623b749e6b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#35 0x7f623b749e6b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#36 0x7f62454e4e3a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
#37 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#38 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#39 0x7f625819c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#40 0x41dbc8 in _start (/fuzzer3/firefox/firefox+0x41dbc8)
0x60c0003b2d80 is located 0 bytes inside of 128-byte region [0x60c0003b2d80,0x60c0003b2e00)
freed by thread T0 (Web Content) here:
#0 0x4bc0fb in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
#1 0x7f623d278845 in imgRequestProxy::Release() /builds/worker/workspace/build/src/image/imgRequestProxy.cpp:96:1
#2 0x7f623d2526fd in ~nsCOMPtr_base /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:313:7
#3 0x7f623d2526fd in ~nsProgressNotificationProxy /builds/worker/workspace/build/src/image/imgLoader.h:534
#4 0x7f623d2526fd in Release /builds/worker/workspace/build/src/image/imgLoader.cpp:432
#5 0x7f623d2526fd in non-virtual thunk to nsProgressNotificationProxy::Release() /builds/worker/workspace/build/src/image/imgLoader.cpp:432
#6 0x7f623b38932c in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:624:5
#7 0x7f623b38932c in mozilla::net::HttpBaseChannel::SetNotificationCallbacks(nsIInterfaceRequestor*) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpBaseChannel.cpp:612
#8 0x7f623d273a8b in imgRequest::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/image/imgRequest.cpp:880:15
#9 0x7f623b3bf85c in mozilla::net::HttpChannelChild::DoOnStopRequest(nsIRequest*, nsresult, nsISupports*) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1206:16
#10 0x7f623b3cbbda in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStruct const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1099:5
#11 0x7f623b5acc9e in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:93:12
#12 0x7f623b5b6c40 in MaybeFlushQueue /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:324:5
#13 0x7f623b5b6c40 in CompleteResume /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:306
#14 0x7f623b5b6c40 in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:160
#15 0x7f623a9d8371 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
#16 0x7f623a9fd3a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#17 0x7f623aa17868 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#18 0x7f623b7e9806 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
#19 0x7f623b749e6b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#20 0x7f623b749e6b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#21 0x7f623b749e6b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#22 0x7f62411cc92f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#23 0x7f62454e5487 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
#24 0x7f623b749e6b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#25 0x7f623b749e6b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#26 0x7f623b749e6b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#27 0x7f62454e4e3a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
#28 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#29 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#30 0x7f625819c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 (Web Content) here:
#0 0x4bc44c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
#1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
#2 0x7f623d25563b in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
#3 0x7f623d25563b in imgLoader::CreateNewProxyForRequest(imgRequest*, nsILoadGroup*, nsIDocument*, imgINotificationObserver*, unsigned int, imgRequestProxy**) /builds/worker/workspace/build/src/image/imgLoader.cpp:1122
#4 0x7f623d262c1d in imgLoader::LoadImage(nsIURI*, nsIURI*, nsIURI*, mozilla::net::ReferrerPolicy, nsIPrincipal*, unsigned long, nsILoadGroup*, imgINotificationObserver*, nsINode*, nsIDocument*, unsigned int, nsISupports*, unsigned int, nsTSubstring<char16_t> const&, bool, imgRequestProxy**) /builds/worker/workspace/build/src/image/imgLoader.cpp:2401:10
#5 0x7f623d3f7369 in nsContentUtils::LoadImage(nsIURI*, nsINode*, nsIDocument*, nsIPrincipal*, unsigned long, nsIURI*, mozilla::net::ReferrerPolicy, imgINotificationObserver*, int, nsTSubstring<char16_t> const&, imgRequestProxy**, unsigned int, bool) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3841:21
#6 0x7f623d533c6a in nsImageLoadingContent::LoadImage(nsIURI*, bool, bool, nsImageLoadingContent::ImageLoadType, bool, nsIDocument*, unsigned int, nsIPrincipal*) /builds/worker/workspace/build/src/dom/base/nsImageLoadingContent.cpp:1012:17
#7 0x7f623d53512b in nsImageLoadingContent::LoadImage(nsTSubstring<char16_t> const&, bool, bool, nsImageLoadingContent::ImageLoadType, nsIPrincipal*) /builds/worker/workspace/build/src/dom/base/nsImageLoadingContent.cpp:889:10
#8 0x7f62406407cc in mozilla::dom::SVGFEImageElement::LoadSVGImage(bool, bool) /builds/worker/workspace/build/src/dom/svg/SVGFEImageElement.cpp:97:10
#9 0x7f6240640af0 in mozilla::dom::SVGFEImageElement::AfterSetAttr(int, nsAtom*, nsAttrValue const*, nsAttrValue const*, nsIPrincipal*, bool) /builds/worker/workspace/build/src/dom/svg/SVGFEImageElement.cpp:135:7
#10 0x7f623d5e40a4 in mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, nsIDocument*, mozAutoDocUpdate const&) /builds/worker/workspace/build/src/dom/base/Element.cpp:2778:10
#11 0x7f623d5e5ba5 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2618:10
#12 0x7f6240d5ac9d in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIContent.h:380:12
#13 0x7f6240d5ac9d in nsXMLContentSink::AddAttributes(char16_t const**, nsIContent*) /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:1417
#14 0x7f6240d5595f in nsXMLContentSink::HandleStartElement(char16_t const*, char16_t const**, unsigned int, unsigned int, bool) /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:975:12
#15 0x7f623c70d5bf in nsExpatDriver::HandleStartElement(char16_t const*, char16_t const**) /builds/worker/workspace/build/src/parser/htmlparser/nsExpatDriver.cpp:379:7
#16 0x7f62433889fd in doContent /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:2468:11
#17 0x7f624337ec0a in contentProcessor /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:2098:27
#18 0x7f624337ec0a in doProlog /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:4078
#19 0x7f624337566d in prologProcessor /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:3812:10
#20 0x7f624337566d in prologInitProcessor /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:3629
#21 0x7f6243373941 in MOZ_XML_Parse /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:1530:17
#22 0x7f623c7133e7 in nsExpatDriver::ParseBuffer(char16_t const*, unsigned int, bool, unsigned int*) /builds/worker/workspace/build/src/parser/htmlparser/nsExpatDriver.cpp:999:16
#23 0x7f623c714572 in nsExpatDriver::ConsumeToken(nsScanner&, bool&) /builds/worker/workspace/build/src/parser/htmlparser/nsExpatDriver.cpp:1097:5
#24 0x7f623c7211e0 in nsParser::Tokenize(bool) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1539:30
#25 0x7f623c71ca65 in nsParser::ResumeParse(bool, bool, bool) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1056:41
#26 0x7f623c7223da in nsParser::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1437:12
#27 0x7f623b3ca306 in DoOnDataAvailable /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:971:28
#28 0x7f623b3ca306 in mozilla::net::HttpChannelChild::OnTransportAndData(nsresult const&, nsresult const&, unsigned long const&, unsigned int const&, nsTString<char> const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:897
#29 0x7f623b5acc9e in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:93:12
#30 0x7f623b5b6c40 in MaybeFlushQueue /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:324:5
#31 0x7f623b5b6c40 in CompleteResume /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:306
#32 0x7f623b5b6c40 in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:160
#33 0x7f623a9d8371 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
#34 0x7f623a9fd3a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#35 0x7f623aa17868 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#36 0x7f623b7e9811 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/base/ImageTracker.cpp:153:17 in mozilla::dom::ImageTracker::RequestDiscardAll()
Shadow bytes around the buggy address:
0x0c188006e560: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c188006e570: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c188006e580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c188006e590: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c188006e5a0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
=>0x0c188006e5b0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c188006e5c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c188006e5d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c188006e5e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c188006e5f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c188006e600: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==14662==ABORTING
|
||
Updated•7 years ago
|
Keywords: csectype-uaf,
sec-high
|
|
||
Updated•7 years ago
|
Group: core-security → dom-core-security
|
||
Comment 1•7 years ago
|
||
I expect this is a dupe of bug 1414762.
|
||
Comment 2•7 years ago
|
||
(In reply to Timothy Nikkel (:tnikkel) from comment #1) > I expect this is a dupe of bug 1414762. Hi Nils, could you please confirm if this has been fixed on the latest nightly?
Flags: needinfo?(nils)
Hi, I can confirm this doesn't reproduce in the latest nightly build.
Flags: needinfo?(nils)
|
||
Updated•7 years ago
|
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
|
||
Updated•6 years ago
|
Whiteboard: [adv-main58-]
|
|
||
Updated•6 years ago
|
Flags: sec-bounty?
|
|
||
Updated•6 years ago
|
Flags: sec-bounty? → sec-bounty-
|
|
||
Updated•6 years ago
|
Group: dom-core-security
|
Assignee | |
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•