Closed Bug 1428684 Opened 6 years ago Closed 6 years ago

Reduce the chance of UAF when changing states of MDSM

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla59

Tracking Flags:

Tracking

Status

firefox59

---

fixed

People

(Reporter: jwwang, Assigned: jwwang)

Details

Attachments

(1 file)

Bug 1428684 - reduce the chance of UAF when changing states of MDSM. 6 years ago JW Wang [:jwwang] [:jw_wang] 59 bytes, text/x-review-board-request	kaku : review+	Details

JW Wang [:jwwang] [:jw_wang]

Assignee

Description

•

6 years ago

https://searchfox.org/mozilla-central/rev/f42618c99dcb522fb674221acfbc68c2d92e7936/dom/media/MediaDecoderStateMachine.cpp#279-282

SetState() will delete the current state object and UAF will happen if members are accessed after this call.

However, sometimes it is not obvious if SetState() is called indirectly as we do in MaybeFinishSeek().

https://searchfox.org/mozilla-central/rev/f42618c99dcb522fb674221acfbc68c2d92e7936/dom/media/MediaDecoderStateMachine.cpp#1310

To make it less error-prone, we will keep the old state object alive for a bit longer and set mMaster to null to catch potential UAF.

Comment hidden (mozreview-request)

SetState() will delete the current state object and UAF will happen if members
are accessed after this call. However, sometimes it is not obvious if SetState()
is called indirectly as we do in MaybeFinishSeek().

To make it less error-prone, we will keep the old state object alive for a bit
longer and set mMaster to null to catch potential UAF.

Review commit: https://reviewboard.mozilla.org/r/210800/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/210800/

JW Wang [:jwwang] [:jw_wang]

Assignee

Updated

•

6 years ago

Attachment #8940591 - Flags: review?(kaku)

Tzuhao Kuo [:kaku]

Comment 2

•

6 years ago

mozreview-review

Comment on attachment 8940591 [details]
Bug 1428684 - reduce the chance of UAF when changing states of MDSM.

https://reviewboard.mozilla.org/r/210800/#review217016

Isn't the original way easier to show a pattern of some potential faults?

Attachment #8940591 - Flags: review?(kaku) → review+

JW Wang [:jwwang] [:jw_wang]

Assignee

Comment 3

•

6 years ago

mozreview-review-reply

Comment on attachment 8940591 [details]
Bug 1428684 - reduce the chance of UAF when changing states of MDSM.

https://reviewboard.mozilla.org/r/210800/#review217016

Not really. The original code will result in UAF which might show a crash stack which seems unrelated to MDSM.

JW Wang [:jwwang] [:jw_wang]

Assignee

Comment 4

•

6 years ago

Thanks!

JW Wang [:jwwang] [:jw_wang]

Assignee

Updated

•

6 years ago

Assignee: nobody → jwwang

Priority: -- → P3

Pulsebot

Comment 5

•

6 years ago

Pushed by jwwang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/afb1b6f44c25
reduce the chance of UAF when changing states of MDSM. r=kaku

Eliza Balazs [:ebalazs_]

Comment 6

•

6 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/afb1b6f44c25

Status: NEW → RESOLVED

Closed: 6 years ago

status-firefox59: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla59

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Reduce the chance of UAF when changing states of MDSM

Categories

(Core :: Audio/Video: Playback, enhancement, P3)

Tracking

()

People

(Reporter: jwwang, Assigned: jwwang)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Comment 2

Comment 3

Comment 4

Updated

Comment 5

Comment 6

Attachment

General

Description

File Name

Content Type