Closed Bug 1438165 Opened 2 years ago Closed 2 years ago

Incorrect display item arena allocations / deallocations

Categories: Core :: Web Painting, defect
Tracking: RESOLVED FIXED, target milestone mozilla60
Tracking Status: firefox60 --- fixed
People: Reporter: miko, Assigned: miko
Attachments: 1 file

Memory management for different size display items that share a type is handled incorrectly.
Group: mozilla-employee-confidential
[Pretty sure you meant to mark this as a "Security-Sensitive Layout Bug" rather than "Employee-Confidential". Both are hidden, but to different groups. --> Fixing.]
Group: mozilla-employee-confidential → layout-core-security
Attachment #8951272 - Flags: review?(matt.woodrow)
(In reply to Daniel Holbert [:dholbert] from comment #1)
> [Pretty sure you meant to mark this as a "Security-Sensitive Layout Bug"
> rather than "Employee-Confidential". Both are hidden, but to different
> groups. --> Fixing.]

I was not completely sure about the security implications of this bug and marked it employee confidential just in case. After examining this further and discussing it with Matt, this is most likely not exploitable at the moment.
Group: layout-core-security
Comment on attachment 8951272 [details] [diff] [review]
unique-displayitem-types.diff

Review of attachment 8951272 [details] [diff] [review]:
-----------------------------------------------------------------

Please make the assertion in nsDisplayListBuilder::Allocate a MOZ_RELEASE_ASSERT too!
Attachment #8951272 - Flags: review?(matt.woodrow) → review+
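The description above (items of different sizes sharing one type) and the review request for a release assertion can be illustrated with a constructed model of a type-keyed arena. This is added example code, not Gecko's nsDisplayListBuilder: the ItemType values, the free-list layout and the `strict` flag are assumptions, and the flag stands in for the MOZ_RELEASE_ASSERT asked for in review.

```cpp
#include <cstddef>
#include <cstdlib>
#include <map>
#include <vector>

// Constructed model (not Gecko's code) of an arena with one free list per
// item type: a freed block is recycled for the next item of that type on the
// assumption that every item of a type has the same size.
enum class ItemType { Background, Border };
struct Block { void* ptr = nullptr; size_t capacity = 0; };

class TypeArena {
 public:
  explicit TypeArena(bool strict) : mStrict(strict) {}
  ~TypeArena() { for (void* p : mAll) std::free(p); }

  // In strict mode a size differing from the one first recorded for the type
  // is rejected (stands in for the release assertion). Without it the mismatch
  // is silent and a recycled block may be smaller than the item placed in it.
  Block Allocate(ItemType type, size_t size) {
    auto rec = mSizeForType.find(type);
    if (rec == mSizeForType.end()) {
      mSizeForType[type] = size;
    } else if (mStrict && rec->second != size) {
      return Block{};  // rejected: two sizes behind one type tag
    }
    auto& freeList = mFreeLists[type];
    if (!freeList.empty()) {
      Block b = freeList.back(); freeList.pop_back();
      return b;  // capacity is whatever the earlier item needed
    }
    Block b{std::malloc(size), size};
    mAll.push_back(b.ptr);
    return b;
  }
  void Free(ItemType type, Block b) { mFreeLists[type].push_back(b); }

 private:
  bool mStrict;
  std::map<ItemType, size_t> mSizeForType;
  std::map<ItemType, std::vector<Block>> mFreeLists;
  std::vector<void*> mAll;
};

// Two item classes share ItemType::Background but differ in size. Returns the
// capacity actually handed to the 64-byte item (0 means rejected).
size_t CapacityForSecondItem(bool strict) {
  TypeArena arena(strict);
  Block small = arena.Allocate(ItemType::Background, 32);
  arena.Free(ItemType::Background, small);
  return arena.Allocate(ItemType::Background, 64).capacity;
}
```

With the check disabled the 64-byte item receives the recycled 32-byte block; with it enabled the request is refused instead, which is the failure mode a release assertion makes visible in shipped builds.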
Pushed by mikokm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7faf85adc898
Ensure that all display items have a unique type r=mattwoodrow
https://hg.mozilla.org/mozilla-central/rev/7faf85adc898
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Blocks: 1467514
No longer blocks: 1467514