Closed
Bug 1440783
Opened 6 years ago
Closed 6 years ago
Use-after-free in AppendToLibPath
Categories
(Toolkit :: Application Update, defect)
Tracking
()
RESOLVED
FIXED
mozilla60
| Tracking | Status | |
|---|---|---|
| firefox60 | --- | fixed |
People
(Reporter: mstange, Assigned: mstange)
References
Details
Attachments
(1 file)
|
1.72 KB,
patch
|
Details | Diff | Splinter Review |
The UniquePtr returned by Smprintf is not kept alive for long enough. This was causing crashes in bug 1439118. For some reason these crashes only started happening after an unrelated patch landed (bug 1437428). (It looks like bug 1437428 affects a profiler test which runs in an xpcshell process at the same time as marAppApplyUpdateStageOldVersionFailure.js runs in a different xpcshell process, but it's unclear to me how this could affect things.) Here's a green try push with the patch: https://treeherder.mozilla.org/#/jobs?repo=try&revision=04c01f9e6953643ef1ddfc0d1610d5c920f8002a Here's what the revision this push was based on looked like without the patch: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=b915e160a690eb75d647c3681682064f87869f10&filter-searchStr=linux%20debug%20xpcshell
|
Assignee | |
Comment 1•6 years ago
|
||
Attachment #8953623 -
Flags: review?(robert.strong.bugs)
|
||
Comment 2•6 years ago
|
||
Thanks for reporting this and proposing a fix. I have put in a request to temporarily back out the offending patch from bug 1434666 so I can test it more carefully. I will incorporate your UAF fix in the new version.
|
|
Assignee | |
Comment 3•6 years ago
|
||
Thanks. Fixed by backout of bug 1434666.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8953623 -
Flags: review?(robert.strong.bugs)
You need to log in
before you can comment on or make changes to this bug.
Description
•