Closed Bug 1449755 Opened 8 years ago Closed 7 years ago

Crash in nsCOMPtr<T>::nsCOMPtr<T> | nsDocShell::GetChromeEventHandler

Categories

(Core :: Layout, defect)

All
Windows
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox-esr52 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix

People

(Reporter: philipp, Unassigned)

Details

(Keywords: crash, csectype-uaf, sec-moderate)

Crash Data

This bug was filed from the Socorro interface and is report bp-8f154bb2-acbe-40ee-938b-6c69e0180318.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll nsCOMPtr<nsIDOMElement>::nsCOMPtr<nsIDOMElement> xpcom/base/nsCOMPtr.h:486
1 xul.dll nsDocShell::GetChromeEventHandler docshell/base/nsDocShell.cpp:2019
2 xul.dll nsDocumentViewer::CreateStyleSet layout/base/nsDocumentViewer.cpp:2369
3 xul.dll nsPrintEngine::ReflowPrintObject layout/printing/nsPrintEngine.cpp:2270
4 xul.dll nsPrintEngine::ReflowDocList layout/printing/nsPrintEngine.cpp:1901
5 xul.dll nsPrintEngine::InitPrintDocConstruction layout/printing/nsPrintEngine.cpp:1931
6 xul.dll nsPrintEngine::Observe layout/printing/nsPrintEngine.cpp:3713
7 xul.dll mozilla::embedding::PrintProgressDialogChild::RecvDialogOpened toolkit/components/printingui/ipc/PrintProgressDialogChild.cpp:42
8 xul.dll mozilla::embedding::PPrintProgressDialogChild::OnMessageReceived ipc/ipdl/PPrintProgressDialogChild.cpp:193
9 xul.dll mozilla::dom::PContentChild::OnMessageReceived ipc/ipdl/PContentChild.cpp:4896

=============================================================

This is a crash on Windows while printing, UAF in many instances.

A whole lot of comments are indicating that they have tried to print parts of digital newspapers that seem to be hosted through www.pagesuite.com: https://crash-stats.mozilla.com/signature/?product=Firefox&signature=nsCOMPtr%3CT%3E%3A%3AnsCOMPtr%3CT%3E%20|%20nsDocShell%3A%3AGetChromeEventHandler&date=%3E%3D2017-12-30#comments

Could be a sec-high, but looks like all the crashes involve printing which requires more less common user interaction so going with moderate for now.
Keywords: sec-moderate
Group: core-security → layout-core-security
Component: General → Layout
Crash Signature: [@ nsCOMPtr<T>::nsCOMPtr<T> | nsDocShell::GetChromeEventHandler] → [@ nsCOMPtr<T>::nsCOMPtr<T> | nsDocShell::GetChromeEventHandler] [@ RefPtr<T>::RefPtr<T> | nsDocShell::GetChromeEventHandler]
@jwatt I think you said you're going to work on printing code in the near future. Perhaps you can take a look at this when you have that code paged in?
Flags: needinfo?(jwatt)

It looks like 60.0.5 fixed this.

Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jwatt)
Resolution: --- → WORKSFORME
Group: layout-core-security