Closed Bug 1451405 Opened 2 years ago Closed 2 years ago

debug-only image observers run script during painting.

Categories

(Core :: DOM: Core & HTML, enhancement)

enhancement
Not set

Tracking

()

RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: emilio, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-other, Whiteboard: [adv-main61-][post-critsmash-triage])

Attachments

(1 file)

Which breaks assertions we want to add.
Attached patch Patch.Splinter Review
Notify off a script runner for this stuff.
Attachment #8964984 - Flags: review?(bzbarsky)
Group: core-security
Comment on attachment 8964984 [details] [diff] [review]
Patch.

>+  RefPtr<nsIURI> uri = mURI->ToIURI();

Why not nsCOMPtr?  Normally that's what we would use with an nsI* thing.

r=me with that fixed or explained.
Attachment #8964984 - Flags: review?(bzbarsky) → review+
Group: core-security → dom-core-security
Group: dom-core-security → core-security-release
(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #3)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/
> c989bd874ddb726eb0d2c6390441d844e11098b2
> https://hg.mozilla.org/mozilla-central/rev/c989bd874ddb

How did this even get checked in without a sec-approval and a security rating?
Flags: needinfo?(emilio)
Dan points out from the summary that this may be debug only? If so, I guess it made sense to check in. Emilio, can you confirm?
Not visible in the patch itself but this is in an "ifdef DEBUG" block and doesn't affect releases.
Flags: needinfo?(emilio)
It's debug only, yes.
Whiteboard: [adv-main61-]
Flags: qe-verify-
Whiteboard: [adv-main61-] → [adv-main61-][post-critsmash-triage]
Component: DOM → DOM: Core & HTML
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.