Closed
Bug 1479588
Opened 6 years ago
Closed 6 years ago
No null-check on mParentContent when creating remote browsers
Categories
(Core :: DOM: Core & HTML, defect, P2)
Status: RESOLVED FIXED (mozilla63)
People
(Reporter: nika, Assigned: nika)
Details
(Keywords: crash, csectype-nullptr, testcase-wanted, Whiteboard: [sg:dos])
Attachments
(1 file)
We currently do this check for non-remote browsers correctly. This caused me a segfault in some code when running the debugger, due to the debugger attempting to access the loadContext argument of a dead nsFrameLoader and causing a null deref.
Comment 1 • 6 years ago (Assignee)
Comment 2 • 6 years ago

Comment on attachment 8996092 [details]
Bug 1479588 - Check mOwnerContent when starting new remote browser, r=bzbarsky

Boris Zbarsky [:bz] (no decent commit message means r-) has approved the revision.
https://phabricator.services.mozilla.com/D2524

Attachment #8996092 - Flags: review+
Comment 3 • 6 years ago
Is this really a security bug? "dead nsFrameLoader" sounds bad, but this patch fixes a guaranteed null-deref. Are there other places/ways the dead nsFrameLoader could be referenced and do bad things without hitting this null? If so that's not getting fixed here (yet?) but does sound like a good reason to keep the bug hidden.
Group: core-security → dom-core-security
Has STR: --- → no
Flags: needinfo?(nika)
Comment 4 • 6 years ago (Assignee)

(In reply to Daniel Veditz [:dveditz] from comment #3)
> Is this really a security bug? "dead nsFrameLoader" sounds bad, but this
> patch fixes a guaranteed null-deref. Are there other places/ways the dead
> nsFrameLoader could be referenced and do bad things without hitting this
> null? If so that's not getting fixed here (yet?) but does sound like a good
> reason to keep the bug hidden.

I am not aware of any way to trigger this without opening the jsdebugger, and I don't think there's any way to make it anything other than a null-deref, so I imagine this is not really a sec bug, but I marked it as one just in case.
Flags: needinfo?(nika)
Updated • 6 years ago
Group: dom-core-security
Whiteboard: [sg:dos]
Updated • 6 years ago
Priority: -- → P2
Updated • 6 years ago

Attachment #8996092 - Attachment description: Bug 1479588 - Check mParentContent when starting new remote browser, r=bzbarsky → Bug 1479588 - Check mOwnerContent when starting new remote browser, r=bzbarsky

Pushed by nlayzell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a578e22f77c6
Check mOwnerContent when starting new remote browser, r=bzbarsky
Comment 6 • 6 years ago

bugherder
https://hg.mozilla.org/mozilla-central/rev/a578e22f77c6
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox63: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Updated • 6 years ago

status-firefox61: --- → wontfix
status-firefox62: --- → wontfix
status-firefox-esr52: --- → wontfix
status-firefox-esr60: --- → wontfix
Updated • 5 years ago
Component: DOM → DOM: Core & HTML
Updated • 5 years ago
Type: enhancement → defect