Closed Bug 1488803 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free [@ mozilla::widget::TSFTextStore::InsertTextAtSelectionInternal] with READ of size 4

Categories: Core :: Widget, defect
Platform: x86_64, Windows
Type: defect
Priority: Not set
Severity: critical

Status: VERIFIED FIXED
Milestone: mozilla64

Tracking Status:
firefox-esr60 63+ verified
firefox62 --- wontfix
firefox63 + verified
firefox64 + verified

People: (Reporter: decoder, Assigned: m_kato)

References: (Blocks 1 open bug)

Details: (4 keywords, Whiteboard: [post-critsmash-triage][adv-main63+][adv-esr60.3+])

Attachments: (3 files, 1 obsolete file)

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 64.0a1-20180905123750-https://hg.mozilla.org/mozilla-central/rev/26990836dc5cc3cd1b8027392b79210e71094dc3.

For detailed crash information, see attachment.
I have 16 reports submitted all by the same person here. The DLLs in between the stack seem to belong to the Microsoft Office IME.

Question for the original reporter: Are you able to reproduce this by interacting somehow with Microsoft Office? Or do you have any kind of special setup related to these DLLs?
Flags: needinfo?(ash153311)
Crash Signature: [@ mozilla::widget::TSFTextStore::InsertTextAtSelectionInternal]
:jimm, it appears you worked on some of this code. Can you take a look or suggest who might be able to dive into this? Thanks!
Flags: needinfo?(jmathies)
I reproduced the issue when I entered Korean in the URL bar and clicked the space bar (not English).
Therefore, Firefox with AddressSanitizer was accidentally closed.
(The normal Firefox Nightly build was not affected.)
In addition, I am using Microsoft Office Insider (version 1809, 10823.20000).
Flags: needinfo?(ash153311)
I am going to reinstall stable Microsoft Office 365.
I have reinstalled Office 365 ProPlus (version 1803 9126.2275), but the Firefox AddressSanitizer build has crashed.
I have refreshed the Firefox AddressSanitizer build, but it has crashed when I input Korean into the URL bar.

{
  "application": {
    "name": "Firefox",
    "osVersion": "Windows_NT 10.0",
    "version": "64.0a1",
    "buildID": "20180905123750",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0",
    "safeMode": false,
    "updateChannel": "nightly",
    "supportURL": "https://support.mozilla.org/1/firefox/64.0a1/WINNT/en-US/",
    "numTotalWindows": 1,
    "numRemoteWindows": 1,
    "remoteAutoStart": true,
    "currentContentProcesses": 4,
    "maxContentProcesses": 4,
    "autoStartStatus": 1,
    "policiesStatus": 0,
    "keyGoogleFound": true,
    "keyMozillaFound": true
  },
  "securitySoftware": {
    "registeredAntiVirus": "Windows Defender 바이러스 백신",
    "registeredAntiSpyware": "Windows Defender 바이러스 백신",
    "registeredFirewall": "Windows 방화벽"
  },
  "modifiedPreferences": {
    "browser.cache.disk.capacity": 1048576,
    "browser.cache.disk.filesystem_reported": 1,
    "browser.cache.disk.smart_size.first_run": false,
    "browser.sessionstore.upgradeBackup.latestBuildID": "20180905123750",
    "browser.startup.homepage_override.buildID": "20180905123750",
    "browser.startup.homepage_override.mstone": "64.0a1",
    "browser.tabs.warnOnClose": false,
    "browser.urlbar.placeholderName": "Google",
    "browser.urlbar.timesBeforeHidingSuggestionsHint": 0,
    "dom.forms.autocomplete.formautofill": true,
    "extensions.lastAppVersion": "64.0a1",
    "layers.mlgpu.sanity-test-failed": false,
    "media.gmp.storage.version.observed": 1,
    "media.hardware-video-decoding.failed": false,
    "network.predictor.cleaned-up": true,
    "places.history.expiration.transient_current_max_pages": 148104,
    "plugin.disable_full_page_plugin_for_types": "application/pdf",
    "privacy.sanitize.pending": "[{\"id\":\"newtab-container\",\"itemsToClear\":[],\"options\":{}}]",
    "services.sync.declinedEngines": "addons,prefs",
    "services.sync.lastPing": 1536174186,
    "services.sync.lastSync": "Wed Sep 05 2018 15:05:45 GMT-0400 (Eastern Daylight Time)",
    "services.sync.engine.prefs": false,
    "services.sync.engine.bookmarks.validation.lastTime": 1536174343,
    "services.sync.engine.passwords.validation.lastTime": 1536174343,
    "services.sync.engine.addresses": true,
    "services.sync.engine.addons": false,
    "services.sync.engine.creditcards": true,
    "services.sync.engine.prefs.modified": false,
    "services.sync.engine.addresses.available": true,
    "services.sync.engine.creditcards.available": true,
    "signon.importedFromSqlite": true,
    "ui.osk.debug.keyboardDisplayReason": "IKPOS: Touch screen not found."
  }
}
Group: core-security → layout-core-security
Steps to reproduce:
1. Start the latest Firefox ASan build (not the normal Firefox Nightly).
2. Enter Korean into any input field (I used the URL bar).
3. Click the space bar or the backspace button.
4. Re-enter Korean into the same field.

Result:

Firefox crashed.
Flags: sec-bounty?
According to the attachment, the crash line is here:

https://searchfox.org/mozilla-central/rev/6201a9e0067cf6af118c6a99ae9314b8ceb2c4d5/widget/windows/TSFTextStore.cpp#5292
>    TS_SELECTION_ACP oldSelection = contentForTSF.Selection().ACP();
>    if (!mComposition.IsComposing()) {
>      // Use a temporary composition to contain the text
>      PendingAction* compositionStart = mPendingActions.AppendElement();
>      compositionStart->mType = PendingAction::Type::eCompositionStart;
>      compositionStart->mSelectionStart = oldSelection.acpStart;
>      compositionStart->mSelectionLength =
>        oldSelection.acpEnd - oldSelection.acpStart;
>      compositionStart->mAdjustSelection = false;
>  
>      PendingAction* compositionEnd = mPendingActions.AppendElement();
>      compositionEnd->mType = PendingAction::Type::eCompositionEnd;
>      compositionEnd->mData = aInsertStr;
>>     compositionEnd->mSelectionStart = compositionStart->mSelectionStart;
>  
>      MOZ_LOG(sTextStoreLog, LogLevel::Debug,

compositionStart->mSelectionStart is LONG, so this is 4 bytes. However, compositionStart is the result of nsTArray<PendingAction>::AppendElement(). I don't understand what happened.
(In reply to Masayuki Nakano [:masayuki] (JST, +0900) (offline: 9/21-9/30) from comment #12)
> compositionStart->mSelectionStart is LONG, so this is 4 bytes. However,
> compositionStart is the result of nsTArray<PendingAction>::AppendElement(). I
> don't understand what happened.

This attached report means use-after-free...
Taegeon, with which IME do you reproduce this? The Microsoft Korean IME that is installed on Windows 10?
Flags: needinfo?(ash153311)
Yes, I use the installed Korean IME on Windows 10.
Flags: needinfo?(ash153311)
(In reply to Makoto Kato [:m_kato] (PTO 9/2 - 9/9) from comment #13)
> (In reply to Masayuki Nakano [:masayuki] (JST, +0900) (offline: 9/21-9/30)
> from comment #12)
> > compositionStart->mSelectionStart is LONG, so this is 4 bytes. However,
> > compositionStart is the result of nsTArray<PendingAction>::AppendElement(). I
> > don't understand what happened.
> 
> This attached report means use-after-free...

compositionStart should still be in the heap here...
ASAN says that AppendElement may cause realloc.  

0x119bd7d04d44 is located 68 bytes inside of 128-byte region [0x119bd7d04d00,0x119bd7d04d80)
freed by thread T0 here:
    #0 0x7ff8866b42d5 in realloc Z:\task_1536324217\build\src\build\build-clang\build-clang\src\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:97
    #1 0x7ff8b00b3ccd in moz_xrealloc z:\build\build\src\memory\mozalloc\mozalloc.cpp:93
    #2 0x7ff865c0618d in nsTArray_base<nsTArrayInfallibleAllocator,nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator> z:\build\build\src\obj-firefox\dist\include\nsTArray-inl.h:183
    #3 0x7ff86fcaab91 in mozilla::widget::TSFTextStore::InsertTextAtSelectionInternal z:\build\build\src\widget\windows\TSFTextStore.cpp:5289

So after creating compositionEnd, we should not touch compositionStart.
Assignee: nobody → m_kato
Ah, good point. Perhaps, there could be similar mistakes around TSFTextStore.
After landing bug 1475153, this UAF occurs. But even if it isn't 63, the logging code causes this UAF. So 63+ has the UAF. But on ESR60 the UAF doesn't occur with normal settings.
Comment on attachment 9007723 [details] [diff] [review]
Don't allocate PwndingAction twice

This is a possible use-after-free caused by the following code.

  PendingAction* compositionStart = mPendingActions.AppendElement();
  PendingAction* compositionEnd = mPendingActions.AppendElement();

When calling AppendElement twice, the return value (compositionStart) of the first AppendElement call may become an invalid pointer since AppendElement may call realloc().

So we should use AppendElements instead of calling AppendElement twice.
Attachment #9007723 - Flags: review?(masayuki)
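The pointer invalidation described in the comment above, together with the two remedies mentioned in this thread (a single AppendElements call, and copying the selection values), as an added C++ example that is not Firefox code and not the landed patch. ActionArray and the simplified PendingAction are hypothetical stand-ins for nsTArray<PendingAction>, and the array always relocates on growth to model the worst case of realloc().

```cpp
// Added illustration, not Firefox code: ActionArray and PendingAction are
// simplified stand-ins for nsTArray<PendingAction> in TSFTextStore.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

enum ActionType { eCompositionStart, eCompositionEnd };

struct PendingAction {
  ActionType mType;
  long mSelectionStart;
  long mSelectionLength;
  bool mAdjustSelection;
};

class ActionArray {
 public:
  ActionArray() = default;
  ActionArray(const ActionArray&) = delete;
  ActionArray& operator=(const ActionArray&) = delete;
  ~ActionArray() { std::free(mData); }

  // Both calls return a pointer INTO the buffer, valid only until the next growth.
  PendingAction* AppendElement() { return AppendElements(1); }
  PendingAction* AppendElements(std::size_t aCount) {
    EnsureCapacity(mLength + aCount);
    PendingAction* first = mData + mLength;
    std::memset(first, 0, aCount * sizeof(PendingAction));
    mLength += aCount;
    return first;
  }
  std::size_t Length() const { return mLength; }
  PendingAction& operator[](std::size_t aIndex) { return mData[aIndex]; }

 private:
  // Models the worst case of realloc(): the block always moves and the old
  // one is freed. A real allocator often grows in place, which hides the bug.
  void EnsureCapacity(std::size_t aNeeded) {
    if (aNeeded <= mCapacity) return;
    std::size_t newCapacity = mCapacity ? mCapacity * 2 : 1;
    while (newCapacity < aNeeded) newCapacity *= 2;
    void* fresh = std::malloc(newCapacity * sizeof(PendingAction));
    if (!fresh) std::abort();
    if (mLength) std::memcpy(fresh, mData, mLength * sizeof(PendingAction));
    std::free(mData);
    mData = static_cast<PendingAction*>(fresh);
    mCapacity = newCapacity;
  }
  PendingAction* mData = nullptr;
  std::size_t mLength = 0;
  std::size_t mCapacity = 0;
};

// The hazardous shape: after the second append, the address returned by the
// first one no longer belongs to the array. Only addresses are compared; the
// stale pointer is never dereferenced.
bool FirstSlotMovedAfterSecondAppend() {
  ActionArray actions;
  PendingAction* compositionStart = actions.AppendElement();
  const std::uintptr_t before = reinterpret_cast<std::uintptr_t>(compositionStart);
  compositionStart = nullptr;  // anything kept past this point would dangle
  actions.AppendElement();     // grows from capacity 1 to 2: buffer relocates
  return before != reinterpret_cast<std::uintptr_t>(&actions[0]);
}

// Remedy 1: reserve both slots in one call, so the single growth step happens
// before either pointer exists.
long InsertWithAppendElements(ActionArray& aActions, long aStart, long aEnd) {
  PendingAction* pair = aActions.AppendElements(2);
  pair[0].mType = eCompositionStart;
  pair[0].mSelectionStart = aStart;
  pair[0].mSelectionLength = aEnd - aStart;
  pair[1].mType = eCompositionEnd;
  pair[1].mSelectionStart = pair[0].mSelectionStart;  // same live block
  return pair[1].mSelectionStart;
}

// Remedy 2: copy the values into locals and drop the first pointer before
// appending again.
long InsertWithCopiedValues(ActionArray& aActions, long aStart, long aEnd) {
  const long selectionStart = aStart;
  const long selectionLength = aEnd - aStart;
  PendingAction* action = aActions.AppendElement();
  action->mType = eCompositionStart;
  action->mSelectionStart = selectionStart;
  action->mSelectionLength = selectionLength;
  action = nullptr;  // cleared so the stale address cannot be reused
  action = aActions.AppendElement();
  action->mType = eCompositionEnd;
  action->mSelectionStart = selectionStart;  // local copy, not the old slot
  return action->mSelectionStart;
}

int main() {
  ActionArray a, b;
  bool ok = FirstSlotMovedAfterSecondAppend() &&
            InsertWithAppendElements(a, 3, 8) == 3 &&
            InsertWithCopiedValues(b, 4, 9) == 4;
  return ok ? 0 : 1;
}
```

With a production allocator the second append frequently grows the block in place, so the stale read returns the expected value and only an instrumented build such as ASan flags it.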
Comment on attachment 9007723 [details] [diff] [review]
Don't allocate PwndingAction twice

You need to fix here too:
https://searchfox.org/mozilla-central/rev/d4ef4e9747133aa2914aca2a15cf9df1e42a6aa0/widget/windows/TSFTextStore.cpp#5511,5518,5520-5521
(and perhaps, above |action| should be cleared with nullptr for safety.)
Attachment #9007723 - Flags: review?(masayuki)
(In reply to Masayuki Nakano [:masayuki] (JST, +0900) (offline: 9/21-9/30) from comment #22)
> Comment on attachment 9007723 [details] [diff] [review]
> Don't allocate PwndingAction twice
> 
> You need to fix here too:
> https://searchfox.org/mozilla-central/rev/d4ef4e9747133aa2914aca2a15cf9df1e42a6aa0/widget/windows/TSFTextStore.cpp#5511,5518,5520-5521
> (and perhaps, above |action| should be cleared with nullptr for safety.)

OK.
Attachment #9007723 - Attachment is obsolete: true
Comment on attachment 9007993 [details] [diff] [review]
Don't allocate PwndingAction twice

copy selection start and length for safety.
Attachment #9007993 - Flags: review?(masayuki)
Comment on attachment 9007993 [details] [diff] [review]
Don't allocate PwndingAction twice

Thank you for fixing my mistakes!
Attachment #9007993 - Flags: review?(masayuki) → review+
Btw, it's not certain, but a quick scan of the tree for similar patterns didn't find anything
Comment on attachment 9007993 [details] [diff] [review]
Don't allocate PwndingAction twice

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

This is a use-after-free, but it is a 4-byte read (as the offset value of a string) of a possibly unallocated area after calling realloc on the same thread.

So it is difficult to create an exploit, and it requires user interaction to input characters via an IME.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No

Which older supported branches are affected by this flaw?

at least, 60+

If not all supported branches, which bug introduced the flaw?

N/A

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

60+

How likely is this patch to cause regressions; how much testing does it need?

No, because this change means that we don't call AppendElement twice. The test case is comment #10.
Attachment #9007993 - Flags: sec-approval?
Comment on attachment 9007993 [details] [diff] [review]
Don't allocate PwndingAction twice

As a sec-moderate, this doesn't need sec-approval to land on mozilla-central.

https://wiki.mozilla.org/Security/Bug_Approval_Process
Attachment #9007993 - Flags: sec-approval?
https://hg.mozilla.org/integration/mozilla-inbound/rev/a9fdec3eed75112ddf060a383cfadded04d1d29a
https://hg.mozilla.org/mozilla-central/rev/a9fdec3eed75
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Surprisingly, this caused bug 1488141 (i.e., the space was filled with different data).

In InsertTextAtSelectionInternal(), both mSelectionStart values should be set to the same value. However, when IsLastPendingActionCompositionEndAt() checks the selection range, the new composition range and the inserted text range do not match since the compositionend stores a different value.
https://searchfox.org/mozilla-central/rev/dd965445ec47fbf3cee566eff93b301666bda0e1/widget/windows/TSFTextStore.cpp#5411

Then, RecordCompositionStartAction() creates another composition, setting mAdjustSelection to true (the range is the same as the range of the inserted text).
https://searchfox.org/mozilla-central/rev/dd965445ec47fbf3cee566eff93b301666bda0e1/widget/windows/TSFTextStore.cpp#5429-5432,5440-5441,5444

Finally, RecordCompositionEndAction() decides that the other composition is redundant since the composition has not been exposed to the web yet and the text is not changed by the composition:
https://searchfox.org/mozilla-central/rev/dd965445ec47fbf3cee566eff93b301666bda0e1/widget/windows/TSFTextStore.cpp#5510-5515

After that, it'll *restore* the selection to the same as before the other composition.
https://searchfox.org/mozilla-central/rev/dd965445ec47fbf3cee566eff93b301666bda0e1/widget/windows/TSFTextStore.cpp#5510-5515

Therefore, every input text is selected and the next typing replaces the text with new text. This is the symptom of bug 1488141.

Makoto-san, could you request uplift to beta? This needs to be fixed in beta 63 for Korean users.
Please request Beta & ESR60 approval on this when you get a chance.
Flags: needinfo?(jmathies) → needinfo?(m_kato)
Do we need to hide comment 6 and comment 9 before making this bug public?

Not sure why I rated this sec-moderate originally. Perhaps I minimized it because the bug only affected a small fraction of our user-base. But for affected users (a whole country!) it qualifies as sec-high.
Flags: sec-bounty? → sec-bounty+
Keywords: sec-moderate → sec-high
I think it was the requirement for user interaction, and we thought it was a 3rd party IME, and didn't realize it was a default Windows IME.
I tested Firefox asan build 20180917100342-https://hg.mozilla.org/mozilla-central/rev/7ac2e2fc613b444a5f972c83502848082d3302cd. It properly works.
The user-affecting issue is caused by bug 1475153, starting from 63. On the other hand, the other point is caused by bug 1234216, starting from 46 (oh, so the latter needs an uplift to 60ESR...). I'm not sure why only the first case affects users. A reallocation timing issue, or the compiler change from VC to clang? If the old space is not reused so immediately, it shouldn't cause any visible symptom.
(In reply to Masayuki Nakano [:masayuki] (JST, +0900) (offline: 9/21-9/30) from comment #36)
> The user-affecting issue is caused by bug 1475153, starting from 63. On the
> other hand, the other point is caused by bug 1234216, starting from 46 (oh,
> so the latter needs an uplift to 60ESR...). I'm not sure why only the first
> case affects users. A reallocation timing issue, or the compiler change from
> VC to clang? If the old space is not reused so

No, the ASAN build was added recently, after landing/supporting clang-cl. So there was no way to detect this issue before the ASAN build.
realloc is implemented by jemalloc, and even if realloc is called, in most cases it won't change the heap address since the heap has enough memory space. (Reuse is immediate, so the heap won't be overwritten by other code when using it again.)
Comment on attachment 9007993 [details] [diff] [review]
Don't allocate PwndingAction twice

Approval Request Comment
[Feature/Bug causing the regression]:
No as supported branch. But bug 1475153 can cause the use-after-free easily with the attached reproduction steps and the Microsoft Korean IME.

[User impact if declined]:
This issue is a possible use-after-free. When using the Korean IME, it might cause a use-after-free when inputting any character after committing the composing string.

[Is this code covered by automated tests?]:
No.

[Has the fix been verified in Nightly?]:
Yes.

[Needs manual test from QE? If yes, steps to reproduce]: 
1. Install Microsoft Korean IME
2. Set focus to address bar, then turn on IME
3. Type [A], [B], [Space] and [A]

[List of other uplifts needed for the feature/fix]:
None

[Is the change risky?]:
No

[Why is the change risky/not risky?]:
Don't allocate object twice.  (allocation may cause realloc)

[String changes made/needed]:
No
Flags: needinfo?(m_kato)
Attachment #9007993 - Flags: approval-mozilla-beta?
(In reply to Makoto Kato [:m_kato] from comment #37)
> (In reply to Masayuki Nakano [:masayuki] (JST, +0900) (offline: 9/21-9/30)
> from comment #36)
> > The user-affecting issue is caused by bug 1475153, starting from 63. On the
> > other hand, the other point is caused by bug 1234216, starting from 46 (oh,
> > so the latter needs an uplift to 60ESR...). I'm not sure why only the first
> > case affects users. A reallocation timing issue, or the compiler change from
> > VC to clang? If the old space is not reused so
> 
> No, the ASAN build was added recently, after landing/supporting clang-cl. So
> there was no way to detect this issue before the ASAN build.
> realloc is implemented by jemalloc, and even if realloc is called, in most
> cases it won't change the heap address since the heap has enough memory space.
> (Reuse is immediate, so the heap won't be overwritten by other code when using
> it again.)

Yeah, I believed so. But bug 1475153 is reported with normal build, and I can reproduce it easily.
Comment on attachment 9007993 [details] [diff] [review]
Don't allocate PwndingAction twice

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: 
Possible use-after-free. Although 63+ has easy reproduction steps, there are no easy steps on ESR60. But the code still has the use-after-free even on ESR60.

Fix Landed on Version:
64

Risk to taking this patch (and alternatives if risky): 
Too low.  Don't allocate array element twice after this fix.

String or UUID changes made by this patch: 
No

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #9007993 - Flags: approval-mozilla-esr60?
Comment on attachment 9007993 [details] [diff] [review]
Don't allocate PwndingAction twice

Fix landed on mozilla-central 4 days ago with no reported regression, approved for 63 Beta 8, thanks.
Attachment #9007993 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify+
Managed to get the crash instantly after inputting Korean characters and pressing the space key in the address bar on 63.0a1 (2018-08-29).
Verified with 20180919100043 for 64.0a1 and 20180919010441 for 63.0b8; no encountered issues.
Status: RESOLVED → VERIFIED
Whiteboard: [post-critsmash-triage]
Comment on attachment 9007993 [details] [diff] [review]
Don't allocate PwndingAction twice

This doesn't graft cleanly to ESR60. Please attach a rebased patch and re-request approval.
Flags: needinfo?(m_kato)
Attachment #9007993 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60-
Attached patch: For ESR60
Comment on attachment 9015421 [details] [diff] [review]
For ESR60

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is sec:high

User impact if declined: Possible use-after-free. Although 63+ has easy reproduction steps, there are no easy steps on ESR60. But the code still has the use-after-free even on ESR60.

Fix Landed on Version: 63

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Don't allocate array element twice after this fix.

String or UUID changes made by this patch: No
Flags: needinfo?(m_kato)
Attachment #9015421 - Flags: approval-mozilla-esr60?
Comment on attachment 9015421 [details] [diff] [review]
For ESR60

Fixes a sec-high, approved for ESR 60.3.
Attachment #9015421 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Verified the ESR(60) with the treeherder build. 
No crash was encountered.
Flags: qe-verify+ → qe-verify-
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main63+][adv-esr60.3+]
Correcting flag status.
Flags: qe-verify-
Group: core-security-release