Closed
Bug 1492080
Opened 6 years ago
Closed 6 years ago
AddressSanitizer: heap-use-after-free [@ nsDisplayListBuilder::RemoveFromWillChangeBudget] with READ of size 8
Categories
(Core :: Web Painting, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1492034
| Tracking | Status | |
|---|---|---|
| firefox64 | --- | fixed |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, csectype-uaf, regression, Whiteboard: [adv-main64-])
Attachments
(1 file)
|
26.53 KB,
text/plain
|
Details |
The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 64.0a1-20180917220115-https://hg.mozilla.org/mozilla-central/rev/87a95e1b7ec691bef7b938e722fe1b01cce68664. For detailed crash information, see attachment.
|
Reporter | |
Comment 1•6 years ago
|
||
|
|
Reporter | |
Updated•6 years ago
|
Flags: sec-bounty?
|
||
Comment 3•6 years ago
|
||
This looks like another display list crash, if you could take a look, Matt. Thanks.
Group: core-security → layout-core-security
Component: Layout → Layout: Web Painting
Flags: needinfo?(matt.woodrow)
Keywords: csectype-uaf
|
|
||
Comment 4•6 years ago
|
||
RyanVM pointed out that there are some existing display list crashes that were fixed by a backout, and this looks like one of them.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(matt.woodrow)
Resolution: --- → DUPLICATE
|
||
Updated•6 years ago
|
Flags: sec-bounty? → sec-bounty-
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
Whiteboard: [adv-main64-]
|
||
Updated•4 years ago
|
Group: layout-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•