Closed Bug 1588579 Opened 5 years ago Closed 5 years ago

AddressSanitizer: heap-use-after-free [@ WaylandDMABufSurface::Resize] with READ of size 4

Categories

(Core :: Widget: Gtk, defect)

Product:
Core
Component:
Widget: Gtk
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla71
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- unaffected
firefox71 --- fixed

People

(Reporter: decoder, Assigned: stransky)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(2 files)

Detailed Crash Information
26.59 KB, text/plain
Details
Bug 1588579 [Wayland] Use explicit names for surface release methods, r=jhorak
47 bytes, text/x-phabricator-request
Details | Review

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 71.0a1-20191013213650-https://hg.mozilla.org/mozilla-central/rev/3bdfb7bc00a06a84c676d4d72ce47ea16b4b0042.

For detailed crash information, see attachment.

This is a regression from Bug 1578380 where WaylandDMABufSurface were created as ref-counted so only FF71 is affected.

Assignee: nobody → stransky
Group: core-security → gfx-core-security
status-firefox69: --- → unaffected
status-firefox70: --- → unaffected
Keywords: csectype-uaf, sec-high

https://hg.mozilla.org/mozilla-central/rev/ff51e132555b

Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox71: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71

:decoder is there a bounty to be paid on this?

Flags: needinfo?(choller)
Flags: needinfo?(choller)
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: