Closed Bug 1603104 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-buffer-overflow [@ IsAllowedAsChild] with READ of size 8

Categories

(Core :: DOM: Core & HTML, defect)

64 Branch
x86_64
Windows
defect
Not set
critical

RESOLVED DUPLICATE of bug 1499861

People

(Reporter: decoder, Unassigned)

Details

(4 keywords)

Attachments

(1 file)

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 64.0a1-20181013100102-https://hg.mozilla.org/mozilla-central/rev/94a62c1aad526dc24dc9186a6ccebb0db276ee87.

For detailed crash information, see attachment.

This report comes from a super-old Firefox version, but I decided to file it anyway, in case it points to a bug that might still be present in our code. If this is not interesting/actionable, feel free to close the bug.

Group: core-security → dom-core-security
Component: DOM: HTML Parser → DOM: Core & HTML

mozilla::dom::HTMLOptionsCollection_Binding::DOMProxyHandler::setCustom() is on the stack, which reminded me of bug 1371259, which added some rooting in that function, but that was fixed in Firefox 55, so too old for this particular version to be affected.

Version: Trunk → 64 Branch

Peter, do you think it's worth keeping this open?

Flags: needinfo?(peterv)

Per comment 4 marking dup of bug 1499861.
Please reopen if needed.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2018-18492
Group: dom-core-security