member call on null pointer of type 'mozilla::dom::BrowsingContext' in dom/ipc/ContentParent.cpp:5927
Categories: Core :: Audio/Video: Playback, defect, P2
Tracking

Release | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected |
firefox72 | --- | wontfix |
firefox73 | --- | fixed |
firefox74 | --- | fixed |
People: Reporter: tsmith, Assigned: alwu
Details: Keywords: crash, csectype-nullptr, oss-fuzz
Attachments (1 file): 47 bytes, text/x-phabricator-request; RyanVM: approval-mozilla-beta+
Info
Reproduced with: 20191219-8e1b11b00157
Fuzz Target: ContentParentIPC
Reliably Reproduces: Yes
Pernosco session: https://pernos.co/debug/mVRcwYuZmXMDwTlVvbOz6Q/index.html
If this issue is benign it can be added to the suppression list upon request and the particular message will be ignored in future fuzzing runs.
Callstack
dom/ipc/ContentParent.cpp:5927:44: runtime error: member call on null pointer of type 'mozilla::dom::BrowsingContext'
#0 0x7f00a0c884b6 in mozilla::dom::ContentParent::RecvNotifyMediaAudibleChanged(mozilla::dom::BrowsingContext*, bool) dom/ipc/ContentParent.cpp:5927:44
#1 0x7f009a7fb033 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) objdir-ff-ubsan/ipc/ipdl/PContentParent.cpp:11248:57
#2 0x7f009880c40b in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) objdir-ff-ubsan/dist/include/ProtocolFuzzer.h:96:18
#3 0x7f009880bc10 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:3
#4 0x55b1ff935385 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:529:15
#5 0x55b1ff921e7e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:286:6
#6 0x55b1ff923ee9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:715:9
#7 0x7f00a55c73f4 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:54:10
#8 0x7f00a54eb98d in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3752:35
#9 0x7f00a54f4cab in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4722:12
#10 0x7f00a54f591b in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4818:21
#11 0x55b1ff7b0df2 in do_main(int, char**, char**) browser/app/nsBrowserApp.cpp:217:22
#12 0x55b1ff7b0500 in main browser/app/nsBrowserApp.cpp:339:16
Comment 1•5 years ago
Alastor, it looks like we have a null BrowsingContext
Comment 2•5 years ago
Comment 4•5 years ago
bugherder
Comment 5•5 years ago
Is this something we should consider uplifting to Beta for Fx73? Please nominate if so.
Comment 6•5 years ago
Comment on attachment 9117900 [details]
Bug 1605536 - abort notifying controller if browsing context doesn't exist or has been discarded.
Beta/Release Uplift Approval Request
- User impact if declined: Crash under certain situation
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This change is to add an additional check to prevent accessing a null browsing context, which is a should-have check and pretty safe.
- String changes made/needed: no
Comment 7•5 years ago
Comment on attachment 9117900 [details]
Bug 1605536 - abort notifying controller if browsing context doesn't exist or has been discarded.
Fixes a possible null crash. Approved for 73.0b5.
Comment 8•5 years ago
bugherder uplift