Closed Bug 1605536 Opened 5 years ago Closed 5 years ago

member call on null pointer of type 'mozilla::dom::BrowsingContext' in dom/ipc/ContentParent.cpp:5927

Categories

(Core :: Audio/Video: Playback, defect, P2)

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla74

Tracking Status
firefox-esr68 --- unaffected
firefox72 --- wontfix
firefox73 --- fixed
firefox74 --- fixed

People

(Reporter: tsmith, Assigned: alwu)

Details

(Keywords: crash, csectype-nullptr, oss-fuzz)

Attachments

(1 file)

Info

Reproduced with: 20191219-8e1b11b00157
Fuzz Target: ContentParentIPC
Reliably Reproduces: Yes
Pernosco session: https://pernos.co/debug/mVRcwYuZmXMDwTlVvbOz6Q/index.html

If this issue is benign it can be added to the suppression list upon request and the particular message will be ignored in future fuzzing runs.

Callstack

dom/ipc/ContentParent.cpp:5927:44: runtime error: member call on null pointer of type 'mozilla::dom::BrowsingContext'
    #0 0x7f00a0c884b6 in mozilla::dom::ContentParent::RecvNotifyMediaAudibleChanged(mozilla::dom::BrowsingContext*, bool) dom/ipc/ContentParent.cpp:5927:44
    #1 0x7f009a7fb033 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) objdir-ff-ubsan/ipc/ipdl/PContentParent.cpp:11248:57
    #2 0x7f009880c40b in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) objdir-ff-ubsan/dist/include/ProtocolFuzzer.h:96:18
    #3 0x7f009880bc10 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:3
    #4 0x55b1ff935385 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:529:15
    #5 0x55b1ff921e7e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:286:6
    #6 0x55b1ff923ee9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:715:9
    #7 0x7f00a55c73f4 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:54:10
    #8 0x7f00a54eb98d in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3752:35
    #9 0x7f00a54f4cab in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4722:12
    #10 0x7f00a54f591b in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4818:21
    #11 0x55b1ff7b0df2 in do_main(int, char**, char**) browser/app/nsBrowserApp.cpp:217:22
    #12 0x55b1ff7b0500 in main browser/app/nsBrowserApp.cpp:339:16

Alastor, it looks like we have a null BrowsingContext

Flags: needinfo?(alwu)
Priority: -- → P2
Assignee: nobody → alwu
Flags: needinfo?(alwu)
Pushed by alwu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6dd7302c363d abort notifying controller if browsing context doesn't exist or has been discarded. r=farre
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74

Is this something we should consider uplifting to Beta for Fx73? Please nominate if so.

Flags: needinfo?(alwu)

Comment on attachment 9117900 [details]
Bug 1605536 - abort notifying controller if browsing context doesn't exist or has been discarded.

Beta/Release Uplift Approval Request

  • User impact if declined: Crash under certain situations
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This change is to add an additional check to prevent accessing a null browsing context, which is a should-have check and pretty safe.
  • String changes made/needed: no
Flags: needinfo?(alwu)
Attachment #9117900 - Flags: approval-mozilla-beta?
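The pattern behind both the crash report above (a parent-process Recv* handler making a member call on a null BrowsingContext that came out of IPC deserialization) and the landed fix (bail out when the context is missing or discarded) is small enough to show in one piece. The following is an added example written for this page, not Firefox code and not the patch on this bug: BrowsingContext, ContextRegistry, the 9-byte wire format, RecvUnchecked/RecvChecked and FuzzOneInput are all stand-ins chosen for the example, and the sample registry and messages are constructed here.

```cpp
// Added illustration, not Firefox code: how a parent-process IPC handler should
// treat a BrowsingContext pointer that arrived from an untrusted child process.
// Every name below is an assumption made for this example.
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <vector>

// Stand-in for mozilla::dom::BrowsingContext: a context is live or discarded.
struct BrowsingContext {
    uint64_t id;
    bool discarded = false;
    bool audible = false;
    explicit BrowsingContext(uint64_t aId, bool aDiscarded = false)
        : id(aId), discarded(aDiscarded) {}
    bool IsDiscarded() const { return discarded; }
    void NotifyMediaAudibleChanged(bool aAudible) { audible = aAudible; }
};

// The parent's view of which contexts exist. An id the parent has never seen
// resolves to nullptr: that is how a malformed or stale child message turns
// into a null pointer argument inside a Recv* handler.
struct ContextRegistry {
    std::map<uint64_t, std::unique_ptr<BrowsingContext>> byId;
    BrowsingContext* Get(uint64_t id) const {
        auto it = byId.find(id);
        return it == byId.end() ? nullptr : it->second.get();
    }
};

enum class IPCResult { Ok, Fail };

// Constructed wire format: 8-byte little-endian context id, then 1 byte "audible".
struct AudibleMsg { uint64_t contextId; bool audible; };

static bool Decode(const uint8_t* data, size_t len, AudibleMsg& out) {
    if (len < 9) return false;                  // truncated message
    uint64_t id = 0;
    for (int i = 0; i < 8; ++i) id |= static_cast<uint64_t>(data[i]) << (8 * i);
    out.contextId = id;
    out.audible = data[8] != 0;
    return true;
}

// Unhardened handler: trusts whatever pointer deserialization produced.
// A null `bc` here is exactly UBSan's "member call on null pointer".
static IPCResult RecvUnchecked(BrowsingContext* bc, bool audible) {
    bc->NotifyMediaAudibleChanged(audible);
    return IPCResult::Ok;
}

// Hardened handler: a missing or already-discarded context is dropped,
// reported as a failed message, and never dereferenced.
static IPCResult RecvChecked(BrowsingContext* bc, bool audible) {
    if (!bc || bc->IsDiscarded()) return IPCResult::Fail;
    bc->NotifyMediaAudibleChanged(audible);
    return IPCResult::Ok;
}

// Decode raw bytes, resolve the id against the registry, call the handler.
template <typename Handler>
static IPCResult Dispatch(const ContextRegistry& reg,
                          const std::vector<uint8_t>& msg, Handler handler) {
    AudibleMsg m;
    if (!Decode(msg.data(), msg.size(), m)) return IPCResult::Fail;
    return handler(reg.Get(m.contextId), m.audible);
}

// Build a message the way a (possibly hostile) child would put it on the wire.
static std::vector<uint8_t> MakeMsg(uint64_t contextId, bool audible) {
    std::vector<uint8_t> out(9);
    for (int i = 0; i < 8; ++i) out[i] = static_cast<uint8_t>(contextId >> (8 * i));
    out[8] = audible ? 1 : 0;
    return out;
}

// Constructed state: context 1 is live, context 2 has been discarded.
static ContextRegistry BuildRegistry() {
    ContextRegistry reg;
    reg.byId[1] = std::make_unique<BrowsingContext>(1);
    reg.byId[2] = std::make_unique<BrowsingContext>(2, /*aDiscarded=*/true);
    return reg;
}

// Shape of a libFuzzer-style entry point: arbitrary bytes go straight into the
// dispatcher. With RecvUnchecked this would find the null dereference; with
// RecvChecked the worst outcome is IPCResult::Fail.
static int FuzzOneInput(const uint8_t* data, size_t size) {
    static const ContextRegistry reg = BuildRegistry();
    std::vector<uint8_t> msg(data, data + size);
    Dispatch(reg, msg, RecvChecked);
    return 0;
}

int main() {
    ContextRegistry reg = BuildRegistry();
    bool ok = Dispatch(reg, MakeMsg(1, true), RecvChecked) == IPCResult::Ok &&
              Dispatch(reg, MakeMsg(2, true), RecvChecked) == IPCResult::Fail &&
              Dispatch(reg, MakeMsg(99, true), RecvChecked) == IPCResult::Fail;
    return ok ? 0 : 1;
}
```

The check belongs in the handler, not in the deserializer: deserialization can legitimately hand back a null or discarded context (the child may reference a context that the parent has already torn down), so the receiving side must treat "no context" as a benign, expected condition rather than an invariant. Running the same harness under UBSan with RecvUnchecked in place of RecvChecked reproduces the class of report quoted in the callstack above.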

Comment on attachment 9117900 [details]
Bug 1605536 - abort notifying controller if browsing context doesn't exist or has been discarded.

Fixes a possible null crash. Approved for 73.0b5.

Attachment #9117900 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
