Closed Bug 1612573 Opened 4 years ago Closed 4 years ago

crash near null in [@ mozilla::dom::ExternalHelperAppParent::Init]

Categories

(Core :: DOM: Navigation, defect, P1)

Tracking

RESOLVED DUPLICATE of bug 1611588
Tracking Status
firefox73 --- fixed
firefox74 --- fixed

People

(Reporter: tsmith, Unassigned)

References

(Regression)


This appears to be due to a missing null check on BrowsingContext* aContext.

https://searchfox.org/mozilla-central/rev/2e355fa82aaa87e8424a9927c8136be184eeb6c7/uriloader/exthandler/ExternalHelperAppParent.cpp#83

==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000190 (pc 0x7fc704afd5cb bp 0x7ffefb601810 sp 0x7ffefb601810 T0)
==1==The signal is caused by a READ memory access.
==1==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7fc704afd5ca in RefPtr<mozilla::dom::WindowContext>::get() const /work/obj-fuzz/dist/include/mozilla/RefPtr.h:284:27
    #1 0x7fc705913349 in mozilla::dom::ExternalHelperAppParent::Init(mozilla::Maybe<mozilla::net::LoadInfoArgs> const&, nsTString<char> const&, bool const&, mozilla::Maybe<mozilla::ipc::URIParams> const&, mozilla::dom::BrowsingContext*, bool const&) mozilla-central/uriloader/exthandler/ExternalHelperAppParent.cpp:83:55
    #2 0x7fc709a99ed7 in mozilla::dom::ContentParent::RecvPExternalHelperAppConstructor(mozilla::dom::PExternalHelperAppParent*, mozilla::Maybe<mozilla::ipc::URIParams> const&, mozilla::Maybe<mozilla::net::LoadInfoArgs> const&, nsTString<char> const&, nsTString<char> const&, unsigned int const&, nsTString<char16_t> const&, bool const&, long const&, bool const&, mozilla::Maybe<mozilla::ipc::URIParams> const&, mozilla::dom::BrowsingContext*, bool const&) mozilla-central/dom/ipc/ContentParent.cpp:3885:49
    #3 0x7fc704ad85ef in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /work/obj-fuzz/ipc/ipdl/PContentParent.cpp:8497:57
    #4 0x7fc7031fe8f2 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) /work/obj-fuzz/dist/include/ProtocolFuzzer.h:96:18
    #5 0x7fc7031fe228 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) mozilla-central/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:27:3
    #6 0x56455b82869f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
    #7 0x56455b81435e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)
    #8 0x56455b8166c9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
    #9 0x7fc70cf02873 in mozilla::FuzzerRunner::Run(int*, char***) mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:54:10
    #10 0x7fc70ce49435 in XREMain::XRE_mainStartup(bool*) mozilla-central/toolkit/xre/nsAppRunner.cpp:3696:35
    #11 0x7fc70ce513cb in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4682:12
    #12 0x7fc70ce519c3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4746:21
    #13 0x56455b6e8c34 in do_main(int, char**, char**)
    #14 0x56455b6e848b in main
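The report points at a parent-process IPC handler that dereferences a `BrowsingContext*` taken straight from a child-process message. The following is an added illustration of that failure mode and of the defensive pattern (treat every pointer that arrives over IPC as untrusted input and reject a null one before any member access). It is not Mozilla's code and not the fix that landed in bug 1611588; the `WindowContext`/`BrowsingContext` structs, the `IPCResult` enum, `ExternalHelperAppState` and the two `Init*` functions are simplified stand-ins assumed for this example.

```cpp
#include <cstdint>
#include <memory>

// Stand-in types for the Gecko classes named in the trace (assumed, not Mozilla's).
struct WindowContext {
  uint64_t mInnerWindowId;
};

struct BrowsingContext {
  // Models the RefPtr<WindowContext> member whose get() shows up in frame #0.
  std::shared_ptr<WindowContext> mCurrentWindowContext;
  WindowContext* GetCurrentWindowContext() const {
    return mCurrentWindowContext.get();
  }
};

// Models the result an IPC message handler hands back to the protocol layer:
// either the message was accepted, or it is rejected with a reason.
enum class IPCResult { Ok, FailNullContext, FailNoWindow };

struct ExternalHelperAppState {
  uint64_t mInnerWindowId = 0;
  bool mInitialised = false;
};

// The faulting pattern from the report: aContext came out of an IPC message
// and is dereferenced as if it could never be null. With nullptr this reads
// from the zero page exactly like the ASan trace above, so it must only be
// called with a pointer that has already been validated.
IPCResult InitUnchecked(ExternalHelperAppState& aState, BrowsingContext* aContext) {
  WindowContext* wc = aContext->GetCurrentWindowContext();  // null deref if aContext == nullptr
  aState.mInnerWindowId = wc ? wc->mInnerWindowId : 0;
  aState.mInitialised = true;
  return IPCResult::Ok;
}

// Hardened variant: a null context is rejected before any member access, and a
// context that currently has no window is rejected as well, so the handler
// never touches memory the child process could have steered it towards.
IPCResult InitChecked(ExternalHelperAppState& aState, BrowsingContext* aContext) {
  if (!aContext) {
    return IPCResult::FailNullContext;
  }
  WindowContext* wc = aContext->GetCurrentWindowContext();
  if (!wc) {
    return IPCResult::FailNoWindow;
  }
  aState.mInnerWindowId = wc->mInnerWindowId;
  aState.mInitialised = true;
  return IPCResult::Ok;
}

int main() {
  // Constructed sample input: one context with a window, and a null context
  // standing in for what the fuzzer delivered.
  BrowsingContext ctx{std::make_shared<WindowContext>(WindowContext{42})};
  ExternalHelperAppState good;
  InitChecked(good, &ctx);     // accepted
  ExternalHelperAppState bad;
  InitChecked(bad, nullptr);   // rejected instead of crashing
  return 0;
}
```

In the real protocol layer a rejected message is what the parent should act on (fail the message and drop the child rather than continue), which is why the check belongs in the handler itself and not in callers that assume the child is well behaved.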
Summary: crash near null in → crash near null in [@ mozilla::dom::ExternalHelperAppParent::Init]
Flags: needinfo?(matt.woodrow)
Regressed by: 1589270
Has Regression Range: --- → yes
Keywords: regression
Priority: -- → P1
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(matt.woodrow)
Resolution: --- → DUPLICATE