Closed Bug 1615746 Opened 4 years ago Closed 4 years ago

Crash in [@ FramingChecker::CheckOneFrameOptionsPolicy]

Categories

(Core :: DOM: Security, defect, P1)

Unspecified
Linux
defect

Tracking

RESOLVED FIXED
mozilla75
Fission Milestone M5
Tracking Status
firefox-esr68 --- unaffected
firefox73 --- unaffected
firefox74 --- unaffected
firefox75 --- fixed

People

(Reporter: nika, Assigned: ckerschb)

Details

(Keywords: crash, Whiteboard: [domsecurity-active])

Attachments

(1 file)

This bug is for crash report bp-b1e1f4cf-ac16-43eb-9cc4-5ed550200214.

Top 10 frames of crashing thread:

0 libxul.so FramingChecker::CheckOneFrameOptionsPolicy dom/security/FramingChecker.cpp:164
1 libxul.so FramingChecker::CheckFrameOptions dom/security/FramingChecker.cpp:308
2 libxul.so DOMSecurityManager::Observe dom/security/DOMSecurityManager.cpp:107
3 libxul.so nsObserverList::NotifyObservers xpcom/ds/nsObserverList.cpp:65
4 libxul.so nsObserverService::NotifyObservers xpcom/ds/nsObserverService.cpp:292
5 libxul.so mozilla::net::nsHttpHandler::NotifyObservers netwerk/protocol/http/nsHttpHandler.cpp:823
6 libxul.so mozilla::net::nsHttpChannel::ProcessResponse netwerk/protocol/http/nsHttpChannel.cpp:2545
7 libxul.so mozilla::net::nsHttpChannel::OnStartRequest netwerk/protocol/http/nsHttpChannel.cpp:7864
8 libxul.so nsInputStreamPump::OnStateStart netwerk/base/nsInputStreamPump.cpp:504
9 libxul.so nsInputStreamPump::OnInputStreamReady netwerk/base/nsInputStreamPump.cpp:413

From a quick look, it appears as though the crashing line is https://searchfox.org/mozilla-central/rev/174f1195ec740e8f17223b48018f7e14e6d4e40e/dom/security/FramingChecker.cpp#164. The access to principal on this line is not null-checked, while other accesses to principal in the surrounding function are null-checked, so I expect this crash would be avoided by guarding the IsSameOrigin check.

I have Fission enabled.
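As an added illustration of the defect shape the report describes (not Firefox's own FramingChecker code), the following minimal model shows an X-Frame-Options check where the framing ancestor's principal may be null: the unguarded version dereferences it inside a same-origin comparison, the guarded version refuses to frame when no principal is available. Principal, IsSameOrigin, ParseXfo and the fail-closed behaviour on null are assumptions; the page only says a null check was added.

```cpp
// Added illustration of the reported crash shape; not Firefox's own code.
#include <string>

// Hypothetical stand-in for an nsIPrincipal: only the origin matters here.
struct Principal {
  std::string origin;
};

// Constructed sample principals used by the examples below.
static const Principal kSiteA{"https://a.example"};
static const Principal kSiteB{"https://b.example"};

// Hypothetical stand-in for IsSameOrigin(): dereferences both principals,
// so a null pointer on either side is exactly the crash seen in the report.
static bool IsSameOrigin(const Principal* a, const Principal* b) {
  return a->origin == b->origin;
}

enum class XfoPolicy { None, Deny, SameOrigin };

// Constructed header parsing; the real parser handles more cases.
static XfoPolicy ParseXfo(const std::string& header) {
  if (header == "DENY") return XfoPolicy::Deny;
  if (header == "SAMEORIGIN") return XfoPolicy::SameOrigin;
  return XfoPolicy::None;
}

// Defective shape: `framer` reaches IsSameOrigin() without a null check.
// Calling this with framer == nullptr dereferences null, like the crash.
static bool CheckUnguarded(const std::string& header, const Principal* framed,
                           const Principal* framer) {
  XfoPolicy p = ParseXfo(header);
  if (p == XfoPolicy::None) return true;   // no policy: framing allowed
  if (p == XfoPolicy::Deny) return false;  // DENY never consults the principal
  return IsSameOrigin(framed, framer);     // SAMEORIGIN: crash site if null
}

// Guarded shape: a missing principal cannot satisfy SAMEORIGIN, so the frame
// is blocked (fail closed). This behaviour on null is an assumption.
static bool CheckGuarded(const std::string& header, const Principal* framed,
                         const Principal* framer) {
  XfoPolicy p = ParseXfo(header);
  if (p == XfoPolicy::None) return true;
  if (p == XfoPolicy::Deny) return false;
  if (!framed || !framer) return false;    // the added null check
  return IsSameOrigin(framed, framer);
}
```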

Yeah, that's very likely - I'll fix that.

Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [domsecurity-active]
Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a89ae0203f38
Fix crash in FramingChecker.cpp by adding a nullcheck on the principal. r=baku
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75