macOS crash in [@ webrender::hit_test::HitTester::hit_test]
Categories: Core :: Graphics: WebRender, defect, P3
People: Reporter: gsvelto, Unassigned
Keywords: crash, csectype-uaf, sec-high
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/a0d013de-ab6e-4413-94c9-564010201030
MOZ_CRASH Reason: index out of bounds: the len is 85 but the index is 3857049061
Top 10 frames of crashing thread:
0 XUL RustMozCrash mozglue/static/rust/wrappers.cpp:17
1 XUL mozglue_static::panic_hook mozglue/static/rust/lib.rs:89
2 XUL core::ops::function::Fn::call /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70
3 XUL std::panicking::rust_panic_with_hook library/std/src/panicking.rs:573
4 XUL std::panicking::begin_panic_handler::{{closure}} library/std/src/panicking.rs:476
5 XUL std::sys_common::backtrace::__rust_end_short_backtrace library/std/src/sys_common/backtrace.rs:153
6 XUL rust_begin_unwind library/std/src/panicking.rs:475
7 XUL core::panicking::panic_fmt library/core/src/panicking.rs:85
8 XUL core::panicking::panic_bounds_check library/core/src/panicking.rs:62
9 XUL webrender::hit_test::HitTester::hit_test gfx/wr/webrender/src/hit_test.rs:365
This appears to be yet another manifestation of bug 1665411. Note that the OOB index in hex is the poison pattern so we're reading from a dead object.
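The poison-pattern observation above can be checked mechanically during crash triage. The following is an added example, not code from the bug report or from Firefox; the names are hypothetical, and it assumes freed heap memory is filled with a single repeated byte (0xE5 in mozjemalloc, a value the report does not state explicitly).

```rust
// Added triage example (not Firefox or WebRender code).
// Assumption: freed heap memory is filled with one repeated poison byte;
// mozjemalloc uses 0xE5 for that fill.
const POISON_BYTE: u8 = 0xE5;

#[derive(Debug, PartialEq)]
enum Verdict {
    Poison(u8),      // index is one fill byte repeated across the whole word
    PlainOutOfRange, // bounds-check panic, but the index shows no fill pattern
    NotBoundsPanic,  // message is not a Rust bounds-check panic
}

/// Parses "index out of bounds: the len is N but the index is M" into (N, M).
fn parse_bounds_panic(msg: &str) -> Option<(u64, u64)> {
    let rest = msg.trim().strip_prefix("index out of bounds: the len is ")?;
    let (len, idx) = rest.split_once(" but the index is ")?;
    Some((len.trim().parse().ok()?, idx.trim().parse().ok()?))
}

/// Returns the fill byte if `value` is one byte repeated over 32 or 64 bits.
fn repeated_byte(value: u64) -> Option<u8> {
    let b = (value & 0xFF) as u8;
    if b == 0x00 || b == 0xFF {
        return None; // zeroed memory and -1 sentinels are not poison
    }
    let fill32 = u64::from(u32::from_ne_bytes([b; 4]));
    let fill64 = u64::from_ne_bytes([b; 8]);
    if value == fill32 || value == fill64 { Some(b) } else { None }
}

fn classify(msg: &str) -> Verdict {
    match parse_bounds_panic(msg) {
        None => Verdict::NotBoundsPanic,
        Some((_len, idx)) => match repeated_byte(idx) {
            Some(b) => Verdict::Poison(b),
            None => Verdict::PlainOutOfRange,
        },
    }
}

fn main() {
    // MOZ_CRASH Reason string from this crash report.
    let reason = "index out of bounds: the len is 85 but the index is 3857049061";
    let (len, idx) = parse_bounds_panic(reason).unwrap();
    println!("len={} idx={:#x} verdict={:?}", len, idx, classify(reason));
    if classify(reason) == Verdict::Poison(POISON_BYTE) {
        println!("index matches the freed-memory fill: triage as use-after-free");
    }
}
```

A `Poison` verdict means the index was loaded from memory the allocator had already freed and filled, which is why a safe-Rust bounds panic is triaged here as a use-after-free rather than a plain logic error.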
Comment 1•3 years ago
The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:bhood, could you consider increasing the severity of this security bug?
For more information, please visit auto_nag documentation.
Comment 2•2 years ago
No recent reports from any modern versions.
Comment 3•2 years ago
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.