Closed Bug 1782674 Opened 1 year ago Closed 1 year ago

Add missing mDestroyed checks to WebRenderBridgeParent

Categories

(Core :: Graphics: WebRender, defect)

Tracking

RESOLVED FIXED
105 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox103 --- wontfix
firefox104 --- wontfix
firefox105 --- fixed

People

(Reporter: decoder, Assigned: decoder)

Details

(Keywords: sec-other, Whiteboard: [adv-main105-])

Attachments

(1 file)

The WebRenderBridgeParent has a few methods that seem to miss the checks for mDestroyed before using members of the class. In fuzzing, this showed up as several nullptr derefs because WebRenderBridgeParent::ClearResources (called by Destroy) nulls out most of the member pointers.

I haven't seen exploitable crashes and all the places I am fixing are using a nulled pointer, so I think this is not s-s (but keeping locked with the rest of the IPC bugs).
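The pattern the report describes, as an added example that is not part of the original report and is not Firefox code: a simplified actor whose teardown nulls its members, with one handler missing the destroyed check and one carrying it. `BridgeParent`, `RenderApi`, `RecvFlush` and `RecvFlushUnchecked` are hypothetical names, and the boolean return value is an assumption made so the result can be checked.

```cpp
#include <cstdio>
#include <memory>

// Simplified stand-in for the resource a bridge actor drives (hypothetical).
struct RenderApi {
  int flushes = 0;
  void Flush() { ++flushes; }
};

// Hypothetical model of a parent-side IPC actor; not the Firefox class.
class BridgeParent {
 public:
  BridgeParent() : mApi(new RenderApi()) {}

  // Teardown: marks the actor dead, then nulls its members, as the report
  // describes for Destroy() calling ClearResources().
  void Destroy() {
    if (mDestroyed) return;
    mDestroyed = true;
    ClearResources();
  }

  // Missing check: a message handled after Destroy() dereferences null.
  bool RecvFlushUnchecked() {
    mApi->Flush();
    return true;
  }

  // With the check: a late message is dropped before any member is touched.
  bool RecvFlush() {
    if (mDestroyed) return false;
    mApi->Flush();
    return true;
  }
 private:
  void ClearResources() { mApi.reset(); }
  std::unique_ptr<RenderApi> mApi;
  bool mDestroyed = false;
};

// Sends one message before teardown and one after; returns how many ran.
int DeliverAroundDestroy() {
  BridgeParent bridge;
  int handled = bridge.RecvFlush() ? 1 : 0;
  bridge.Destroy();
  handled += bridge.RecvFlush() ? 1 : 0;
  return handled;
}

int main() { std::printf("handled=%d\n", DeliverAroundDestroy()); return 0; }
```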

Group: dom-core-security → gfx-core-security
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main105-]
Group: core-security-release