Closed Bug 1786818 (CVE-2022-46884) Opened 2 years ago Closed 2 years ago

always hold a ref while ticking the refresh driver

Categories

(Core :: Layout, defect)


Tracking


RESOLVED FIXED
106 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox104 --- wontfix
firefox105 --- wontfix
firefox106 --- fixed

People

(Reporter: tnikkel, Assigned: tnikkel)

Details

(Keywords: csectype-uaf, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main106+r])

Attachments

(2 files)

Two places don't seem to

https://searchfox.org/mozilla-central/rev/d01591796d5faccf762adb09a311d8ee12f7ca7f/image/SVGDocumentWrapper.cpp#183

https://searchfox.org/mozilla-central/rev/d01591796d5faccf762adb09a311d8ee12f7ca7f/dom/base/nsDOMWindowUtils.cpp#2823

The first is inside SVG images, and those documents have scripting restricted, I believe, so a tick can do less than in a general document.

The second is test-only code that you need privileges for.

So this doesn't seem to be a big deal.

Noticed these while looking into bug 1762368.
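Added illustration, not code from this bug, its patch, or mozilla-central: the lifetime pattern the bug title asks for, a strong reference held on the stack for the duration of a tick that may run arbitrary code. `RefPtr` here is a minimal stand-in for Mozilla's RefPtr; `RefreshDriver`, `Owner`, `Tick`, and the observer that drops the last owning reference are hypothetical constructs built only to show why a raw pointer is not enough across such a call.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

// Minimal intrusive smart pointer, a stand-in for Mozilla's RefPtr (not the
// project's own implementation). It calls AddRef()/Release() on T.
template <typename T>
class RefPtr {
 public:
  RefPtr() = default;
  RefPtr(T* aPtr) : mPtr(aPtr) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& aOther) : RefPtr(aOther.mPtr) {}
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(const RefPtr& aOther) {
    RefPtr tmp(aOther);
    std::swap(mPtr, tmp.mPtr);
    return *this;
  }
  RefPtr& operator=(std::nullptr_t) {
    RefPtr tmp;
    std::swap(mPtr, tmp.mPtr);
    return *this;
  }
  T* operator->() const { return mPtr; }
  T* get() const { return mPtr; }
 private:
  T* mPtr = nullptr;
};

// Hypothetical refresh driver: ticking runs observers, and an observer may
// run script that releases the driver's last owner.
class RefreshDriver {
 public:
  static int sLive;  // number of driver objects currently alive
  RefreshDriver() { ++sLive; }
  ~RefreshDriver() { --sLive; }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  void AddObserver(std::function<void()> aObs) { mObservers.push_back(std::move(aObs)); }
  // Returns true if this driver was still alive once every observer had run.
  bool Tick() {
    // Copy the list first so nothing below touches `this` after an observer runs.
    std::vector<std::function<void()>> observers = mObservers;
    const int liveBefore = sLive;
    for (auto& obs : observers) obs();
    return sLive == liveBefore;  // reads only a static; `this` may already be gone
  }
 private:
  int mRefCnt = 0;
  std::vector<std::function<void()>> mObservers;
};
int RefreshDriver::sLive = 0;

// Hypothetical owner (a document or pres context would own the real one).
struct Owner {
  RefPtr<RefreshDriver> mDriver;
  Owner() : mDriver(new RefreshDriver()) {}
  void DropDriver() { mDriver = nullptr; }  // what "script tore it down" amounts to
};

// The unsafe shape: tick through a raw pointer while the owner may let go.
// Returns false: the driver was destroyed mid-tick, so any later member
// access by the caller would be a use-after-free.
bool TickThroughRawPointer() {
  Owner owner;
  owner.mDriver->AddObserver([&owner] { owner.DropDriver(); });
  RefreshDriver* rd = owner.mDriver.get();  // no reference held
  return rd->Tick();
}

// The fixed shape: a strong reference on the stack outlives the call.
// Returns true: the driver survives until `rd` goes out of scope.
bool TickHoldingStrongRef() {
  Owner owner;
  owner.mDriver->AddObserver([&owner] { owner.DropDriver(); });
  RefPtr<RefreshDriver> rd = owner.mDriver;  // keeps the driver alive
  return rd->Tick();
}

int main() {
  std::printf("raw pointer: driver survived tick = %s\n", TickThroughRawPointer() ? "yes" : "no");
  std::printf("strong ref:  driver survived tick = %s\n", TickHoldingStrongRef() ? "yes" : "no");
  std::printf("drivers still alive: %d\n", RefreshDriver::sLive);
  return 0;
}
```

The raw-pointer case reports that the driver died during the tick, which is exactly the state in which the two call sites above would be reading freed memory if anything ran after the tick; the strong-reference case keeps the object alive until the caller's `RefPtr` releases it, which is the shape the fix applies at both sites.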

Attached file Bug 1786818. r?mstange
Assignee: nobody → tnikkel
Status: NEW → ASSIGNED
Group: core-security → layout-core-security
Severity: -- → S3
Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main106+r]
Alias: CVE-2022-46884
Group: core-security-release
