Closed Bug 306789 Opened 19 years ago Closed 19 years ago

[@ IncrementalReflow::AddCommand]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Version:
1.8 Branch
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 306782

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [sg:dupe 306782] hold for 306663-based testcase)

Crash Data

The testcase crashes Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US;
rv:1.8b4) Gecko/20050901 Firefox/1.0+ after a few seconds (when the status bar
counter says "464").  It doesn't crash trunk.

I'm filing this as security-sensitive because the testcase uses code from bug
306663.  I wasn't able to make a simplified testcase, although I will admit to
giving up easily.

I haven't seen many stacks with [@ IncrementalReflow::AddCommand] near the top,
but the ones I have seen didn't make it look exploitable.

  

  



    
    

    
  
Crashes with this testcase: TB8955446K, TB8955351Q

Crashes with similar JavaScript but different PRNG or different HTML: TB8924737X

  

  



    
    

    
  
No crash with a Gecko 1.8 branch hourly.  Fixed by the patch for bug 265367.

  

  



    
    

    
  

*** This bug has been marked as a duplicate of 306782 ***

  

  


Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 306782] hold for 306663-based testcase
Group: security
Crash Signature: [@ IncrementalReflow::AddCommand]

    
    

    
  
I am mileseli, working for techiesstar as pr consultant. With more than 6 years experience in PR and Digital Industry, helping teams to achieve goals by streamilining the process.

@https://www.techiesstar.com/



  

  



          You need to log in
          before you can comment on or make changes to this bug.