Closed
Bug 341355
Opened 18 years ago
Closed 17 years ago
probably print preview uses free memory on clicking close.
Categories
(Core :: Print Preview, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: guninski, Assigned: dbaron)
References
Details
(Keywords: fixed1.8.0.9, fixed1.8.1.1, Whiteboard: [sg:critical? freed mem] fixed by 355059)
probably print preview uses free memory on clicking close in 1.5 and 2.0 branch. symptoms are: 1. on linux with valgrind - clicking close on any print preview: ==4853== ==4853== Invalid read of size 4 ==4853== at 0x1C161276: FT_Done_Face (in /usr/lib/libfreetype.so.6.3.8) ==4853== Address 0x1EE4FA80 is 96 bytes inside a block of size 540 free'd ==4853== at 0x1B9003B3: free (vg_replace_malloc.c:235) ==4853== by 0x1C15DADA: (within /usr/lib/libfreetype.so.6.3.8) on trunk with valgrind don't get this error. 2. on freebsd 6.1 with MALLOC_OPTIONS=J. this malloc option forces free() to clear the deallocated memory, filling it with 0xd0. after clicking "close" in print preview, firefox crashes with SIGBUS and if gdb and the core are to believed the stack is full with 0xd0 (probably caused by MALLOC_OPTIONS). if the 'J' option isn't set, firefox doesn't crash. couldn't fill the free()ed memory with my data yet, so probably the window of opportunity is small.
|
||
Updated•18 years ago
|
Assignee: nobody → dbaron
Whiteboard: [sg:critical? freed mem]
could you possibly file bugs into core instead of firefox? people don't always triage firefox very well :(
Component: General → Print Preview
Product: Firefox → Core
Version: 1.5.0.x Branch → 1.8 Branch
|
Reporter | |
Comment 2•18 years ago
|
||
(In reply to comment #1) > could you possibly file bugs into core instead of firefox? people don't always > triage firefox very well :( > ok, got it.
|
|
Reporter | |
Comment 3•18 years ago
|
||
i don't crash anymore with clearing hooks and valgrind doesn't complain as before so this seems fixed?
|
|
Reporter | |
Comment 4•18 years ago
|
||
i mean i don't crash on trunk.
|
|
Reporter | |
Comment 5•18 years ago
|
||
trunk seems safe from this, but 1.5.0.5 and 2.0b1 crash.
|
|
Reporter | |
Comment 6•18 years ago
|
||
trunk and 2.0.0.1 are safe, 1.5.0.9 is not according to valgrind.
|
Assignee | |
Comment 7•18 years ago
|
||
There's almost no stack given with the valgrind warnings above, but this seems like it's probably a duplicate of bug 355059.
|
|
Assignee | |
Comment 8•18 years ago
|
||
Could you retest with *tomorrow's* 1.8.0 branch build?
|
|
Reporter | |
Comment 9•18 years ago
|
||
(In reply to comment #8) > Could you retest with *tomorrow's* 1.8.0 branch build? > according to valgrding today's 1.8.0 branch is safe from this on linux.
|
||
Comment 10•17 years ago
|
||
so, is this ready to close?
|
|
Reporter | |
Comment 11•17 years ago
|
||
according to my tests this is fixed on linux trunk and 2.0.1 not fixed in 1.5.0.9
|
|
Reporter | |
Comment 12•17 years ago
|
||
confirming comment #10 that 1.8.0-latest is safe according to valgrind
|
||
Comment 13•17 years ago
|
||
So this is fixed? Why not then mark this FIXED or WORKSFORME
|
|
Assignee | |
Updated•17 years ago
|
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
|
|
Reporter | |
Updated•17 years ago
|
Resolution: DUPLICATE → FIXED
|
|
||
Updated•17 years ago
|
Group: security
Depends on: 355059
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+
Keywords: fixed1.8.0.9,
fixed1.8.1.1
Whiteboard: [sg:critical? freed mem] → [sg:critical? freed mem] fixed by 355059
|
|
||
Updated•17 years ago
|
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+
You need to log in
before you can comment on or make changes to this bug.
Description
•