Bug 371370 (Closed): live connect blowing the document causes trouble, probably use after free
Opened 18 years ago; Closed 16 years ago
Categories: Core :: General, defect
Status: RESOLVED WORKSFORME
People: Reporter: guninski; Unassigned
Whiteboard: [sg:critical?] 1.8 branch only, wfm 1.9
Attachments: 3 files
Description (Reporter)
window.vv=document.applets[0];
alert('wait1');
Then the applet blowing the document via document.open() causes either
a Java crash or a Mozilla crash. On debug builds |this| is screwed to
0xdddddddd; on optimized 2.0.1 it looks like a null dereference at first
sight.
Bugzilla attachments do not allow applet names, so attaching the Java
source.
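The pattern behind the report is a handle (window.vv) that outlives the document it was created in: document.open() destroys the current document, so any wrapper still pointing at the old one dereferences freed memory, which a poisoning debug heap shows as a pointer full of 0xdd bytes. The following is an added illustration, not Mozilla or LiveConnect code; the Document, Window and AppletWrapper types and the call_into_document/run_scenario functions are hypothetical stand-ins. It shows the safe shape of such a wrapper: a weak reference that detects the document's destruction instead of dereferencing a stale pointer.

```cpp
// Added illustration (not Mozilla code): a LiveConnect-style wrapper that
// keeps a reference to a Document across document.open(), which destroys the
// old document and installs a fresh one. A raw Document* held here would be
// left dangling (the use-after-free pattern in the report; with a debug heap
// that poisons freed memory the stale |this| reads as 0xdddddddd). A weak
// reference can tell that the document is gone and refuse the call.
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-in for Gecko's document object.
struct Document {
    static int live_count;              // how many Document objects exist right now
    std::string title;
    explicit Document(std::string t) : title(std::move(t)) { ++live_count; }
    ~Document() { --live_count; }
};
int Document::live_count = 0;

// Hypothetical stand-in for the window that owns the current document.
struct Window {
    std::shared_ptr<Document> doc = std::make_shared<Document>("original");

    // document.open(): tear down the current document and start a new one.
    // Anything still pointing at the old Document is invalid from here on.
    void document_open() { doc = std::make_shared<Document>("replacement"); }
};

enum class CallResult { Ok, StaleDocument };

// Models the JS-side handle (window.vv = document.applets[0]) that outlives
// the document it was taken from.
struct AppletWrapper {
    std::weak_ptr<Document> owner;      // weak: does not keep the doc alive, but can detect its death
    explicit AppletWrapper(const std::shared_ptr<Document>& d) : owner(d) {}

    // Called back from the plugin side after the document may have been replaced.
    CallResult call_into_document(std::string* out_title) {
        std::shared_ptr<Document> d = owner.lock();   // null once the document was freed
        if (!d) return CallResult::StaleDocument;     // bail out instead of touching freed memory
        *out_title = d->title;
        return CallResult::Ok;
    }
};

struct Outcome {
    CallResult before;          // call while the original document is alive
    CallResult after;           // call after document.open() replaced it
    std::string title_before;   // title read by the first call
    int live_docs_after;        // Document objects alive after the replacement
};

// Drives the sequence from the report: take the applet handle, blow away the
// document via document.open(), then use the handle again.
Outcome run_scenario() {
    Window win;
    AppletWrapper vv(win.doc);                      // window.vv = document.applets[0]
    std::string title;
    CallResult before = vv.call_into_document(&title);
    win.document_open();                            // old Document destroyed here
    std::string ignored;
    CallResult after = vv.call_into_document(&ignored);
    return {before, after, title, Document::live_count};
}

int main() {
    Outcome o = run_scenario();
    std::cout << "before open: " << (o.before == CallResult::Ok ? "Ok" : "StaleDocument")
              << " (" << o.title_before << ")\n"
              << "after open:  " << (o.after == CallResult::Ok ? "Ok" : "StaleDocument")
              << ", live documents: " << o.live_docs_after << "\n";
    return 0;
}
```

The second call returns StaleDocument rather than reading the replaced document's memory; the only Document still alive afterwards is the replacement, which is exactly the object the stale handle must not be confused with.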
Comment 1 (Reporter) • 18 years ago

Comment 2 (Reporter) • 18 years ago
May need several reloads on debug 2.0 latest.
Trunk build causes valgrind to exit with something like an internal error.
Updated • 18 years ago
Product: Firefox → Core
QA Contact: general → general
Version: 2.0 Branch → 1.8 Branch
Comment 3 • 18 years ago
Georgi, is this a problem on the trunk?
Comment 4 (Reporter) • 18 years ago
Doesn't crash anymore with current trunk.
Just get assertions (known in another bug):
WARNING: Moving XPConnect wrappedNative to new scope, but can't fixup __proto__: file /opt/joro/firefox-cvs/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 1211
###!!! ASSERTION: QueryInterface needed: 'query_result.get() == mRawPtr', file ../../dist/include/xpcom/nsCOMPtr.h, line 594
Comment 5 (Reporter) • 18 years ago
This may be a different problem, but the latest branch has some problems with this testcase.
Load it, close the alert.
In the location bar hit enter to reload it.
At this point there should be an alert "wait1" and an orange Java picture in content.
Right-click on the Java picture, close the alert.
Result is either SEGV or an internal Java error.
Comment 6 (Reporter) • 18 years ago
Original report is almost surely "use after free", marking [sg:critical?].
This seems fixed on trunk, though comment #5 indicates similar problems exist. Let me know if I should fork comment #5 into another bug.
Whiteboard: [sg:critical?]
Comment 7 • 17 years ago
Georgi, or anyone else, care to attach a compiled class file of the testcase? My Java isn't finding the necessary classes etc. to compile it.
Comment 8 (Reporter) • 17 years ago
compiled fil4.class
Comment 9 (Reporter) • 17 years ago
> My java isn't finding necessary classes etc to compile it.
jst, if you have |javac|, you can probably compile stuff containing LiveConnect this way:
javac -classpath /path/to/java/plugin.jar file.java
Comment 10 (Reporter) • 17 years ago
Java seems broken on Linux trunk i386 (all of Java).
On 3.0, the testcase doesn't crash, though I still get an assertion:
###!!! ASSERTION: QueryInterface needed: 'query_result.get() == mRawPtr', file ../../dist/include/xpcom/nsCOMPtr.h, line 594
###!!! ASSERTION: QueryInterface needed: 'query_result.get() == mRawPtr', file ../../dist/include/xpcom/nsCOMPtr.h, line 594
Updated • 17 years ago
Whiteboard: [sg:critical?] → [sg:critical?] 1.8 branch only, wfm 1.9
Comment 11 • 16 years ago
dveditz - is this still sg:critical(?) given that it's for a release we no longer support? I understand keeping it sec-sensitive for people like Linux distros who might still be supporting it - just wondering where it should show up in security bug counts.
Comment 12 (Reporter) • 16 years ago
To verify this bug:
1. Save "compiled fil4.class" as "fil4.class".
2. Save and open "testcase" in the directory of [1].
Currently the result is a complete hang for me on Linux.
Comment 13 • 16 years ago
Marking as WFM to reflect trunk status, and setting branch flag to reflect branch status.
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: wanted1.8.1.x?
Resolution: --- → WORKSFORME
Updated • 10 years ago
Group: core-security → core-security-release
Updated • 10 years ago
Group: core-security-release