Crash [@nsCachedStyleData::GetStyleMargin] when zooming page with script

RESOLVED FIXED

Status

Core
DOM: CSS Object Model
--
critical
RESOLVED FIXED
10 years ago
5 years ago

People

(Reporter: Paul Nickerson, Unassigned)

Tracking

Trunk
x86
Windows XP
Points:
---
Bug Flags:
blocking1.9 -
wanted1.9.0.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high])

(Reporter)

Updated

10 years ago
Flags: wanted1.9.0.x?
Flags: blocking1.9?
Is this script zooming in/out while it is also changing styles (or something else)? 
I filed 2 bugs, bug 398853 and bug 403763, doing similar stuff. I think I filed some more, but those became worksforme. After that, I kinda gave up filing new ones, since nobody was working on those kinds of bugs anyway.
roc, what do you think here?  This sounds scary enough that it should block...
It does sound scary but I don't think we should block on it, especially given that user-initiated zooming doesn't trigger the bug.
-'ing, but if user-initiated zooming can trigger the bug then it needs to be a +..
Flags: wanted1.9.0.x? → wanted1.9.0.x+
Flags: blocking1.9? → blocking1.9-

Updated

9 years ago
Component: DOM: Views and Formatting → DOM: CSS Object Model
Marking sg:high for now as it's a critical bug mitigated by the fact that there is no straightforward remote exploit vector.
Whiteboard: [sg:high]
The patch in bug 475128 will likely fix this by changing the underlying problem from a crash into a correctness bug.  I haven't tested, though, and it looks really complicated.
Can someone do the investigation David referred to?  This bug has been added to our Top Security Bugs list and could use some attention.  If bug 475128 fixed this bug then we can knock one off the list.

Comment 10

8 years ago
Since Paul can no longer reproduce, marking as fixed (believed to be fixed by bug 475128).
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Group: core-security