Investigate mNavigator usage in nsPluginArray and nsMimeTypeArray

RESOLVED FIXED

Status

()

Core
DOM
--
major
RESOLVED FIXED
8 years ago
6 years ago

People

(Reporter: smaug, Unassigned)

Tracking

unspecified
x86
All
Points:
---

Firefox Tracking Flags

(blocking2.0 -, status1.9.2 wanted, status1.9.1 wanted)

Details

(Whiteboard: [sg:audit])

(Reporter)

Description

8 years ago
Using raw pointers is scary!
Whiteboard: [sg:investigate]

Updated

8 years ago
Whiteboard: [sg:investigate] → [sg:audit]
Apparently it is, Sergey Glazunov found at least one sg:critical bug in that code. Is that the only problem there or are there more?
Depends on: 584517
Depends on: 584512
No longer depends on: 584517
We need this "fixed" this round to make sure bug 584517 is the only problem in there. Otherwise we're just pissing away bounties as people file them one-by-one.
blocking1.9.1: --- → .12+
blocking1.9.2: --- → .9+
blocking2.0: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted

Comment 3

7 years ago
Is there any plans to do this audit before code-freeze this Thursday? I'm going to remove blocking as we wouldn't block shipping on this audit...
blocking1.9.1: .12+ → ---
blocking1.9.2: .9+ → ---
(Reporter)

Comment 4

7 years ago
I could try to audit this tomorrow, if I find a nice solution for Bug 585815
today.
For what it's worth, I looked into this for the patch in bug 584512 . That's why that patch touches the mime type array as well as the plugin array. I'd appreciate smaug double-checking my work though!
(Reporter)

Comment 6

7 years ago
Without looking at Bug 584512 I found the same bug, but not anything else.

Updated

7 years ago
blocking2.0: ? → -

Comment 7

6 years ago
Seems like Blake and Olli are both saying they looked into this. Can we call this fixed, that being the case? Also, can we open this up as there is no specific vulnerability discussed?
Yes.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.