Bug 584512 (CVE-2010-2767) - nsPluginArray - memory corruption
Status: Closed. Opened 15 years ago, closed 15 years ago.
Categories: Core :: DOM: Core & HTML, defect
People: Reporter: serg.glazunov, Assigned: mrbkap
Details: 4 keywords, Whiteboard: [sg:critical?]
Attachments (2 files, 1 obsolete file):
- 481 bytes, text/html (the testcase)
- 5.82 KB, patch; flags: jst: review+, dveditz: approval1.9.2.9+, christian: approval1.9.1.12+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.14 Safari/534.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Looks like it's a use-after-free issue.
I think the testcase is self-explanatory although it's quite weak - it takes a lot of time to trigger the crash.
Reproducible: Always
http://crash-stats.mozilla.com/report/index/4b3b731c-511c-484c-a13f-ff27b2100804
Also crashes 4.0b2.
Comment 1 (Reporter)•15 years ago
Updated•15 years ago
Status: UNCONFIRMED → NEW
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
Component: Security → DOM
Ever confirmed: true
OS: Windows 7 → All
Product: Firefox → Core
QA Contact: firefox → general
Hardware: x86 → All
Whiteboard: [sg:critical?]
Comment 2•15 years ago
mrbkap thinks he has a patch
Comment 3 (Assignee)•15 years ago
This should do it -- we need to ensure that we notify our weak references about stuff going away. I'll file a followup bug after this lands on getting rid of the manual refcounting.
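The fix comment 3 describes, telling weakly-referencing objects that their owner is going away before it does, as an added C++ illustration. This is not Gecko's nsPluginArray or nsMimeTypeArray code: Owner, Dependent and the aNotifyWeakRefs toggle are hypothetical names, and Invalidate() here simply nulls the back pointer. A caller keeping the child alive past the owner's destruction stands in for script holding a reference.

```cpp
// Added example (not Gecko code): an owner with a lazily created, refcounted child
// that keeps a raw back pointer to its owner. If the owner dies without notifying
// the child, a caller who kept the child alive ends up with a dangling pointer,
// which is the use-after-free class this bug belongs to. Owner, Dependent and the
// aNotifyWeakRefs toggle are hypothetical names.
#include <iostream>
#include <memory>
#include <string>

class Dependent;

// Stand-in for the array object whose lifetime ends first (hypothetical name).
class Owner {
public:
    // aNotifyWeakRefs = true models the fixed code; false models the unfixed code.
    explicit Owner(bool aNotifyWeakRefs) : mNotifyWeakRefs(aNotifyWeakRefs) {}
    ~Owner();
    std::shared_ptr<Dependent> GetDependent();  // lazily created; shared with callers
    std::string Name() const { return "owner"; }
private:
    std::shared_ptr<Dependent> mDependent;  // strong reference; callers may hold more
    bool mNotifyWeakRefs;
};

// Stand-in for the child that points back at its owner without owning it.
class Dependent {
public:
    explicit Dependent(Owner* aOwner) : mOwner(aOwner) {}
    // Called by the owner on teardown so the back pointer never dangles.
    void Invalidate() { mOwner = nullptr; }
    bool HasLiveOwner() const { return mOwner != nullptr; }
    // Every use of the back pointer goes through the null check; returns false
    // instead of touching an owner that is gone.
    bool OwnerName(std::string& aOut) const {
        if (!mOwner) return false;
        aOut = mOwner->Name();
        return true;
    }
private:
    Owner* mOwner;  // weak back pointer, not refcounted
};

std::shared_ptr<Dependent> Owner::GetDependent() {
    if (!mDependent) mDependent = std::make_shared<Dependent>(this);
    return mDependent;
}

Owner::~Owner() {
    // The fix: tell the weakly-referencing child that we are going away.
    if (mNotifyWeakRefs && mDependent) mDependent->Invalidate();
}

// Lookup through the child while the owner is alive works in both modes.
std::string LookupWhileAlive() {
    Owner owner(true);
    std::string name;
    owner.GetDependent()->OwnerName(name);
    return name;
}

// A caller keeps the child alive past the owner's destruction. Returns true if
// the surviving child still believes it has an owner, i.e. holds a dangling
// pointer. Only the pointer value is inspected; it is never dereferenced here.
bool ChildDanglesAfterOwnerDies(bool aNotifyWeakRefs) {
    std::shared_ptr<Dependent> kept;
    {
        Owner owner(aNotifyWeakRefs);
        kept = owner.GetDependent();
    }  // owner destroyed; kept outlives it
    return kept->HasLiveOwner();
}

// With the fix, a later lookup through the surviving child is refused cleanly.
bool LookupRefusedAfterOwnerDies() {
    std::shared_ptr<Dependent> kept;
    {
        Owner owner(true);
        kept = owner.GetDependent();
    }
    std::string name;
    return !kept->OwnerName(name);
}

int main() {
    std::cout << "alive: " << LookupWhileAlive() << "\n"
              << "dangles without notify: " << ChildDanglesAfterOwnerDies(false) << "\n"
              << "dangles with notify: " << ChildDanglesAfterOwnerDies(true) << "\n"
              << "lookup refused after death: " << LookupRefusedAfterOwnerDies() << "\n";
    return 0;
}
```

The two modes differ only in whether the destructor runs Invalidate(); in the unfixed mode the child's back pointer survives its owner, and any later dereference through it would be the use-after-free. Comment 3 also notes that manual refcounting is slated for removal in a follow-up; the shared_ptr here is just the simplest stand-in for that.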
Comment 4•15 years ago
Comment on attachment 462981: Proposed fix
>+ if (mMimeTypeArray)
>+ mMimeTypeArray->Invalidate();
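Review bot: both added lines name the member `mMimeTypeArray`, while the reviewer's follow-up (s/mMimeTypeArray/mMimeTypes/g) indicates the field is `mMimeTypes`, so the hunk as posted would not compile against the class; rename it on both lines. The shape is otherwise right for the bug described: per comment 3 the fix is to notify the weakly-referencing mime-type array before the plugin array goes away, so the Invalidate() call has to run on the teardown path before the array's storage is released, and the null check keeps it from being called when no mime-type array exists.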
s/mMimeTypeArray/mMimeTypes/g
Comment 5 (Assignee)•15 years ago
Attachment #462981 - Attachment is obsolete: true
Attachment #463008 - Flags: review?(jst)
Attachment #462981 - Flags: review?(jst)
Updated•15 years ago
Attachment #463008 - Flags: review?(jst) → review+
Comment 6•15 years ago
Let's get this into the branches.
blocking1.9.1: ? → .12+
blocking1.9.2: ? → .9+
Updated•15 years ago
blocking2.0: ? → beta4+
Updated (Assignee)•15 years ago
Attachment #463008 - Flags: approval1.9.2.9?
Comment 7•15 years ago
Pushed to mozilla-central.
http://hg.mozilla.org/mozilla-central/rev/fe1b3c35fa9d
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 8•15 years ago
Comment on attachment 463008: Oops, yes
a=LegNeato for 1.9.2.9.
This needs to be landed as soon as possible. Does the same apply to 1.9.1?
Updated•15 years ago
Attachment #463008 - Flags: approval1.9.2.9? → approval1.9.2.9+
Comment 9 (Assignee)•15 years ago
Comment on attachment 463008: Oops, yes
Note: this patch applies cleanly after s|dom/base|dom/src/base|g
Attachment #463008 - Flags: approval1.9.1.12?
Comment 10•15 years ago
Comment on attachment 463008: Oops, yes
a=LegNeato for 1.9.1.12
Attachment #463008 - Flags: approval1.9.1.12? → approval1.9.1.12+
Comment 11 (Assignee)•15 years ago
Comment 12 (Assignee)•15 years ago
Comment 13•15 years ago
Verified with attached testcase in 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.12pre) Gecko/20100817 Shiretoko/3.5.12pre ( .NET CLR 3.5.30729) and in 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9pre) Gecko/20100817 Namoroka/3.6.9pre ( .NET CLR 3.5.30729).
Keywords: verified1.9.1, verified1.9.2
Updated•14 years ago
Alias: CVE-2010-2767
Updated•14 years ago
Group: core-security
Updated•6 years ago
Component: DOM → DOM: Core & HTML