Closed Bug 584512 (CVE-2010-2767) Opened 14 years ago Closed 14 years ago

nsPluginArray - memory corruption

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- beta4+
status2.0 --- wanted
blocking1.9.2 --- .9+
status1.9.2 --- .9-fixed
blocking1.9.1 --- .12+
status1.9.1 --- .12-fixed

People

(Reporter: serg.glazunov, Assigned: mrbkap)

References

Details

(4 keywords, Whiteboard: [sg:critical?])

Attachments

(2 files, 1 obsolete file)

testcase
481 bytes, text/html
Details
Oops, yes
5.82 KB, patch
jst
: review+
dveditz
: approval1.9.2.9+
christian
: approval1.9.1.12+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.14 Safari/534.3 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 Looks like it's a use-after-free issue. I think the testcase is self-explaining although it's quite weak - it takes a lot of time to trigger the crash. Reproducible: Always http://crash-stats.mozilla.com/report/index/4b3b731c-511c-484c-a13f-ff27b2100804 Also crashes 4.0b2.
Attached file testcase
Status: UNCONFIRMED → NEW
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
status2.0: --- → ?
Component: Security → DOM
Ever confirmed: true
OS: Windows 7 → All
Product: Firefox → Core
QA Contact: firefox → general
Hardware: x86 → All
Whiteboard: [sg:critical?]
Keywords: crash, testcase
mrbkap thinks he has a patch
Blocks: 544875
Attached patch Proposed fix (obsolete) — Splinter Review
This should do it -- we need to ensure that we notify our weak references about stuff going away. I'll file a followup bug after this lands on getting rid of the manual refcounting.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #462981 - Flags: review?(jst)
Comment on attachment 462981 [details] [diff] [review] Proposed fix >+ if (mMimeTypeArray) >+ mMimeTypeArray->Invalidate(); s/mMimeTypeArray/mMimeTypes/g
Attached patch Oops, yesSplinter Review
Attachment #462981 - Attachment is obsolete: true
Attachment #463008 - Flags: review?(jst)
Attachment #462981 - Flags: review?(jst)
Attachment #463008 - Flags: review?(jst) → review+
Let's get this into the branches.
blocking1.9.1: ? → .12+
blocking1.9.2: ? → .9+
blocking2.0: ? → beta4+
Attachment #463008 - Flags: approval1.9.2.9?
Pushed to mozilla-central. http://hg.mozilla.org/mozilla-central/rev/fe1b3c35fa9d
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment on attachment 463008 [details] [diff] [review] Oops, yes a=LegNeato for 1.9.2.9. This needs to be landed as soon as possible. Does the same apply to 1.9.1?
Attachment #463008 - Flags: approval1.9.2.9? → approval1.9.2.9+
Comment on attachment 463008 [details] [diff] [review] Oops, yes Note: this patch applies cleanly after s|dom/base|dom/src/base|g
Attachment #463008 - Flags: approval1.9.1.12?
Comment on attachment 463008 [details] [diff] [review] Oops, yes a=LegNeato for 1.9.1.12
Attachment #463008 - Flags: approval1.9.1.12? → approval1.9.1.12+
Verified with attached testcase in 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.12pre) Gecko/20100817 Shiretoko/3.5.12pre ( .NET CLR 3.5.30729) and in 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9pre) Gecko/20100817 Namoroka/3.6.9pre ( .NET CLR 3.5.30729).
Keywords: verified1.9.1, verified1.9.2
Alias: CVE-2010-2767
Group: core-security
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: