Bug 584512 - (CVE-2010-2767) nsPluginArray - memory corruption
Status: RESOLVED FIXED
Whiteboard: [sg:critical?]
Keywords: crash, testcase, verified1.9.1, verified1.9.2
Product: Core
Classification: Components
Component: DOM
Version: unspecified
Platform: All / All
Importance: -- critical
Target Milestone: ---
Assigned To: Blake Kaplan (:mrbkap)
:
: Andrew Overholt [:overholt]
Blocks: 544875
Reported: 2010-08-04 14:43 PDT by Sergey Glazunov
Modified: 2010-09-27 18:19 PDT
Tracking flags: beta4+, wanted, 1.9.2.9+, 1.9.2.9-fixed, 1.9.1.12+, 1.9.1.12-fixed

Attachments
testcase (481 bytes, text/html) - 2010-08-04 14:45 PDT, Sergey Glazunov - no flags
Proposed fix (5.83 KB, patch) - 2010-08-04 16:44 PDT, Blake Kaplan (:mrbkap) - no flags
Oops, yes (5.82 KB, patch) - 2010-08-04 17:49 PDT, Blake Kaplan (:mrbkap) - jst: review+, dveditz: approval1.9.2.9+, christian: approval1.9.1.12+

Description Sergey Glazunov 2010-08-04 14:43:51 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.14 Safari/534.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Looks like it's a use-after-free issue.
I think the testcase is self-explanatory, although it's quite weak - it takes a lot of time to trigger the crash.

Reproducible: Always

http://crash-stats.mozilla.com/report/index/4b3b731c-511c-484c-a13f-ff27b2100804

Also crashes 4.0b2.
Comment 1 Sergey Glazunov 2010-08-04 14:45:16 PDT
Created attachment 462935 [details]
testcase
Comment 2 Daniel Veditz [:dveditz] 2010-08-04 15:28:14 PDT
mrbkap thinks he has a patch
Comment 3 Blake Kaplan (:mrbkap) 2010-08-04 16:44:22 PDT
Created attachment 462981 [details] [diff] [review]
Proposed fix

This should do it -- we need to ensure that we notify our weak references about stuff going away. I'll file a followup bug after this lands on getting rid of the manual refcounting.
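The pattern Blake describes above, an owner notifying its non-owning back-references before it goes away so they cannot dangle, as an added C++ example that is not the Gecko code from this bug; the class names, members and Count() are stand-ins assumed for illustration.

```cpp
#include <memory>
// Hypothetical stand-ins for the plugin array and its mime type array; all
// names here are assumptions, not the real Gecko classes.
class Owner;
class MimeTypeList {
public:
  explicit MimeTypeList(Owner* owner) : mOwner(owner) {}
  void Invalidate() { mOwner = nullptr; }               // owner is going away
  bool HasOwner() const { return mOwner != nullptr; }   // set: live or dangling
  bool GetOwnerCount(int* out) const;                    // safe once invalidated
private:
  Owner* mOwner;  // non-owning ("weak") back-pointer: the use-after-free risk
};
class Owner {
public:
  explicit Owner(int count) : mCount(count) {}
  // Teardown hook. The null-checked call is the shape of this bug's fix;
  // skipping it leaves the child's back-pointer dangling after Owner dies.
  void Invalidate() {
    if (mMimeTypes)
      mMimeTypes->Invalidate();
  }
  std::shared_ptr<MimeTypeList> MimeTypes() {
    if (!mMimeTypes) mMimeTypes = std::make_shared<MimeTypeList>(this);
    return mMimeTypes;
  }
  int Count() const { return mCount; }
private:
  int mCount;
  std::shared_ptr<MimeTypeList> mMimeTypes;  // may be null, hence the check
};
bool MimeTypeList::GetOwnerCount(int* out) const {
  if (!mOwner) return false;  // owner gone: fail instead of touching freed memory
  *out = mOwner->Count();
  return true;
}
// Script-side view: a strong reference (script-held, here a shared_ptr) keeps the
// child alive past its owner; true if the back-pointer was cleared, else false.
bool ChildSurvivesOwnerSafely(bool callInvalidate) {
  std::shared_ptr<MimeTypeList> held;
  {
    Owner owner(3);
    held = owner.MimeTypes();
    int n = 0;
    if (!held->GetOwnerCount(&n) || n != 3) return false;  // fine while alive
    if (callInvalidate) owner.Invalidate();                // the fixed teardown
  }
  return !held->HasOwner();
}
```

Without the Invalidate() call the child still holds the dead owner's address, which is exactly the state a later access turns into a use-after-free.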
Comment 4 Reed Loden [:reed] (use needinfo?) 2010-08-04 17:32:22 PDT
Comment on attachment 462981 [details] [diff] [review]
Proposed fix

>+  if (mMimeTypeArray)
>+    mMimeTypeArray->Invalidate();
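Review bot: the member name used on both added lines, mMimeTypeArray, should be checked against the actual field name; the substitution suggested just below this hunk indicates the field is mMimeTypes, so as written the null check and the Invalidate() call either fail to compile or target the wrong member. Suggest `if (mMimeTypes) mMimeTypes->Invalidate();`, keeping the null check since the array may not have been created yet.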

s/mMimeTypeArray/mMimeTypes/g
Comment 5 Blake Kaplan (:mrbkap) 2010-08-04 17:49:18 PDT
Created attachment 463008 [details] [diff] [review]
Oops, yes
Comment 6 Daniel Veditz [:dveditz] 2010-08-06 10:17:28 PDT
Let's get this into the branches.
Comment 7 Johnny Stenback (:jst, jst@mozilla.com) 2010-08-12 22:27:22 PDT
Pushed to mozilla-central.

http://hg.mozilla.org/mozilla-central/rev/fe1b3c35fa9d
Comment 8 christian 2010-08-12 23:46:29 PDT
Comment on attachment 463008 [details] [diff] [review]
Oops, yes

a=LegNeato for 1.9.2.9.
This needs to be landed as soon as possible. Does the same apply to 1.9.1?
Comment 9 Blake Kaplan (:mrbkap) 2010-08-16 12:51:18 PDT
Comment on attachment 463008 [details] [diff] [review]
Oops, yes

Note: this patch applies cleanly after s|dom/base|dom/src/base|g
Comment 10 christian 2010-08-16 12:51:43 PDT
Comment on attachment 463008 [details] [diff] [review]
Oops, yes

a=LegNeato for 1.9.1.12
Comment 11 Blake Kaplan (:mrbkap) 2010-08-16 13:53:32 PDT
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/a962fcafdd3e
Comment 12 Blake Kaplan (:mrbkap) 2010-08-16 13:55:32 PDT
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/addd2db5f27d
Comment 13 Al Billings [:abillings] 2010-08-17 15:54:29 PDT
Verified with attached testcase in 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.12pre) Gecko/20100817 Shiretoko/3.5.12pre ( .NET CLR 3.5.30729) and in 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9pre) Gecko/20100817 Namoroka/3.6.9pre ( .NET CLR 3.5.30729).
