Bug 584512 (CVE-2010-2767)

nsPluginArray - memory corruption

RESOLVED FIXED

Status

()

defect
--
critical
RESOLVED FIXED
9 years ago
3 months ago

People

(Reporter: serg.glazunov, Assigned: mrbkap)

Tracking

(4 keywords)

unspecified
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 beta4+, status2.0 wanted, blocking1.9.2 .9+, status1.9.2 .9-fixed, blocking1.9.1 .12+, status1.9.1 .12-fixed)

Details

(Whiteboard: [sg:critical?])

Attachments

(2 attachments, 1 obsolete attachment)

Reporter

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.14 Safari/534.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Looks like it's a use-after-free issue.
I think the testcase is self-explaining although it's quite weak - it takes a lot of time to trigger the crash.

Reproducible: Always




http://crash-stats.mozilla.com/report/index/4b3b731c-511c-484c-a13f-ff27b2100804

Also crashes 4.0b2.
Reporter

Comment 1

9 years ago
Posted file testcase
Status: UNCONFIRMED → NEW
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
status2.0: --- → ?
Component: Security → DOM
Ever confirmed: true
OS: Windows 7 → All
Product: Firefox → Core
QA Contact: firefox → general
Hardware: x86 → All
Whiteboard: [sg:critical?]
mrbkap thinks he has a patch
Blocks: 544875
Posted patch Proposed fix (obsolete) — Splinter Review
This should do it -- we need to ensure that we notify our weak references about stuff going away. I'll file a followup bug after this lands on getting rid of the manual refcounting.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #462981 - Flags: review?(jst)
Comment on attachment 462981 [details] [diff] [review]
Proposed fix

>+  if (mMimeTypeArray)
>+    mMimeTypeArray->Invalidate();

s/mMimeTypeArray/mMimeTypes/g
Posted patch Oops, yesSplinter Review
Attachment #462981 - Attachment is obsolete: true
Attachment #463008 - Flags: review?(jst)
Attachment #462981 - Flags: review?(jst)
Attachment #463008 - Flags: review?(jst) → review+
Let's get this into the branches.
blocking1.9.1: ? → .12+
blocking1.9.2: ? → .9+
blocking2.0: ? → beta4+
Attachment #463008 - Flags: approval1.9.2.9?
Pushed to mozilla-central.

http://hg.mozilla.org/mozilla-central/rev/fe1b3c35fa9d
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED

Comment 8

9 years ago
Comment on attachment 463008 [details] [diff] [review]
Oops, yes

a=LegNeato for 1.9.2.9.
This needs to be landed as soon as possible. Does the same apply to 1.9.1?
Attachment #463008 - Flags: approval1.9.2.9? → approval1.9.2.9+
Comment on attachment 463008 [details] [diff] [review]
Oops, yes

Note: this patch applies cleanly after s|dom/base|dom/src/base|g
Attachment #463008 - Flags: approval1.9.1.12?

Comment 10

9 years ago
Comment on attachment 463008 [details] [diff] [review]
Oops, yes

a=LegNeato for 1.9.1.12
Attachment #463008 - Flags: approval1.9.1.12? → approval1.9.1.12+
Verified with attached testcase in 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.12pre) Gecko/20100817 Shiretoko/3.5.12pre ( .NET CLR 3.5.30729) and in 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9pre) Gecko/20100817 Namoroka/3.6.9pre ( .NET CLR 3.5.30729).
Alias: CVE-2010-2767
Group: core-security
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.