Last Comment Bug 584512 - (CVE-2010-2767) nsPluginArray - memory corruption
: nsPluginArray - memory corruption
: crash, testcase, verified1.9.1, verified1.9.2
Product: Core
Classification: Components
Component: DOM (show other bugs)
: unspecified
: All All
: -- critical (vote)
: ---
Assigned To: Blake Kaplan (:mrbkap)
: Andrew Overholt [:overholt]
Depends on:
Blocks: 544875
  Show dependency treegraph
Reported: 2010-08-04 14:43 PDT by Sergey Glazunov
Modified: 2010-09-27 18:19 PDT (History)
13 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

testcase (481 bytes, text/html)
2010-08-04 14:45 PDT, Sergey Glazunov
no flags Details
Proposed fix (5.83 KB, patch)
2010-08-04 16:44 PDT, Blake Kaplan (:mrbkap)
no flags Details | Diff | Splinter Review
Oops, yes (5.82 KB, patch)
2010-08-04 17:49 PDT, Blake Kaplan (:mrbkap)
jst: review+
dveditz: approval1.9.2.9+
christian: approval1.9.1.12+
Details | Diff | Splinter Review

Description Sergey Glazunov 2010-08-04 14:43:51 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.14 Safari/534.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv: Gecko/20100722 Firefox/3.6.8

Looks like it's a use-after-free issue.
I think the testcase is self-explaining although it's quite weak - it takes a lot of time to trigger the crash.

Reproducible: Always

Also crashes 4.0b2.
Comment 1 Sergey Glazunov 2010-08-04 14:45:16 PDT
Created attachment 462935 [details]
Comment 2 Daniel Veditz [:dveditz] 2010-08-04 15:28:14 PDT
mrbkap thinks he has a patch
Comment 3 Blake Kaplan (:mrbkap) 2010-08-04 16:44:22 PDT
Created attachment 462981 [details] [diff] [review]
Proposed fix

This should do it -- we need to ensure that we notify our weak references about stuff going away. I'll file a followup bug after this lands on getting rid of the manual refcounting.
Comment 4 Reed Loden [:reed] (use needinfo?) 2010-08-04 17:32:22 PDT
Comment on attachment 462981 [details] [diff] [review]
Proposed fix

>+  if (mMimeTypeArray)
>+    mMimeTypeArray->Invalidate();

Comment 5 Blake Kaplan (:mrbkap) 2010-08-04 17:49:18 PDT
Created attachment 463008 [details] [diff] [review]
Oops, yes
Comment 6 Daniel Veditz [:dveditz] 2010-08-06 10:17:28 PDT
Let's get this into the branches.
Comment 7 Johnny Stenback (:jst, 2010-08-12 22:27:22 PDT
Pushed to mozilla-central.
Comment 8 christian 2010-08-12 23:46:29 PDT
Comment on attachment 463008 [details] [diff] [review]
Oops, yes

a=LegNeato for
This needs to be landed as soon as possible. Does the same apply to 1.9.1?
Comment 9 Blake Kaplan (:mrbkap) 2010-08-16 12:51:18 PDT
Comment on attachment 463008 [details] [diff] [review]
Oops, yes

Note: this patch applies cleanly after s|dom/base|dom/src/base|g
Comment 10 christian 2010-08-16 12:51:43 PDT
Comment on attachment 463008 [details] [diff] [review]
Oops, yes

a=LegNeato for
Comment 11 Blake Kaplan (:mrbkap) 2010-08-16 13:53:32 PDT
Comment 12 Blake Kaplan (:mrbkap) 2010-08-16 13:55:32 PDT
Comment 13 Al Billings [:abillings] 2010-08-17 15:54:29 PDT
Verified with attached testcase in 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20100817 Shiretoko/3.5.12pre ( .NET CLR 3.5.30729) and in 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20100817 Namoroka/3.6.9pre ( .NET CLR 3.5.30729).

Note You need to log in before you can comment on or make changes to this bug.