Closed Bug 588929 (CVE-2010-3180) Opened 9 years ago Closed 9 years ago

Use after free - nsBarProp

Categories

(Core :: DOM: Core & HTML, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
blocking1.9.2 --- .11+
status1.9.2 --- .11-fixed
blocking1.9.1 --- .14+
status1.9.1 --- .14-fixed

People

(Reporter: serg.glazunov, Assigned: smaug)

References

Details

(Whiteboard: [sg:critical?])

Attachments

(4 files)

Reproduced on 4.0b5pre and 3.6.8.
The repro contains this:

  w = open(1, 1, 1);
  o = w.locationbar;
  w.close();
  
  s = '';
  setInterval('s += o.visible', 50);

http://crash-stats.mozilla.com/report/index/1b83dc24-cdb7-4435-838d-643822100819
Attached file testcase
Assignee: nobody → Olli.Pettay
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Whiteboard: [sg:critical]
Just FYI, this is a "regression" from <tbogard@aol.net> 2000-02-08 05:38.
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
blocking2.0: ? → ---
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Attached patch patchSplinter Review
This is the simplest fix I could think of. And better to make those
nsBarProp methods not throw.
Attachment #467554 - Flags: superreview?(mrbkap)
Attachment #467554 - Flags: review?(jst)
Other, not quite as simple would be to have a weak reference (not raw) to
DOMWindow, and get browserchrome from it.
Attachment #467554 - Flags: superreview?(mrbkap) → superreview+
Is this related to bug 575102?
If this gets reviewed and can land today it will make 3.6.9/3.5.12. If not, it will have to wait for the next release. Please ask for landing approval when/if it gets ready today. Thanks!
Attachment #467554 - Flags: review?(jst) → review+
blocking2.0: ? → final+
blocking1.9.1: ? → .13+
blocking1.9.2: ? → .10+
Attachment #467554 - Flags: approval2.0?
Attachment #467554 - Flags: approval2.0?
http://hg.mozilla.org/mozilla-central/rev/7de93c31c0f2
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Attached patch for 1.9.2Splinter Review
Attachment #475069 - Flags: approval1.9.2.10?
Attached patch for 1.9.1Splinter Review
Attachment #475070 - Flags: approval1.9.1.13?
Comment on attachment 475069 [details] [diff] [review]
for 1.9.2

Approved for 1.9.2.11, a=dveditz for release-drivers
Attachment #475069 - Flags: approval1.9.2.11? → approval1.9.2.11+
Comment on attachment 475070 [details] [diff] [review]
for 1.9.1

Approved for 1.9.1.14, a=dveditz for release-drivers
Attachment #475070 - Flags: approval1.9.1.14? → approval1.9.1.14+
Alias: CVE-2010-3180
Whiteboard: [sg:critical] → [sg:critical?]
Group: core-security
Flags: sec-bounty+
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.