Bug 588929 - (CVE-2010-3180) Use after free - nsBarProp
Status: RESOLVED FIXED
Whiteboard: [sg:critical?]
Product: Core
Classification: Components
Component: DOM
Version: Trunk
Platform: All / All
Priority: --, Severity: critical
Assigned To: Olli Pettay [:smaug]
Blocks: 575102
Reported: 2010-08-19 13:20 PDT by Sergey Glazunov
Modified: 2014-09-04 09:38 PDT
Flags: rforbes: sec-bounty+
Tracking: final+ (2.0); .11+ / .11-fixed (1.9.2); .14+ / .14-fixed (1.9.1)


Attachments
  testcase (240 bytes, text/html), 2010-08-19 13:24 PDT, Sergey Glazunov; no flags
  patch (2.96 KB, patch), 2010-08-19 14:53 PDT, Olli Pettay [:smaug]; jst: review+, mrbkap: superreview+
  for 1.9.2 (2.84 KB, patch), 2010-09-14 06:41 PDT, Olli Pettay [:smaug]; dveditz: approval1.9.2.11+
  for 1.9.1 (2.88 KB, patch), 2010-09-14 06:43 PDT, Olli Pettay [:smaug]; dveditz: approval1.9.1.14+

Description Sergey Glazunov 2010-08-19 13:20:47 PDT
Reproduced on 4.0b5pre and 3.6.8.
The repro contains this:

  w = open(1, 1, 1);                  // open a new window
  o = w.locationbar;                  // keep a JS reference to its BarProp
  w.close();                          // close the window while o still references it

  s = '';
  setInterval('s += o.visible', 50);  // keep reading the BarProp after the window is gone

http://crash-stats.mozilla.com/report/index/1b83dc24-cdb7-4435-838d-643822100819
Comment 1 Sergey Glazunov 2010-08-19 13:24:11 PDT
Created attachment 467523
testcase
Comment 3 Olli Pettay [:smaug] 2010-08-19 14:08:03 PDT
Just FYI, this is a "regression" from <tbogard@aol.net> 2000-02-08 05:38.
Comment 4 Olli Pettay [:smaug] 2010-08-19 14:53:11 PDT
Created attachment 467554
patch

This is the simplest fix I could think of. And better to make those
nsBarProp methods not throw.
Comment 5 Olli Pettay [:smaug] 2010-08-19 14:55:07 PDT
Another, not quite as simple, option would be to have a weak reference (not raw) to
DOMWindow, and get browserchrome from it.
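As an added example (not Gecko code and not part of any patch on this bug), the following is a minimal C++ model of the ownership shape behind the crash in the description, a BarProp-like object caching a raw pointer to chrome that is destroyed when script closes the window, placed next to the weak-reference shape suggested in comment 5, whose accessor resolves the owner on every call and answers false instead of dereferencing or throwing (comment 4). The names Chrome, Window, BarPropRaw, BarPropWeak and replayTestcase are hypothetical, chosen for this example, and std::shared_ptr/std::weak_ptr stand in for whatever ownership and weak-reference mechanism the real code uses.

```cpp
// Added example, not Gecko code: a minimal C++ model of the ownership shape
// behind this bug (a BarProp object holding a raw pointer to browser chrome
// that is destroyed when script closes the window) next to the weak-reference
// shape suggested in comment 5. Chrome, Window, BarPropRaw, BarPropWeak and
// replayTestcase are hypothetical names chosen for this example.
#include <cstdio>
#include <memory>

// Stands in for the browser-chrome object whose lifetime is tied to the window.
struct Chrome {
    bool locationbarVisible = true;
};

// Stands in for the DOM window; close() destroys the chrome it owns.
struct Window {
    std::shared_ptr<Chrome> chrome = std::make_shared<Chrome>();
    void close() { chrome.reset(); }  // last owner drops it: Chrome is freed here
};

// Buggy shape: a raw pointer that nobody clears when the window closes.
// After Window::close() it dangles, and visible() reads freed memory.
struct BarPropRaw {
    Chrome* chrome;
    explicit BarPropRaw(Window& w) : chrome(w.chrome.get()) {}
    bool visible() const { return chrome->locationbarVisible; }  // UAF once closed
};

// Fixed shape: keep a weak reference to the owner and resolve it on every call.
// When the owner is gone, answer "not visible" rather than dereferencing or
// throwing, so a script polling the property keeps running harmlessly.
struct BarPropWeak {
    std::weak_ptr<Chrome> chrome;
    explicit BarPropWeak(Window& w) : chrome(w.chrome) {}
    bool visible() const {
        if (std::shared_ptr<Chrome> c = chrome.lock()) return c->locationbarVisible;
        return false;
    }
    bool isDetached() const { return chrome.expired(); }
};

// Before close() both shapes agree: the chrome is alive and visible.
bool rawVisibleBeforeClose() {
    Window w;
    BarPropRaw o(w);
    return o.visible();
}

bool weakVisibleBeforeClose() {
    Window w;
    BarPropWeak o(w);
    return o.visible();
}

// After close() only the weak shape may be queried; it reports false.
bool weakVisibleAfterClose() {
    Window w;
    BarPropWeak o(w);
    w.close();
    return o.visible();
}

// Replays the testcase's sequence with the fixed shape: open, take the
// locationbar, close, then poll visible() `polls` times (the setInterval loop).
// Returns how many polls found the chrome already destroyed; every one of
// them is detected through the weak reference and none touches freed memory.
int replayTestcase(int polls) {
    Window w;
    BarPropWeak o(w);
    w.close();
    int detached = 0;
    for (int i = 0; i < polls; ++i) {
        if (o.isDetached()) ++detached;
        (void)o.visible();
    }
    return detached;
}

int main() {
    std::printf("visible before close: %d\n", weakVisibleBeforeClose());
    std::printf("visible after close: %d\n", weakVisibleAfterClose());
    std::printf("polls that hit a destroyed chrome: %d of 5\n", replayTestcase(5));
    return 0;
}
```

The raw shape is deliberately never queried after close() in this example, since that read is undefined behaviour; the point of the model is that the accessor must re-resolve ownership on each call (and tolerate an already-destroyed owner) instead of caching a pointer whose lifetime script can end at any time.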
Comment 6 Martijn Wargers [:mwargers] (not working for Mozilla) 2010-08-19 16:41:56 PDT
Is this related to bug 575102?
Comment 7 christian 2010-08-20 10:30:00 PDT
If this gets reviewed and can land today it will make 3.6.9/3.5.12. If not, it will have to wait for the next release. Please ask for landing approval when/if it gets ready today. Thanks!
Comment 8 Olli Pettay [:smaug] 2010-08-25 07:12:12 PDT
http://hg.mozilla.org/mozilla-central/rev/7de93c31c0f2
Comment 9 Olli Pettay [:smaug] 2010-09-14 06:41:09 PDT
Created attachment 475069
for 1.9.2
Comment 10 Olli Pettay [:smaug] 2010-09-14 06:43:24 PDT
Created attachment 475070
for 1.9.1
Comment 11 Daniel Veditz [:dveditz] 2010-09-17 11:33:44 PDT
Comment on attachment 475069
for 1.9.2

Approved for 1.9.2.11, a=dveditz for release-drivers
Comment 12 Daniel Veditz [:dveditz] 2010-09-17 11:33:58 PDT
Comment on attachment 475070
for 1.9.1

Approved for 1.9.1.14, a=dveditz for release-drivers