Closed Bug 588929 (CVE-2010-3180) Opened 15 years ago Closed 15 years ago

Use after free - nsBarProp

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+
blocking1.9.2 --- .11+
status1.9.2 --- .11-fixed
blocking1.9.1 --- .14+
status1.9.1 --- .14-fixed

People

(Reporter: serg.glazunov, Assigned: smaug)

References

Details

(Keywords: reporter-external, Whiteboard: [sg:critical?])

Attachments

(4 files)

testcase
240 bytes, text/html
Details
patch
2.96 KB, patch
jst
: review+
mrbkap
: superreview+
Details | Diff | Splinter Review
for 1.9.2
2.84 KB, patch
dveditz
: approval1.9.2.11+
Details | Diff | Splinter Review
for 1.9.1
2.88 KB, patch
dveditz
: approval1.9.1.14+
Details | Diff | Splinter Review
Reproduced on 4.0b5pre and 3.6.8. The repro contains this: w = open(1, 1, 1); o = w.locationbar; w.close(); s = ''; setInterval('s += o.visible', 50); http://crash-stats.mozilla.com/report/index/1b83dc24-cdb7-4435-838d-643822100819
Attached file testcase
Assignee: nobody → Olli.Pettay
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Whiteboard: [sg:critical]
Just FYI, this is a "regression" from <tbogard@aol.net> 2000-02-08 05:38.
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
blocking2.0: ? → ---
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Attached patch patchSplinter Review
This is the simplest fix I could think of. And better to make those nsBarProp methods not throw.
Attachment #467554 - Flags: superreview?(mrbkap)
Attachment #467554 - Flags: review?(jst)
Other, not quite as simple would be to have a weak reference (not raw) to DOMWindow, and get browserchrome from it.
Attachment #467554 - Flags: superreview?(mrbkap) → superreview+
Is this related to bug 575102?
If this gets reviewed and can land today it will make 3.6.9/3.5.12. If not, it will have to wait for the next release. Please ask for landing approval when/if it gets ready today. Thanks!
Attachment #467554 - Flags: review?(jst) → review+
blocking2.0: ? → final+
blocking1.9.1: ? → .13+
blocking1.9.2: ? → .10+
Attachment #467554 - Flags: approval2.0?
Attachment #467554 - Flags: approval2.0?
Blocks: 575102
http://hg.mozilla.org/mozilla-central/rev/7de93c31c0f2
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Attached patch for 1.9.2Splinter Review
Attachment #475069 - Flags: approval1.9.2.10?
Attached patch for 1.9.1Splinter Review
Attachment #475070 - Flags: approval1.9.1.13?
Comment on attachment 475069 [details] [diff] [review] for 1.9.2 Approved for 1.9.2.11, a=dveditz for release-drivers
Attachment #475069 - Flags: approval1.9.2.11? → approval1.9.2.11+
Comment on attachment 475070 [details] [diff] [review] for 1.9.1 Approved for 1.9.1.14, a=dveditz for release-drivers
Attachment #475070 - Flags: approval1.9.1.14? → approval1.9.1.14+
Alias: CVE-2010-3180
Whiteboard: [sg:critical] → [sg:critical?]
Group: core-security
Flags: sec-bounty+
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: