Crash [@ JSObject::isWrapper] with InstallTrigger, Iterator, E4X

RESOLVED DUPLICATE of bug 660517

Status

()

Core
XPConnect
--
critical
RESOLVED DUPLICATE of bug 660517
7 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: mrbkap)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
x86_64
Mac OS X
crash, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 660517])

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
Created attachment 540015 [details]
testcase (crashes Firefox when loaded)

This is a null deref, but anything involving InstallTrigger (chrome-content interaction) and wrappers is scary.
(Reporter)

Comment 1

7 years ago
Created attachment 540016 [details]
stack trace
moz_bug_r_a4 has had success messing with InstallTrigger, cc'ing him here.
Blake, this in and of itself doesn't look exploitable. Or do you see something here that looks scary?
Assignee: nobody → mrbkap
(Assignee)

Updated

7 years ago
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 660517
Whiteboard: [sg:dupe 660517]
Group: core-security
You need to log in before you can comment on or make changes to this bug.