Bug 701806: Crash [@0x0 | txStylesheetCompiler::flushCharacters]
Status: RESOLVED DUPLICATE of bug 702466
Opened 13 years ago, closed 13 years ago
Categories: Core :: XSLT, defect
Reporter: aki.helin
Assignee: Unassigned
Whiteboard: [sg:dupe 702466]
Attachments: 1 file (342 bytes, image/svg+xml)

Opening the attached SVG causes a crash with null IP. The SVG uses XSL transforms. I'm reporting this as a potential security issue even though the crash is a null, because some common ways to get a null IP (e.g. stack buffer overflow) are more likely exploitable than run-of-the-mill null reads.

Crash traces (from 64-bit Debian 6.0.3):
8.0 - https://crash-stats.mozilla.com/report/index/bp-c39ae37b-3dfe-4cf0-8f66-257cc2111111
9.0 beta - https://crash-stats.mozilla.com/report/index/bp-ff091148-d992-4daa-a7d5-985e42111111

Added URL to the same testcase because loading the attached testcase gives "Error loading stylesheet: An unknown error has occurred (805303f4)". Works via the link here.
Comment 2•13 years ago
Don't like forward duping, but bug 702466 looks like the same thing and already has some developers and analysis on it.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 702466]
Updated•13 years ago
Component: General → XSLT
Product: Firefox → Core
QA Contact: general → xslt
Version: 8 Branch → Trunk
Comment 6•12 years ago
This problem has been assigned CVE-2012-0449 (over in bug 702466, but since this was the first report wanted to make sure it was noted here, too).
Updated•12 years ago
Group: core-security
Updated•11 years ago
Flags: sec-bounty+