Closed Bug 752221 Opened 14 years ago Closed 13 years ago

Crash in XPCNativeScriptableInfo::GetFlags()

Categories

(Core :: DOM: Core & HTML, defect)

15 Branch
x86_64
All
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: ax330d, Assigned: bholley)

Details

(Keywords: sec-high, Whiteboard: [asan][sg:high])

Attachments

(3 files)

There is a crash in XPCNativeScriptableInfo::GetFlags() when adopting nodes. The test case was tested on my own Firefox 15.0a1 opt build (db1f131884de), where it crashes with a stack-buffer-overflow. It was also tested on the try build 15.0a1 (http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/decoder@own-hero.net-6d976534074e/try-linux64-debug/), where there is a regular crash.
Confirmed this. On a regular debug build, this shows up as a near-null crash: https://crash-stats.mozilla.com/report/index/c459471d-caa2-4785-bf5f-e960f2120505 . However, if ASan previously reported this as a stack-based memory safety violation then it's probably not a simple null deref.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → general
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
QA Contact: untriaged → general
Assignee: general → nobody
Component: JavaScript Engine → DOM
QA Contact: general → general
Assignee: nobody → bobbyholley+bmo
Keywords: sec-high
Whiteboard: [asan][sg:high]
Loading the testcase here in a current debug build doesn't trigger a crash for me. Is this reproducible on trunk? We've recently fixed various bugs related to adoptNode and such.
Yep, I cannot reproduce this one on build 264f0a7a878c anymore.
Resolving WFM. Please reopen if anyone can reproduce.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Group: core-security
Component: DOM → DOM: Core & HTML