Bug 772346 (CVE-2012-3958)
Heap-use-after-free in nsHTMLEditRules::DeleteNonTableElements
Status: RESOLVED FIXED (Closed)
Opened 13 years ago, closed 13 years ago
Categories: Core :: DOM: Editor, defect
Target milestone: mozilla16
Version | Tracking | Status |
---|---|---|
firefox14 | --- | unaffected |
firefox15 | + | fixed |
firefox16 | + | fixed |
firefox-esr10 | --- | unaffected |
People: Reporter: inferno, Assigned: ehsan.akhgari
Details: 4 keywords, Whiteboard: [asan][fixed by bug 775552 for Firefox 15][advisory-tracking+]
Attachments (1 file): patch, 830 bytes; roc: review+; lsblakk: approval-mozilla-beta+
Reproduces on trunk. My repro is ugly but reproduces reliably on my local machine. I will attach something here once I get a better minimized repro.
I debugged and didn't see a reason to wait for filing. Some of the stack frames are missing between #0 and #1 since this is an optimized build. But GetPreviousSibling() in #0 [see nsHTMLEditRules::DeleteNonTableElements] tells that the stale child is being accessed. It looks like a raw ptr issue probably coming from http://hg.mozilla.org/mozilla-central/diff/270ac87cffba/editor/libeditor/html/nsHTMLEditRules.cpp#l1.85. When I changed to nsCOMPtr and recompiled, the crash stopped.
=================================================================
==19766== ERROR: AddressSanitizer heap-use-after-free on address 0x7fc1cdd689b8 at pc 0x7fc20556baa8 bp 0x7fff36485200 sp 0x7fff364851f8
READ of size 8 at 0x7fc1cdd689b8 thread T0
#0 0x7fc20556baa8 in nsINode::GetPreviousSibling() const firefox/src/modules/zlib/src/inffast.c:0
#1 0x7fc2062f5dc0 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:577
#2 0x7fc20618d040 in nsPlaintextEditor::DeleteSelection(short, short) firefox/src/editor/libeditor/text/nsPlaintextEditor.cpp:657
#3 0x7fc2062f6468 in nsHTMLEditRules::WillInsertText(nsEditor::OperationID, mozilla::Selection*, bool*, bool*, nsAString_internal const*, nsAString_internal*, int) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:1260
#4 0x7fc2062f5ca3 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:570
#5 0x7fc20618d5ec in nsPlaintextEditor::InsertText(nsAString_internal const&) firefox/src/editor/libeditor/text/nsPlaintextEditor.cpp:700
#6 0x7fc2061c3c67 in nsInsertPlaintextCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) firefox/src/editor/libeditor/base/nsEditorCommands.cpp:834
#7 0x7fc2069858a9 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) firefox/src/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:175
#8 0x7fc20697ec11 in nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) firefox/src/embedding/components/commandhandler/src/nsBaseCommandController.cpp:153
#9 0x7fc2069824f7 in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) firefox/src/embedding/components/commandhandler/src/nsCommandManager.cpp:238
#10 0x7fc205de5469 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, bool*) firefox/src/content/html/document/src/nsHTMLDocument.cpp:3218
#11 0x7fc20721b125 in NS_InvokeByIndex_P firefox/src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:164
#12 0x7fc2066bdce8 in CallMethodHelper::Invoke() firefox/src/js/xpconnect/src/XPCWrappedNative.cpp:3071
#13 0x7fc2066cbfee in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) firefox/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
#14 0x7fc207b2807f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) firefox/src/js/src/jscntxtinlines.h:400
#15 0x7fc207b1de9e in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/src/js/src/jsinterp.cpp:2465
#16 0x7fc207b09315 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/src/js/src/jsinterp.cpp:299
#17 0x7fc207b29467 in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/src/js/src/jsinterp.cpp:482
#18 0x7fc207b297f1 in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) firefox/src/js/src/jsinterp.cpp:519
#19 0x7fc207a3a713 in EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) firefox/src/js/src/jsapi.cpp:5370
#20 0x7fc207a3a9d9 in JS_EvaluateUCScriptForPrincipalsVersionOrigin firefox/src/js/src/jsapi.cpp:5407
#21 0x7fc205f23907 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) firefox/src/dom/base/nsJSEnvironment.cpp:1466
#22 0x7fc205f7eece in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) firefox/src/dom/base/nsGlobalWindow.cpp:9519
#23 0x7fc205f6e285 in nsGlobalWindow::RunTimeout(nsTimeout*) firefox/src/dom/base/nsGlobalWindow.cpp:9783
#24 0x7fc205f7e378 in nsGlobalWindow::TimerCallback(nsITimer*, void*) firefox/src/dom/base/nsGlobalWindow.cpp:10055
#25 0x7fc2071f9094 in nsTimerImpl::Fire() firefox/src/xpcom/threads/nsTimerImpl.cpp:473
#26 0x7fc2071f95e6 in nsTimerEvent::Run() firefox/src/xpcom/threads/nsTimerImpl.cpp:559
#27 0x7fc2071ef654 in nsThread::ProcessNextEvent(bool, bool*) firefox/src/xpcom/threads/nsThread.cpp:624
#28 0x7fc20716061d in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:217
#29 0x7fc206f5fd48 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/src/ipc/glue/MessagePump.cpp:82
#30 0x7fc20726091f in MessageLoop::Run() firefox/src/ipc/chromium/src/base/message_loop.cc:176
#31 0x7fc206d6f73e in nsBaseAppShell::Run() firefox/src/widget/xpwidgets/nsBaseAppShell.cpp:165
#32 0x7fc205171943 in XREMain::XRE_main(int, char**, nsXREAppData const*) firefox/src/toolkit/xre/nsAppRunner.cpp:3864
#33 0x7fc205172272 in XRE_main firefox/src/toolkit/xre/nsAppRunner.cpp:3940
#34 0x409e93 in do_main(int, char**) firefox/src/browser/app/nsBrowserApp.cpp:160
#35 0x40957d in main firefox/src/browser/app/nsBrowserApp.cpp:330
#36 0x7fc20c9a2c4d in ?? ??:0
0x7fc1cdd689b8 is located 56 bytes inside of 120-byte region [0x7fc1cdd68980,0x7fc1cdd689f8)
freed by thread T0 here:
#0 0x425a42 in free ??:0
#1 0x7fc205b17a9b in nsNodeUtils::LastRelease(nsINode*) firefox/src/content/base/src/nsNodeUtils.cpp:252
#2 0x7fc205ad86df in nsGenericDOMDataNode::Release() firefox/src/content/base/src/nsGenericDOMDataNode.cpp:113
#3 0x7fc2063169ad in nsHTMLEditRules::DeleteNonTableElements(nsINode*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:2824
#4 0x7fc2062f5dc0 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:577
#5 0x7fc20618d040 in nsPlaintextEditor::DeleteSelection(short, short) firefox/src/editor/libeditor/text/nsPlaintextEditor.cpp:657
#6 0x7fc2062f6468 in nsHTMLEditRules::WillInsertText(nsEditor::OperationID, mozilla::Selection*, bool*, bool*, nsAString_internal const*, nsAString_internal*, int) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:1260
#7 0x7fc2062f5ca3 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:570
#8 0x7fc20618d5ec in nsPlaintextEditor::InsertText(nsAString_internal const&) firefox/src/editor/libeditor/text/nsPlaintextEditor.cpp:700
#9 0x7fc2061c3c67 in nsInsertPlaintextCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) firefox/src/editor/libeditor/base/nsEditorCommands.cpp:834
#10 0x7fc2069858a9 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) firefox/src/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:175
#11 0x7fc20697ec11 in nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) firefox/src/embedding/components/commandhandler/src/nsBaseCommandController.cpp:153
#12 0x7fc2069824f7 in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) firefox/src/embedding/components/commandhandler/src/nsCommandManager.cpp:238
#13 0x7fc205de5469 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, bool*) firefox/src/content/html/document/src/nsHTMLDocument.cpp:3218
#14 0x7fc20721b125 in NS_InvokeByIndex_P firefox/src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:164
#15 0x7fc2066bdce8 in CallMethodHelper::Invoke() firefox/src/js/xpconnect/src/XPCWrappedNative.cpp:3071
#16 0x7fc2066cbfee in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) firefox/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
#17 0x7fc207b2807f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) firefox/src/js/src/jscntxtinlines.h:400
#18 0x7fc207b1de9e in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/src/js/src/jsinterp.cpp:2465
#19 0x7fc207b09315 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/src/js/src/jsinterp.cpp:299
#20 0x7fc207b29467 in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/src/js/src/jsinterp.cpp:482
#21 0x7fc207b297f1 in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) firefox/src/js/src/jsinterp.cpp:519
#22 0x7fc207a3a713 in EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) firefox/src/js/src/jsapi.cpp:5370
#23 0x7fc207a3a9d9 in JS_EvaluateUCScriptForPrincipalsVersionOrigin firefox/src/js/src/jsapi.cpp:5407
#24 0x7fc205f23907 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) firefox/src/dom/base/nsJSEnvironment.cpp:1466
#25 0x7fc205f7eece in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) firefox/src/dom/base/nsGlobalWindow.cpp:9519
#26 0x7fc205f6e285 in nsGlobalWindow::RunTimeout(nsTimeout*) firefox/src/dom/base/nsGlobalWindow.cpp:9783
#27 0x7fc205f7e378 in nsGlobalWindow::TimerCallback(nsITimer*, void*) firefox/src/dom/base/nsGlobalWindow.cpp:10055
#28 0x7fc2071f9094 in nsTimerImpl::Fire() firefox/src/xpcom/threads/nsTimerImpl.cpp:473
#29 0x7fc2071f95e6 in nsTimerEvent::Run() firefox/src/xpcom/threads/nsTimerImpl.cpp:559
previously allocated by thread T0 here:
#0 0x425b02 in __interceptor_malloc ??:0
#1 0x7fc209fd13f0 in moz_xmalloc firefox/src/memory/mozalloc/mozalloc.cpp:54
#2 0x7fc205a3f31d in nsContentUtils::SetNodeTextContent(nsIContent*, nsAString_internal const&, bool) firefox/src/content/base/src/nsContentUtils.cpp:4310
#3 0x7fc20677c151 in nsIDOMNode_SetTextContent(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, int, JS::Value*) firefox/src/objdir-ff-asan/js/xpconnect/src/dom_quickstubs.cpp:5665
#4 0x7fc207b64928 in js::CallJSPropertyOpSetter(JSContext*, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, int, JS::Value*), JS::Handle<JSObject*>, JS::Handle<long>, int, JS::Value*) firefox/src/js/src/jscntxtinlines.h:460
#5 0x7fc207b695f1 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::Value*, int) firefox/src/js/src/jsobj.cpp:4924
#6 0x7fc207b2d620 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Value const&, JS::Value const&) firefox/src/js/src/jsinterpinlines.h:353
#7 0x7fc207b0bbb8 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/src/js/src/jsinterp.cpp:2378
#8 0x7fc207b09315 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/src/js/src/jsinterp.cpp:299
#9 0x7fc207b29467 in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/src/js/src/jsinterp.cpp:482
#10 0x7fc207b297f1 in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) firefox/src/js/src/jsinterp.cpp:519
#11 0x7fc207a3a713 in EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) firefox/src/js/src/jsapi.cpp:5370
#12 0x7fc207a3a9d9 in JS_EvaluateUCScriptForPrincipalsVersionOrigin firefox/src/js/src/jsapi.cpp:5407
#13 0x7fc205f23907 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) firefox/src/dom/base/nsJSEnvironment.cpp:1466
#14 0x7fc205f7eece in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) firefox/src/dom/base/nsGlobalWindow.cpp:9519
#15 0x7fc205f6e285 in nsGlobalWindow::RunTimeout(nsTimeout*) firefox/src/dom/base/nsGlobalWindow.cpp:9783
#16 0x7fc205f7e378 in nsGlobalWindow::TimerCallback(nsITimer*, void*) firefox/src/dom/base/nsGlobalWindow.cpp:10055
#17 0x7fc2071f9094 in nsTimerImpl::Fire() firefox/src/xpcom/threads/nsTimerImpl.cpp:473
#18 0x7fc2071f95e6 in nsTimerEvent::Run() firefox/src/xpcom/threads/nsTimerImpl.cpp:559
#19 0x7fc2071ef654 in nsThread::ProcessNextEvent(bool, bool*) firefox/src/xpcom/threads/nsThread.cpp:624
#20 0x7fc20716061d in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:217
#21 0x7fc206f5fd48 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/src/ipc/glue/MessagePump.cpp:82
#22 0x7fc20726091f in MessageLoop::Run() firefox/src/ipc/chromium/src/base/message_loop.cc:176
#23 0x7fc206d6f73e in nsBaseAppShell::Run() firefox/src/widget/xpwidgets/nsBaseAppShell.cpp:165
#24 0x7fc205171943 in XREMain::XRE_main(int, char**, nsXREAppData const*) firefox/src/toolkit/xre/nsAppRunner.cpp:3864
==19766== ABORTING
Stats: 254M malloced (344M for red zones) by 1006225 calls
Stats: 61M realloced by 90383 calls
Stats: 199M freed by 740263 calls
Stats: 96M really freed by 201732 calls
Stats: 528M (135231 full pages) mmaped in 132 calls
mmaps by size class: 8:704469; 9:81910; 10:24570; 11:20470; 12:5120; 13:4608; 14:1792; 15:512; 16:640; 17:160; 18:208; 19:48; 20:16;
mallocs by size class: 8:829738; 9:109453; 10:28229; 11:24936; 12:5172; 13:4924; 14:2120; 15:516; 16:683; 17:171; 18:222; 19:45; 20:16;
frees by size class: 8:588569; 9:95710; 10:23943; 11:20926; 12:3996; 13:3894; 14:1904; 15:444; 16:595; 17:151; 18:78; 19:40; 20:13;
rfrees by size class: 8:144710; 9:31877; 10:10454; 11:10832; 12:1184; 13:698; 14:1154; 15:224; 16:419; 17:82; 18:51; 19:37; 20:10;
Stats: malloc large: 454 small slow: 3904
Shadow byte and word:
0x1ff839bad137: fd
0x1ff839bad130: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1ff839bad110: 00 00 00 fb fb fb fb fb
0x1ff839bad118: fb fb fb fb fb fb fb fb
0x1ff839bad120: fa fa fa fa fa fa fa fa
0x1ff839bad128: fa fa fa fa fa fa fa fa
=>0x1ff839bad130: fd fd fd fd fd fd fd fd
0x1ff839bad138: fd fd fd fd fd fd fd fd
0x1ff839bad140: fa fa fa fa fa fa fa fa
0x1ff839bad148: fa fa fa fa fa fa fa fa
0x1ff839bad150: fd fd fd fd fd fd fd fd
Updated • 13 years ago (Reporter)
Whiteboard: [asan]
Comment 1 • 13 years ago
Yet another regression to not-follow-xpcom rules?
Comment 2 • 13 years ago (Assignee)
Attachment #640732 - Flags: review?(roc) → review+
Component: General → Editor
Product: Firefox → Core
Comment 3 • 13 years ago (Assignee)
Target Milestone: --- → mozilla16
Comment 4 • 13 years ago (Reporter)
Looks like this needs to be marked Resolved :)
Comment 5 • 13 years ago (Assignee)
mozilla-inbound is our integration branch which gets merged to mozilla-central a few times a day. We usually mark bugs as fixed when the patch lands on mozilla-central. This should probably happen some time tomorrow for this bug. :-)
Comment 6 • 13 years ago (Reporter)
Great! Good to know ....:)
Comment 7 • 13 years ago
And voilà! :-)
https://hg.mozilla.org/mozilla-central/rev/32b6c83aeac5
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
status-firefox16: --- → fixed
Resolution: --- → FIXED
Comment 8 • 13 years ago
This code is probably wrong anyway, for the same reason as in bug 767684. It now says
  for (nsCOMPtr<nsIContent> child = aNode->GetLastChild();
       child;
       child = child->GetPreviousSibling()) {
    nsresult rv = DeleteNonTableElements(child);
    NS_ENSURE_SUCCESS(rv, rv);
  }
But DeleteNonTableElements(child) might remove child, so GetPreviousSibling will incorrectly return null. Changing it back to the way it was should both fix the use-after-free and make it correctly affect all children:
  for (PRInt32 i = aNode->GetChildCount() - 1; i >= 0; --i) {
    nsresult rv = DeleteNonTableElements(aNode->GetChildAt(i));
    NS_ENSURE_SUCCESS(rv, rv);
  }
Anyway, this is likely a regression from bug 755264, and probably affects 15. I can't tell, because there's no test-case here (ugly or otherwise). Do we want to backport this?
Blocks: 755264
tracking-firefox15: --- → ?
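The three loop shapes discussed in this bug (raw pointer, strong-reference sibling walk, reverse index walk), as an added example that is not Gecko code and not part of the bug thread. It uses a toy refcounted tree in which `Node`, `remove`, `delete_non_table` and `make_parent` are hypothetical names, `std::shared_ptr` stands in for `nsCOMPtr`, and the callee is assumed to remove the child it is handed, as comment 8 says it might.

```cpp
// Added illustration: toy refcounted tree, not Gecko code; all names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

struct Node {  // stand-in for nsINode; shared_ptr plays the nsCOMPtr role
    Node* parent = nullptr;
    std::vector<std::shared_ptr<Node>> kids;
    // A node detached from its parent has no siblings, so this returns null.
    std::shared_ptr<Node> previous_sibling() const {
        if (!parent) return nullptr;
        for (std::size_t i = 1; i < parent->kids.size(); ++i)
            if (parent->kids[i].get() == this) return parent->kids[i - 1];
        return nullptr;
    }
    void remove() {  // drops the parent's owning reference
        if (!parent) return;
        auto& sibs = parent->kids;
        auto it = std::find_if(sibs.begin(), sibs.end(),
            [this](const std::shared_ptr<Node>& s) { return s.get() == this; });
        parent = nullptr;
        if (it != sibs.end()) sibs.erase(it);  // may destroy *this: touch nothing after
    }
};

// Assumed callee behaviour: the node is not a table element, so it is removed.
void delete_non_table(Node* n) { n->remove(); }
std::shared_ptr<Node> make_parent(int count) {
    auto p = std::make_shared<Node>();
    for (int i = 0; i < count; ++i) {
        p->kids.push_back(std::make_shared<Node>());
        p->kids.back()->parent = p.get();
    }
    return p;
}

// Raw-pointer loop: the parent held the only reference, so the call frees the child.
bool raw_child_freed_by_call() {
    auto p = make_parent(3);
    std::weak_ptr<Node> watch = p->kids.back();  // observes lifetime, reads no freed memory
    delete_non_table(p->kids.back().get());
    return watch.expired();  // a later child->previous_sibling() is the UAF
}

// Strong-reference sibling walk: no UAF, but the loop stops after one child.
std::size_t strong_ref_sibling_walk() {
    auto p = make_parent(3);
    for (std::shared_ptr<Node> c = p->kids.back(); c; c = c->previous_sibling())
        delete_non_table(c.get());
    return p->kids.size();  // children left behind
}

// Reverse index walk: re-reads the child list each step and visits every child.
std::size_t reverse_index_walk() {
    auto p = make_parent(3);
    for (int i = static_cast<int>(p->kids.size()) - 1; i >= 0; --i)
        delete_non_table(p->kids[i].get());
    return p->kids.size();
}

int main() {
    std::printf("freed=%d strong_left=%zu index_left=%zu\n",
                raw_child_freed_by_call(), strong_ref_sibling_walk(), reverse_index_walk());
}
```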
Comment 9 • 13 years ago (Assignee)
(In reply to :Aryeh Gregor from comment #8)
> This code is probably wrong anyway, for the same reason as in bug 767684.
> It now says
>
>   for (nsCOMPtr<nsIContent> child = aNode->GetLastChild();
>        child;
>        child = child->GetPreviousSibling()) {
>     nsresult rv = DeleteNonTableElements(child);
>     NS_ENSURE_SUCCESS(rv, rv);
>   }
>
> But DeleteNonTableElements(child) might remove child, so GetPreviousSibling
> will incorrectly return null. Changing it back to the way it was should
> both fix the use-after-free and make it correctly affect all children:
>
>   for (PRInt32 i = aNode->GetChildCount() - 1; i >= 0; --i) {
>     nsresult rv = DeleteNonTableElements(aNode->GetChildAt(i));
>     NS_ENSURE_SUCCESS(rv, rv);
>   }
>
> Anyway, this is likely a regression from bug 755264, and probably affects
> 15. I can't tell, because there's no test-case here (ugly or otherwise).
> Do we want to backport this?
Good point. For Aurora, I'd rather us back out bug 755264. Can you please attach a patch for that? Thanks!
Comment 10 • 13 years ago
(In reply to Ehsan Akhgari [:ehsan] from comment #9)
> Good point. For Aurora, I'd rather us back out bug 755264. Can you please
> attach a patch for that? Thanks!
Sure. FWIW, this extra bug was fixed by bug 772332 part 1, which is on m-i and may or may not make it to Aurora.
Comment 11 • 13 years ago (Assignee)
(In reply to :Aryeh Gregor from comment #10)
> (In reply to Ehsan Akhgari [:ehsan] from comment #9)
> > Good point. For Aurora, I'd rather us back out bug 755264. Can you please
> > attach a patch for that? Thanks!
>
> Sure. FWIW, this extra bug was fixed by bug 772332 part 1, which is on m-i
> and may or may not make it to Aurora.
It didn't, as it got backed out!
Comment 12 • 13 years ago
Filed bug 775552. The patch no longer backs out cleanly.
Comment 13 • 13 years ago
(In reply to :Aryeh Gregor from comment #12)
> Filed bug 775552. The patch no longer backs out cleanly.
Is there more work to be done here to resolve for FF15? I think bug 775552 just set us up to apply cleanly, correct?
Comment 14 • 13 years ago (Assignee)
(In reply to Alex Keybl [:akeybl] from comment #13)
> (In reply to :Aryeh Gregor from comment #12)
> > Filed bug 775552. The patch no longer backs out cleanly.
>
> Is there more work to be done here to resolve for FF15? I think bug 775552
> just set us up to apply cleanly, correct?
Hmm, I think we need the patch in bug 775552 to land on beta as well. I'll nominate it right now.
Comment 15 • 13 years ago (Assignee)
Comment on attachment 640732: Patch (v1)
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 755264
User impact if declined: sec-critical
Testing completed (on m-c, etc.): has baked on Nightly and Aurora
Risk to taking this patch (and alternatives if risky): this has very minimal risk
String or UUID changes made by this patch: none
Attachment #640732 - Flags: approval-mozilla-beta?
Comment 16 • 13 years ago
Comment on attachment 640732: Patch (v1)
Low risk, approving for beta.
Attachment #640732 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 17 • 13 years ago (Assignee)
I was about to land this and I realized that this has been fixed on beta by bug 775552 landing there. So I'm going to mark this as such.
Depends on: 775552
Whiteboard: [asan] → [asan][fixed by bug 775552 for Firefox 15]
Updated • 13 years ago
Whiteboard: [asan][fixed by bug 775552 for Firefox 15] → [asan][fixed by bug 775552 for Firefox 15][advisory-tracking+]
Updated • 13 years ago
Alias: CVE-2012-3958
Updated • 9 months ago
Keywords: reporter-external