Closed Bug 776213 (CVE-2012-1976) Opened 12 years ago Closed 12 years ago

Heap-use-after-free in nsHTMLSelectElement::SubmitNamesValues

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
All
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla17
Tracking Status
firefox14 --- wontfix
firefox15 + fixed
firefox16 + fixed
firefox17 + fixed
firefox-esr10 15+ fixed

People

(Reporter: inferno, Assigned: mccr8)

References

Details

(4 keywords, Whiteboard: [asan][advisory-tracking+][qa?])

Attachments

(2 files)

Reproduces on trunk. Repro reproduced once (but got it under a fully symbolized build). As I have a better testcase, I will add it here.

=================================================================
==2410== ERROR: AddressSanitizer heap-use-after-free on address 0x7f19a99a1280 at pc 0x7f19d6751fef bp 0x7fff085f3390 sp 0x7fff085f3388
READ of size 8 at 0x7f19a99a1280 thread T0
    #0 0x7f19d6751fef in nsHTMLSelectElement::SubmitNamesValues(nsFormSubmission*) src/content/html/content/src/nsHTMLSelectElement.cpp:1747
    #1 0x7f19d6752c9f in non-virtual thunk to nsHTMLSelectElement::SubmitNamesValues(nsFormSubmission*) asn1cmn.c:0
    #2 0x7f19d635feb2 in nsHTMLFormElement::WalkFormElements(nsFormSubmission*) src/content/html/content/src/nsHTMLFormElement.cpp:983
    #3 0x7f19d635be9a in nsHTMLFormElement::BuildSubmission(nsFormSubmission**, nsEvent*) src/content/html/content/src/nsHTMLFormElement.cpp:772
    #4 0x7f19d635ab79 in nsHTMLFormElement::DoSubmit(nsEvent*) src/content/html/content/src/nsHTMLFormElement.cpp:706
    #5 0x7f19d6353d19 in nsHTMLFormElement::DoSubmitOrReset(nsEvent*, int) src/content/html/content/src/nsHTMLFormElement.cpp:657
    #6 0x7f19d635360b in nsHTMLFormElement::Submit() src/content/html/content/src/nsHTMLFormElement.cpp:391
    #7 0x7f19d635400c in non-virtual thunk to nsHTMLFormElement::Submit() asn1cmn.c:0
    #8 0x7f19da2aa1b1 in nsIDOMHTMLFormElement_Submit(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:14382
    #9 0x7f19e5566587 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:382
    #10 0x7f19e54dd593 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2426
    #11 0x7f19e5464725 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:302
    #12 0x7f19e55669a9 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:356
    #13 0x7f19e4e9c430 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #14 0x7f19e556bb0d in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:388
    #15 0x7f19e4d470d9 in JS_CallFunctionValue src/js/src/jsapi.cpp:5572
    #16 0x7f19d7225bf5 in nsJSContext::CallEventHandler(nsISupports*, JSObject*, JSObject*, nsIArray*, nsIVariant**) src/dom/base/nsJSEnvironment.cpp:1891
    #17 0x7f19d79c6ca6 in nsJSEventListener::HandleEvent(nsIDOMEvent*) src/dom/src/events/nsJSEventListener.cpp:188
    #18 0x7f19d5e24bb3 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:794
    #19 0x7f19d5e2607a in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:867
    #20 0x7f19d5fd4c97 in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.h:144
    #21 0x7f19d5fc3936 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:185
    #22 0x7f19d5fc149c in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:313
    #23 0x7f19d5fc6fb0 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) src/content/events/src/nsEventDispatcher.cpp:634
    #24 0x7f19d367419f in DocumentViewerImpl::LoadComplete(unsigned int) src/layout/base/nsDocumentViewer.cpp:1017
    #25 0x7f19db0e5dd8 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) src/docshell/base/nsDocShell.cpp:6294
    #26 0x7f19db0ddae1 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) src/docshell/base/nsDocShell.cpp:6125
    #27 0x7f19db0decd5 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) asn1cmn.c:0
    #28 0x7f19db1e4fd4 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, unsigned int) src/uriloader/base/nsDocLoader.cpp:1352
    #29 0x7f19db1e29e5 in nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned int) src/uriloader/base/nsDocLoader.cpp:930
    #30 0x7f19db1dbc38 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:822
    #31 0x7f19db1e01bc in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) src/uriloader/base/nsDocLoader.cpp:704
    #32 0x7f19db1e1d0d in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) asn1cmn.c:0
    #33 0x7f19d2042e89 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned int) src/netwerk/base/src/nsLoadGroup.cpp:698
    #34 0x7f19d510bd94 in nsDocument::DoUnblockOnload() src/content/base/src/nsDocument.cpp:7189
    #35 0x7f19d510b821 in nsDocument::UnblockOnload(bool) src/content/base/src/nsDocument.cpp:7132
    #36 0x7f19d701ed84 in nsBindingManager::DoProcessAttachedQueue() src/content/xbl/src/nsBindingManager.cpp:990
    #37 0x7f19d70390f9 in nsRunnableMethodImpl<void (nsBindingManager::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:349
    #38 0x7f19de8eb8fd in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:625
    #39 0x7f19de57a6ad in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:217
    #40 0x7f19dd519ce6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #41 0x7f19deb9db9a in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:209
    #42 0x7f19deb9d9e3 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:202
    #43 0x7f19deb9d8c8 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:176
    #44 0x7f19dca23c8e in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:165
    #45 0x7f19db676eb8 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:257
    #46 0x7f19d1e04d20 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3787
    #47 0x7f19d1e0b6c2 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3864
    #48 0x7f19d1e0eb92 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3940
    #49 0x40c28f in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:160
    #50 0x409cbd in main src/browser/app/nsBrowserApp.cpp:298
    #51 0x7f19ee9c3c4d in ?? ??:0
0x7f19a99a1280 is located 0 bytes inside of 232-byte region [0x7f19a99a1280,0x7f19a99a1368)
freed by thread T0 here:
    #0 0x4a4392 in free ??:0
    #1 0x7f19eb84f5c3 in moz_free src/memory/mozalloc/mozalloc.cpp:49
    #2 0x7f19d6720436 in ~nsHTMLSelectElement src/content/html/content/src/nsHTMLSelectElement.cpp:134
    #3 0x7f19d541237d in nsNodeUtils::LastRelease(nsINode*) src/content/base/src/nsNodeUtils.cpp:252
    #4 0x7f19d52e8e4f in nsGenericElement::Release() src/content/base/src/nsGenericElement.cpp:3509
    #5 0x7f19d6721884 in nsHTMLSelectElement::Release() src/content/html/content/src/nsHTMLSelectElement.cpp:146
    #6 0x7f19de57d1db in nsXPCOMCycleCollectionParticipant::UnrootImpl(void*) src/objdir-ff-asan-sym/xpcom/build/nsCycleCollectionParticipant.cpp:37
    #7 0x7f19de9a21ec in nsCycleCollector::CollectWhite(nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:2305
    #8 0x7f19de9a9ef6 in nsCycleCollector::FinishCollection(nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:2845
    #9 0x7f19de9af388 in nsCycleCollectorRunner::Collect(bool, nsCycleCollectorResults*, nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:3147
    #10 0x7f19de9ae095 in nsCycleCollector_collect(bool, nsCycleCollectorResults*, nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:3236
    #11 0x7f19d72017f5 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int, bool) src/dom/base/nsJSEnvironment.cpp:3072
    #12 0x7f19d72463f2 in CCTimerFired(nsITimer*, void*) src/dom/base/nsJSEnvironment.cpp:3263
    #13 0x7f19de927692 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:474
    #14 0x7f19de9292cc in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:558
    #15 0x7f19de8eb8fd in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:625
    #16 0x7f19de57a6ad in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:217
    #17 0x7f19db58e826 in nsXULWindow::ShowModal() src/xpfe/appshell/src/nsXULWindow.cpp:378
    #18 0x7f19db571732 in nsContentTreeOwner::ShowAsModal() src/xpfe/appshell/src/nsContentTreeOwner.cpp:529
    #19 0x7f19db5718ac in non-virtual thunk to nsContentTreeOwner::ShowAsModal() asn1cmn.c:0
    #20 0x7f19db39a4eb in nsWindowWatcher::OpenWindowJSInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, nsIArray*, bool, nsIDOMWindow**) src/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:996
    #21 0x7f19db390b71 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) src/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:381
    #22 0x7f19dc80e8b1 in nsNSSDialogHelper::openDialog(nsIDOMWindow*, char const*, nsISupports*, bool) src/security/manager/pki/src/nsNSSDialogHelper.cpp:44
    #23 0x7f19dc7f391b in nsNSSDialogs::DisplayGeneratingKeypairInfo(nsIInterfaceRequestor*, nsIKeygenThread*) src/security/manager/pki/src/nsNSSDialogs.cpp:457
    #24 0x7f19dc7f3af7 in non-virtual thunk to nsNSSDialogs::DisplayGeneratingKeypairInfo(nsIInterfaceRequestor*, nsIKeygenThread*) asn1cmn.c:0
    #25 0x7f19dba35f05 in nsKeygenFormProcessor::GetPublicKey(nsAString_internal&, nsAString_internal&, nsString&, nsAString_internal&, nsAString_internal&) src/security/manager/ssl/src/nsKeygenHandler.cpp:658
    #26 0x7f19dba3a053 in nsKeygenFormProcessor::ProcessValue(nsIDOMHTMLElement*, nsAString_internal const&, nsAString_internal&) src/security/manager/ssl/src/nsKeygenHandler.cpp:800
    #27 0x7f19d675196e in nsHTMLSelectElement::SubmitNamesValues(nsFormSubmission*) src/content/html/content/src/nsHTMLSelectElement.cpp:1771
    #28 0x7f19d6752c9f in non-virtual thunk to nsHTMLSelectElement::SubmitNamesValues(nsFormSubmission*) asn1cmn.c:0
    #29 0x7f19d635feb2 in nsHTMLFormElement::WalkFormElements(nsFormSubmission*) src/content/html/content/src/nsHTMLFormElement.cpp:983
previously allocated by thread T0 here:
    #0 0x4a4452 in __interceptor_malloc ??:0
    #1 0x7f19eb84f717 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
    #2 0x7f19d671ecd9 in NS_NewHTMLSelectElement(already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) src/content/html/content/src/nsHTMLSelectElement.cpp:104
    #3 0x7f19d69f70ce in CreateHTMLElement(unsigned int, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) src/content/html/document/src/nsHTMLContentSink.cpp:497
    #4 0x7f19d69f7990 in NS_NewHTMLElement(nsIContent**, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) src/content/html/document/src/nsHTMLContentSink.cpp:480
    #5 0x7f19d53e3978 in NS_NewElement(nsIContent**, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) src/content/base/src/nsNameSpaceManager.cpp:201
    #6 0x7f19d84a2b55 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:340
    #7 0x7f19d84c3806 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:566
    #8 0x7f19d84ff746 in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:127
    #9 0x7f19de8eb8fd in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:625
    #10 0x7f19de57a6ad in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:217
    #11 0x7f19dd519ce6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #12 0x7f19deb9db9a in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:209
    #13 0x7f19deb9d9e3 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:202
    #14 0x7f19deb9d8c8 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:176
    #15 0x7f19dca23c8e in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:165
    #16 0x7f19db676eb8 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:257
    #17 0x7f19d1e04d20 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3787
    #18 0x7f19d1e0b6c2 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3864
    #19 0x7f19d1e0eb92 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3940
    #20 0x40c28f in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:160
    #21 0x409cbd in main src/browser/app/nsBrowserApp.cpp:298
    #22 0x7f19ee9c3c4d in ?? ??:0
==2410== ABORTING
Stats: 222M malloced (260M for red zones) by 614296 calls
Stats: 50M realloced by 30116 calls
Stats: 191M freed by 382570 calls
Stats: 58M really freed by 173153 calls
Stats: 464M (118841 full pages) mmaped in 116 calls
  mmaps   by size class: 8:425958; 9:57337; 10:65520; 11:20470; 12:4096; 13:3072; 14:1536; 15:384; 16:640; 17:160; 18:224; 19:48; 20:12;
  mallocs by size class: 8:452010; 9:59723; 10:72170; 11:20208; 12:3653; 13:3340; 14:1706; 15:411; 16:629; 17:148; 18:238; 19:47; 20:13;
  frees   by size class: 8:237578; 9:50565; 10:68846; 11:17073; 12:2672; 13:3053; 14:1487; 15:360; 16:531; 17:134; 18:218; 19:43; 20:10;
  rfrees  by size class: 8:129647; 9:23124; 10:8778; 11:8941; 12:816; 13:545; 14:723; 15:159; 16:342; 17:52; 18:21; 19:4; 20:1;
Stats: malloc large: 446 small slow: 2990
Shadow byte and word:
  0x1fe335334250: fd
  0x1fe335334250: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fe335334230: fa fa fa fa fa fa fa fa
  0x1fe335334238: fa fa fa fa fa fa fa fa
  0x1fe335334240: fa fa fa fa fa fa fa fa
  0x1fe335334248: fa fa fa fa fa fa fa fa
=>0x1fe335334250: fd fd fd fd fd fd fd fd
  0x1fe335334258: fd fd fd fd fd fd fd fd
  0x1fe335334260: fd fd fd fd fd fd fd fd
  0x1fe335334268: fd fd fd fd fd fd fd fd
  0x1fe335334270: fa fa fa fa fa fa fa fa
Some comments:

1. Freed element is nsHTMLSelectElement.
2. The call triggering the free is nsHTMLSelectElement::SubmitNamesValues(nsFormSubmission*), line nsHTMLSelectElement.cpp:1771: 'keyGenProcessor->ProcessValue(this, name, tmp);'
3. Use/crash happens at nsHTMLSelectElement::SubmitNamesValues(nsFormSubmission*), line nsHTMLSelectElement.cpp:1747. Since 1747 < 1771, it is probably happening at the next iteration of the loop here:

971 nsHTMLFormElement::WalkFormElements(nsFormSubmission* aFormSubmission)
972 {
973   nsTArray<nsGenericHTMLFormElement*> sortedControls;
.........
980   PRUint32 len = sortedControls.Length();
981   for (PRUint32 i = 0; i < len; ++i) {
982     // Tell the control to submit its name/value pairs to the submission
983     sortedControls[i]->SubmitNamesValues(aFormSubmission);
984   }

Probably coming from use of a weak-ptr array of node pointers :(
Component: General → DOM: Core & HTML
Product: Firefox → Core
That would be a regression from bug 347165.
I will gladly take that bug if there is a test case provided.
Keywords: testcase-wanted
Attached file Testcase
Let the testcase run for 30 sec. It should crash. For me, I could reproduce on both my Windows and Linux boxes.
Wanting to assign Mounir this one but he's on vacay...
I'll take it.
Assignee: nobody → khuey
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #7)
> I'll take it.

Thanks, really appreciated :)
If you are not done with it on the 5th, feel free to assign it to me.
Blocks: 347165
Assignee: khuey → continuation
Is the current thinking that a fix in time for FF15's release would be too risky?
It is possible to fix this in a very safe, but a bit ugly, way.
(manually addref/release the items in the array. That approach is used elsewhere.)
This just implements smaug's suggestion, which is also used with GetSortedControls in nsHTMLFormElement::CheckFormValidity.  Which suggests that it is bad to return a weakly-referenced array from it. ;)

I was able to reproduce the crash almost immediately on OSX without the patch, and it didn't crash after about 4 minutes with the patch.
Attachment #647264 - Flags: review?(bugs)
Attachment #647264 - Flags: review?(bugs) → review+
Whiteboard: [asan]
If we're going to try the safe & ugly way,
Continuing that thought...

If we're going to try to land this to 15 the safe & ugly way we will also need to make sure it can land in ESR10 at the same time and that the risk is low in both.  I'd feel most comfortable getting this into our next beta if possible (beta 4) so by next Monday, August 6th.
Yes, I went with the simple approach that matches what is done elsewhere.  This function hasn't changed in two years so it will be no problem to backport.  I'll nominate it in a few days, assuming it doesn't magically blow up.
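As an added illustration (not code from the bug, the patch or Gecko itself), the following C++ model shows the pattern the thread describes: a form walks a copied array of weak control pointers, submitting one control spins a nested event loop, and in that loop a later control is released and freed before the walk reaches it. The same walk with the array's entries AddRef'd for the duration (the approach attachment 647264 takes) visits only live objects. All type and function names are hypothetical; the live-object registry stands in for ASan's shadow memory.

```cpp
#include <functional>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for ASan's shadow memory: addresses of live controls.
static std::set<const void*> g_live;

struct Control {
  std::string name;
  int refcnt = 0;
  explicit Control(std::string n) : name(std::move(n)) { g_live.insert(this); }
  ~Control() { g_live.erase(this); }
  void AddRef() { ++refcnt; }
  void Release() { if (--refcnt == 0) delete this; }
};

struct Form {
  std::vector<Control*> owned;             // strong refs, like the DOM tree
  std::function<void(Form&)> nestedLoop;   // what the <keygen> dialog does mid-walk

  ~Form() { for (Control* c : owned) c->Release(); }
  void Add(const std::string& n) { Control* c = new Control(n); c->AddRef(); owned.push_back(c); }
  // Cycle collector tearing down control i while the walk is in progress.
  void Drop(size_t i) { Control* c = owned[i]; owned.erase(owned.begin() + i); c->Release(); }
  // Like the real GetSortedControls(): returns un-AddRef'd (weak) copies.
  std::vector<Control*> GetSortedControls() const { return owned; }
  void SubmitNamesValues(Control*) { if (nestedLoop) nestedLoop(*this); }

  // Walks the weak array; returns how many entries were already freed when visited.
  int Walk(bool holdStrongRefs) {
    std::vector<Control*> sorted = GetSortedControls();
    if (holdStrongRefs) for (Control* c : sorted) c->AddRef();     // the fix
    int freedBeforeVisit = 0;
    for (size_t i = 0; i < sorted.size(); ++i) {
      if (!g_live.count(sorted[i])) { ++freedBeforeVisit; continue; }  // ASan would abort here
      SubmitNamesValues(sorted[i]);
    }
    if (holdStrongRefs) for (Control* c : sorted) c->Release();    // frees anything dropped mid-walk
    return freedBeforeVisit;
  }
};

// Scenario: submitting the first control drops the second, as the keygen
// dialog's nested event loop let the cycle collector do in the ASan report.
static int RunScenario(bool holdStrongRefs) {
  Form form;
  form.nestedLoop = [](Form& f) { if (f.owned.size() > 1) f.Drop(1); };
  form.Add("keygen-select");
  form.Add("other-select");
  return form.Walk(holdStrongRefs);   // 1 freed-before-visit without the fix, 0 with it
}

int main() { return (RunScenario(false) == 1 && RunScenario(true) == 0) ? 0 : 1; }
```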
https://hg.mozilla.org/mozilla-central/rev/ec5a657c9751
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Comment on attachment 647264 [details] [diff] [review]
hold onto sortedControls

[Approval Request Comment]
Bug caused by (feature/regressing bug #): something pre-10
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: possible exploits
Testing completed (on m-c, etc.): It has been on m-c for about a week.
Fix Landed on Version: 17.
Risk to taking this patch (and alternatives if risky): low, it just follows a simple pattern for keeping things alive slightly longer.
String or UUID changes made by this patch: none
Attachment #647264 - Flags: approval-mozilla-esr10?
Attachment #647264 - Flags: approval-mozilla-beta?
Attachment #647264 - Flags: approval-mozilla-aurora?
(In reply to Andrew McCreight [:mccr8] from comment #17)
> Bug caused by (feature/regressing bug #): something pre-10

Ah, right.  Bug 347165.
Attachment #647264 - Flags: approval-mozilla-esr10?
Attachment #647264 - Flags: approval-mozilla-esr10+
Attachment #647264 - Flags: approval-mozilla-beta?
Attachment #647264 - Flags: approval-mozilla-beta+
Attachment #647264 - Flags: approval-mozilla-aurora?
Attachment #647264 - Flags: approval-mozilla-aurora+
Whiteboard: [asan] → [asan][advisory-tracking+]
Should the attached testcase be added to the testsuite?
Whiteboard: [asan][advisory-tracking+] → [asan][advisory-tracking+][qa?]
It isn't really a test we can use as a test case.  It could be manually tested, though.  Just run it for a minute and see if the browser crashes.
Alias: CVE-2012-1976
Group: core-security
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+