
Rendering SVG causes EXCEPTION_ACCESS_VIOLATION_READ with the NoScript add-on

RESOLVED FIXED in Firefox 17

Status

Product: Core
Component: SVG
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 3 years ago

People

(Reporter: Julien DÉCHARNE, Unassigned)

Tracking

Version: 16 Branch
Target Milestone: mozilla19
Hardware: x86
OS: Windows 7
Keywords: crash, csectype-framepoisoning
Points: ---
Bug Flags: sec-bounty -

Firefox Tracking Flags

(firefox17 fixed, firefox18 fixed, firefox-esr10 unaffected, firefox-esr17 fixed)

Details

Whiteboard: [adv-main17-][adv-esr17-]

Description (Reporter), 5 years ago

STEPS TO REPRODUCE:

    1. Disable/uninstall NoScript, or start with a fresh profile
    2. Load http://www.w3c.org/Graphics/SVG/
    3. Enable or install NoScript
    4. Restart to complete the installation
    5. Load http://www.w3c.org/Graphics/SVG/ (no segfault: the page loads from cache)
    6. Clear the FF cache
    7. Restart
    8. Load http://www.w3c.org/Graphics/SVG/ (FF will segfault)

Other URLs that trigger the bug: none for the moment.

URLs that don't trigger the bug:

    http://www.w3c.org/
    http://www.w3c.org/Graphics/
    http://www.w3c.org/Graphics/WebCGM
    http://www.w3c.org/Graphics/PNG/
    (many others, of course)

Confirmed on Windows 7, see crash report:
https://crash-stats.mozilla.com/report/index/bp-ec363a2e-b834-4b85-bbc3-fd0452120826

Comment 1

5 years ago
It might be a dupe of bug 762494.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ nsLineBox::IndexOf(nsIFrame*)]
Ever confirmed: true
Keywords: crash
OS: Linux → Windows 7
Hardware: x86_64 → x86
Target Milestone: mozilla14 → ---
Version: 14 Branch → 16 Branch
Hiding because bug 762494 and bug 789719 are core-security.
Group: core-security
Depends on: 789719
Can someone retest this please? The fix in bug 807213 has now landed for 19, 18 and 17 and may well have fixed this.
Keywords: csec-framepoisoning
Based on the stack trace in the crash report in comment 0, bug 786740 will have fixed this. This is basically a duplicate of bug 792857.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Updated, 5 years ago
status-firefox17: --- → fixed
status-firefox18: --- → fixed
Target Milestone: --- → mozilla19
status-firefox-esr10: --- → unaffected
status-firefox-esr17: --- → fixed
Whiteboard: [adv-main17-][adv-esr17-]
Group: core-security
Flags: sec-bounty-