Closed
Bug 787777
Opened 12 years ago
Closed 12 years ago
use-after-free in nsDocumentOpenInfo::DispatchContent
Categories
(Core :: General, defect)
RESOLVED
DUPLICATE
of bug 787778
People
(Reporter: miaubiz, Unassigned)
Details
(Whiteboard: [sg:dupe 787778])
Attachments
(1 file)
216 bytes,
text/plain
When I open this

<html>
<head>
<script>
window.onload = function() { window.document.x.src='a' }
</script>
</head>
<body>
<embed name="x" src="http://mozilla.org"> </embed>
</body>
</html>

I get this:

=================================================================
==24242== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffc5b03d98 at pc 0x7ffff0da8d98 bp 0x7fffffff9730 sp 0x7fffffff9728
READ of size 8 at 0x7fffc5b03d98 thread T0
    #0 0x7ffff0da8d98 in nsCOMPtr_base::assign_assuming_AddRef(nsISupports*) /builds/slave/try-lnx64/build/xpcom/build/../glue/nsCOMPtr.h:436
    #1 0x7ffff005516e in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/slave/try-lnx64/build/uriloader/base/nsURILoader.cpp:375
    #2 0x7ffff005487b in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/try-lnx64/build/uriloader/base/nsURILoader.cpp:263
0x7fffc5b03d98 is located 24 bytes inside of 72-byte region [0x7fffc5b03d80,0x7fffc5b03dc8)
freed by thread T0 here:
    #0 0x42ae21 in free ??:0
    #1 0x7ffff0053f88 in nsAutoRefCnt::operator=(unsigned int) /builds/slave/try-lnx64/build/../../dist/include/mozilla/mozalloc.h:224
    #2 0x7ffff0eaf825 in NS_InvokeByIndex_P /builds/slave/try-lnx64/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:165

Works on linux + m-c, linux + aurora and osx + m-c at least.
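Editor's note (added illustration, not the reporter's attachment and not Mozilla code): the two ASan stacks above describe a classic refcount-lifetime bug. The object was freed when its refcount hit zero (nsAutoRefCnt::operator=) inside an XPCOM call (NS_InvokeByIndex_P), i.e. during a re-entrant callback, and DispatchContent then read a field of it through a raw pointer. The C model below reproduces that shape with invented names (OpenInfo, Listener, dispatch_content_unsafe/safe) and replaces the actual free() with an `alive` flag so the dead read is observable without undefined behaviour. The hardened variant holds a strong reference across the callback, the generic mitigation for this class; the page does not say what the real fix in bug 787778 was, and this example makes no claim about it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a refcounted object whose only owner is a listener
 * that the object itself calls back into. 'alive' stands in for the heap
 * block being freed, so a dead read can be counted instead of crashing. */
typedef struct Listener Listener;

typedef struct OpenInfo {
    int refcnt;
    int alive;
    Listener *listener;
    const char *content_type;
} OpenInfo;

struct Listener {
    void (*on_start)(Listener *self, OpenInfo *info); /* OnStartRequest-style hook */
    OpenInfo *owner;
};

static int g_dead_reads; /* reads of an object whose last reference is gone */

static void openinfo_addref(OpenInfo *o) { o->refcnt++; }

static void openinfo_release(OpenInfo *o) {
    if (--o->refcnt == 0) {
        o->alive = 0;      /* real code: free(o) */
        o->listener = NULL;
    }
}

static OpenInfo *openinfo_new(Listener *l) {
    OpenInfo *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->refcnt = 1;         /* the listener is the sole owner */
    o->alive = 1;
    o->listener = l;
    o->content_type = "text/html";
    l->owner = o;
    return o;
}

/* A listener that drops its owner's last reference from inside the callback,
 * the way script reached through an XPCOM call can tear down the very load
 * it is being notified about. */
static void releasing_on_start(Listener *self, OpenInfo *info) {
    self->owner = NULL;
    openinfo_release(info);
}

/* Vulnerable shape: 'this' is used after a re-entrant callback that may have
 * released it. Here that is counted and NULL returned; real code would read
 * freed memory, which is what ASan reported above. */
static const char *dispatch_content_unsafe(OpenInfo *info) {
    info->listener->on_start(info->listener, info);
    if (!info->alive) {
        g_dead_reads++;
        return NULL;
    }
    return info->content_type;
}

/* Hardened shape: take a strong reference for the duration of the call so a
 * release from inside the callback cannot destroy the object under us. */
static const char *dispatch_content_safe(OpenInfo *info) {
    const char *ct;
    openinfo_addref(info);
    info->listener->on_start(info->listener, info);
    ct = info->content_type;  /* still alive: we hold a reference */
    openinfo_release(info);   /* object may die here, after the read */
    return ct;
}

/* Returns 1 if the unsafe dispatcher touched a released object. */
int demo_unsafe(void) {
    Listener l = { releasing_on_start, NULL };
    OpenInfo *o = openinfo_new(&l);
    int hit;
    g_dead_reads = 0;
    hit = (dispatch_content_unsafe(o) == NULL) && (g_dead_reads == 1);
    free(o);
    return hit;
}

/* Returns the content type read by the safe dispatcher, or NULL on failure. */
const char *demo_safe(void) {
    Listener l = { releasing_on_start, NULL };
    OpenInfo *o = openinfo_new(&l);
    const char *ct;
    g_dead_reads = 0;
    ct = dispatch_content_safe(o);
    if (o->alive || g_dead_reads != 0) ct = NULL; /* must be gone, and only after the read */
    free(o);
    return ct;
}

int main(void) {
    const char *ct = demo_safe();
    printf("unsafe dispatch read a released object: %s\n", demo_unsafe() ? "yes" : "no");
    printf("safe dispatch read: %s\n", ct ? ct : "(null)");
    return 0;
}
```

The check a practitioner wants when triaging a trace like this one: find the callback between the free stack and the use stack, and ask whether the caller holds its own reference across it. In this model the callback is on_start; in the report it is whatever NS_InvokeByIndex_P dispatched to before control returned to DispatchContent.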
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
Group: core-security
Whiteboard: [sg:dupe 787778]