Last Comment Bug 790164 - PresShell::DispatchTouchEvent should keep contentPresShell alive while using it
: PresShell::DispatchTouchEvent should keep contentPresShell alive while using it
regression from 732052
: csectype-uaf, regression, sec-critical
Product: Core
Classification: Components
Component: Layout (show other bugs)
: unspecified
: x86 Linux
: -- normal (vote)
: mozilla18
Assigned To: Wesley Johnston (:wesj)
: Jet Villegas (:jet)
Depends on:
Blocks: 732052
  Show dependency treegraph
Reported: 2012-09-11 00:27 PDT by Olli Pettay [:smaug]
Modified: 2012-09-24 15:39 PDT (History)
7 users (show)
ryanvm: in‑testsuite-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Patch (71 bytes, patch)
2012-09-11 10:23 PDT, Wesley Johnston (:wesj)
no flags Details | Diff | Splinter Review
Patch v2 (978 bytes, patch)
2012-09-11 10:24 PDT, Wesley Johnston (:wesj)
bugs: review+
akeybl: approval‑mozilla‑aurora+
akeybl: approval‑mozilla‑beta+
Details | Diff | Splinter Review

Description Olli Pettay [:smaug] 2012-09-11 00:27:19 PDT
I mentioned the problem few times in review comments, yet we have now an sg:crit bug ;)
Comment 1 Wesley Johnston (:wesj) 2012-09-11 10:23:50 PDT
Created attachment 660146 [details] [diff] [review]
Comment 2 Wesley Johnston (:wesj) 2012-09-11 10:24:28 PDT
Created attachment 660147 [details] [diff] [review]
Patch v2

Whoops. Sorry about that :(
Comment 3 Olli Pettay [:smaug] 2012-09-11 12:37:52 PDT
Comment on attachment 660147 [details] [diff] [review]
Patch v2

No need to assign nullptr.
Comment 5 Wesley Johnston (:wesj) 2012-09-11 13:35:46 PDT
Comment on attachment 660147 [details] [diff] [review]
Patch v2

I assume we want to move this forward.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 732052
User impact if declined: Security risks if the presShell is destroyed by the touch event.
Testing completed (on m-c, etc.): landed on mc today (9/11/12)
Risk to taking this patch (and alternatives if risky): Low risk.
String or UUID changes made by this patch: None.
Comment 6 Ryan VanderMeulen [:RyanVM] 2012-09-11 18:53:17 PDT
Comment 7 Alex Keybl [:akeybl] 2012-09-12 15:24:38 PDT
sec-critical regression in FF16 - approved for landing on branches.

Note You need to log in before you can comment on or make changes to this bug.