Closed Bug 790164 Opened 11 years ago Closed 11 years ago

PresShell::DispatchTouchEvent should keep contentPresShell alive while using it

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla18
Tracking Flags:
Tracking Status
firefox15 --- unaffected
firefox16 + fixed
firefox17 + fixed
firefox18 + fixed
firefox-esr10 --- unaffected

People

(Reporter: smaug, Assigned: wesj)

References

Details

(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: regression from 732052)

Attachments

(1 file, 1 obsolete file)

Patch v2
978 bytes, patch
smaug
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
Details | Diff | Splinter Review 
I mentioned the problem few times in review comments, yet we have now an sg:crit bug ;)
https://bugzilla.mozilla.org/show_bug.cgi?id=732052#c44
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
Keywords: sec-critical
Whiteboard: regression from 732052
Attached patch Patch (obsolete) — Splinter Review 
Assignee: nobody → wjohnston

        Attachment #660146 -
        Flags: review?(bugs)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v2Splinter Review
      

    


  
Whoops. Sorry about that :(

        Attachment #660146 -
        Attachment is obsolete: true

        Attachment #660146 -
        Flags: review?(bugs)

        Attachment #660147 -
        Flags: review?(bugs)

    
    

    
  
Comment on attachment 660147 [details] [diff] [review]
Patch v2

No need to assign nullptr.

        Attachment #660147 -
        Flags: review?(bugs) → review+

    
    

    
  
Comment on attachment 660147 [details] [diff] [review]
Patch v2

I assume we want to move this forward.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 732052
User impact if declined: Security risks if the presShell is destroyed by the touch event.
Testing completed (on m-c, etc.): landed on mc today (9/11/12)
Risk to taking this patch (and alternatives if risky): Low risk.
String or UUID changes made by this patch: None.

        Attachment #660147 -
        Flags: approval-mozilla-beta?

        Attachment #660147 -
        Flags: approval-mozilla-aurora?

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/89e726e160e5
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite-
Resolution: --- → FIXED
Target Milestone: --- → mozilla18

    
    

    
  
sec-critical regression in FF16 - approved for landing on branches.

          tracking-firefox16:
          ?+

          tracking-firefox17:
          ?+

          tracking-firefox18:
          ?+
Keywords: regression

    
  

        Attachment #660147 -
        Flags: approval-mozilla-beta?

        Attachment #660147 -
        Flags: approval-mozilla-beta+

        Attachment #660147 -
        Flags: approval-mozilla-aurora?

        Attachment #660147 -
        Flags: approval-mozilla-aurora+
Blocks: 732052
Group: core-security
Keywords: csec-uaf

          You need to log in
          before you can comment on or make changes to this bug.