Closed
Bug 790856
Opened 9 years ago
Closed 9 years ago
Window resize accessed a dangling DocumentViewerImpl
Categories (Core :: DOM: Navigation, defect)
People (Reporter: jruderman, Assigned: smaug)
Details (Keywords: csectype-uaf, sec-critical, Whiteboard: [asan][advisory-tracking+][qa-])
Attachments (2 files)
11.87 KB, text/plain
1.02 KB, patch (bzbarsky: review+, akeybl: approval-mozilla-aurora+, akeybl: approval-mozilla-beta+, akeybl: approval-mozilla-release-, akeybl: approval-mozilla-esr10+)
I wasn't able to reproduce this. Can you figure it out from the stacks, and knowing that the fuzzer was opening and closing windows?
Comment 1•9 years ago (Assignee)
Probably.
Comment 2•9 years ago (Assignee)
if (mPreviousViewer) mPreviousViewer->SetBounds(aBounds); looks suspicious. We call set bounds on the previous viewer, and at least in theory that could end up doing stuff which sets mPreviousViewer null.
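The hazard comment 2 describes, as an added example that is neither the attached patch nor Gecko code: a resize hook clears mPreviousViewer while SetBounds is still running on it, and a local strong reference held across the call keeps the object alive. std::shared_ptr stands in for Gecko's reference counting, and Viewer, DocShell, onResize and gLiveViewers are hypothetical names.

```cpp
#include <functional>
#include <memory>

struct Bounds { int x, y, width, height; };

static int gLiveViewers = 0;  // constructed instrumentation: viewers currently alive

class Viewer {
public:
  std::function<void()> onResize;  // hypothetical hook: code that runs during a resize
  Viewer() { ++gLiveViewers; }
  ~Viewer() { --gLiveViewers; }

  // Returns true if this viewer is still alive after the re-entrant hook ran.
  // Only stack locals are used after cb(), so the check itself is safe.
  bool SetBounds(const Bounds&) {
    std::function<void()> cb = onResize;
    const int liveBefore = gLiveViewers;
    if (cb) cb();
    return gLiveViewers == liveBefore;
  }
};

class DocShell {  // hypothetical owner of mPreviousViewer
public:
  std::shared_ptr<Viewer> mPreviousViewer;

  // Pattern from comment 2: the member is the only strong reference for the call.
  bool SetBoundsUnguarded(const Bounds& aBounds) {
    return mPreviousViewer ? mPreviousViewer->SetBounds(aBounds) : true;
  }

  // Hardened: a local strong reference keeps the viewer alive until the call returns.
  bool SetBoundsGuarded(const Bounds& aBounds) {
    std::shared_ptr<Viewer> grip = mPreviousViewer;
    return grip ? grip->SetBounds(aBounds) : true;
  }
};

// Builds a shell whose resize hook drops the previous viewer, then resizes once.
bool ViewerSurvivesResize(bool guarded) {
  DocShell shell;
  shell.mPreviousViewer = std::make_shared<Viewer>();
  shell.mPreviousViewer->onResize = [&shell] { shell.mPreviousViewer.reset(); };
  const Bounds b{0, 0, 800, 600};
  return guarded ? shell.SetBoundsGuarded(b) : shell.SetBoundsUnguarded(b);
}
```

In the unguarded path the viewer is destroyed while its own method is still on the stack, so any member access after the hook returns would be a use-after-free.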
Comment 3•9 years ago (Assignee)
Jesse, want to try this? Though, if reproducing is hard, verifying the fix can be difficult.
Attachment #660748 - Flags: review?(bzbarsky)
Comment 5•9 years ago (Assignee)
If my patch fixes the problem, then everything after 2.0 or something.
Comment 6•9 years ago
Comment on attachment 660748: patch
r=me
Attachment #660748 - Flags: review?(bzbarsky) → review+
Comment 7•9 years ago (Assignee)
Comment on attachment 660748: patch
[Approval Request Comment]
User impact if declined: possible crash
Fix Landed on Version: NA
Risk to taking this patch (and alternatives if risky): Should be super-safe
String or UUID changes made by this patch: NA
[Approval Request Comment]
Regression caused by (bug #): Bug 290991
User impact if declined: Possible crashes
Testing completed (on m-c, etc.): NA
Attachment #660748 - Flags: approval-mozilla-release?
Attachment #660748 - Flags: approval-mozilla-esr10?
Attachment #660748 - Flags: approval-mozilla-beta?
Attachment #660748 - Flags: approval-mozilla-aurora?
Comment 8•9 years ago
Comment on attachment 660748: patch
[Triage Comment]
Approving for all unreleased branches given this is sec-critical.
Attachment #660748 - Flags: approval-mozilla-release? → approval-mozilla-release-
Attachment #660748 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Attachment #660748 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #660748 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•9 years ago
status-firefox-esr10: --- → affected
status-firefox15: --- → wontfix
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
Comment 9•9 years ago (Assignee)
Oh, did I accidentally ask a? for release. Wasn't going to.
Comment 11•9 years ago
(In reply to Olli Pettay [:smaug] from comment #3)
> Created attachment 660748
> patch
>
> Jesse, want to try this? Though, if reproducing is hard, verifying the
> fix can be difficult.
Tested your patch, it indeed fixes the crash.
Updated•9 years ago
tracking-firefox-esr10: --- → ?
tracking-firefox16: --- → +
tracking-firefox17: --- → +
tracking-firefox18: --- → +
Comment 12•9 years ago
(In reply to Olli Pettay [:smaug] from comment #9)
> Oh, did I accidentally ask a? for release. Wasn't going to.
Given the verification, please land asap on all branches. Thanks!
Comment 13•9 years ago (Assignee)
https://hg.mozilla.org/mozilla-central/rev/48c4938eaf57
https://hg.mozilla.org/releases/mozilla-aurora/rev/c039da3793f7
https://hg.mozilla.org/releases/mozilla-beta/rev/5013b57e5c40
https://hg.mozilla.org/releases/mozilla-esr10/rev/62ad5b34715d
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
Target Milestone: --- → mozilla18
Updated•9 years ago
Whiteboard: [asan] → [asan][advisory-tracking+]
Whiteboard: [asan][advisory-tracking+] → [asan][advisory-tracking+][qa-]
Updated•8 years ago
Group: core-security