Closed
Bug 792378
Opened 12 years ago
Closed 12 years ago
Read after free in nsPermissionManager::AddInternal
Categories
(Core :: Security, defect)
RESOLVED
DUPLICATE
of bug 787717
People
(Reporter: jseward, Unassigned)
References
Details
(Keywords: regression, sec-critical, Whiteboard: [sg:dupe 787717])
TEST_PATH=dom/browser-element/mochitest/test_browserElement_inproc_Alert.html

Invalid read of size 1
   at 0x6CE2402: nsPermissionManager::AddInternal(nsIPrincipal*, nsCString const&, unsigned int, long, unsigned int, long, nsPermissionManager::NotifyOperationType, nsPermissionManager::DBOperationType) (nsPermissionManager.cpp:743)
   by 0x6CE30F1: nsPermissionManager::RemoveFromPrincipal(nsIPrincipal*, char const*) (nsPermissionManager.cpp:810)
   by 0x700174F: NS_InvokeByIndex_P (xptcinvoke_x86_64_unix.cpp:164)
   by 0x6A8937A: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:3105)
   by 0x6A9026F: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1469)
   by 0x7542428: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:372)
   by 0x753C200: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2454)
   by 0x7541FCA: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:324)
   by 0x75425A0: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:378)
   by 0x7542B01: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:119)
   by 0x74C1B6D: JS_CallFunctionValue (jsapi.cpp:5906)
   by 0x657D2D4: nsFrameMessageManager::ReceiveMessage(nsISupports*, nsAString_internal const&, bool, mozilla::dom::StructuredCloneData const*, JSObject*, InfallibleTArray<nsString>*, JSContext*) (nsFrameMessageManager.cpp:567)
 Address 0x1f3b2e3c is 28 bytes inside a block of size 32 free'd
   at 0x402A7DE: free (vg_replace_malloc.c:446)
   by 0x6FB7801: PL_DHashTableRawRemove (pldhash.cpp:684)
   by 0x6CE26A9: nsPermissionManager::AddInternal(nsIPrincipal*, nsCString const&, unsigned int, long, unsigned int, long, nsPermissionManager::NotifyOperationType, nsPermissionManager::DBOperationType) (nsTHashtable.h:211)
   by 0x6CE30F1: nsPermissionManager::RemoveFromPrincipal(nsIPrincipal*, char const*) (nsPermissionManager.cpp:810)
   by 0x700174F: NS_InvokeByIndex_P (xptcinvoke_x86_64_unix.cpp:164)
   by 0x6A8937A: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:3105)
   by 0x6A9026F: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1469)
   by 0x7542428: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:372)
   by 0x753C200: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2454)
   by 0x7541FCA: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:324)
   by 0x75425A0: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:378)
   by 0x7542B01: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:119)
Comment 2•12 years ago
Assigned to Mounir to confirm the dupe.
Assignee: nobody → mounir
Keywords: sec-critical
Comment 3•12 years ago
Julian, now that bug 787717 is fixed, could you check if you still see this issue?
Comment 4•12 years ago
Julian, handing this to you for investigation regarding comment 3 :)
Assignee: mounir → jseward
Comment 5•12 years ago
Julian, can you confirm that this is fixed? Thanks.
Reporter
Comment 6•12 years ago
Yes, I think this is fixed. I can't repro it any more. Sorry to be slow.
Updated•12 years ago
Assignee: jseward → nobody
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated•12 years ago