Bug 792378 (Closed) - opened 12 years ago, closed 12 years ago

Read after free in nsPermissionManager::AddInternal

Product/Component: Core :: Security
Type: defect
Platform: x86_64 Linux
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 787717
Reporter: jseward
Assignee: Unassigned
Keywords: regression, sec-critical
Whiteboard: [sg:dupe 787717]

TEST_PATH=dom/browser-element/mochitest/test_browserElement_inproc_Alert.html

Invalid read of size 1
   at 0x6CE2402: nsPermissionManager::AddInternal(nsIPrincipal*, nsCString const&, unsigned int, long, unsigned int, long, nsPermissionManager::NotifyOperationType, nsPermissionManager::DBOperationType) (nsPermissionManager.cpp:743)
   by 0x6CE30F1: nsPermissionManager::RemoveFromPrincipal(nsIPrincipal*, char const*) (nsPermissionManager.cpp:810)
   by 0x700174F: NS_InvokeByIndex_P (xptcinvoke_x86_64_unix.cpp:164)
   by 0x6A8937A: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:3105)
   by 0x6A9026F: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1469)
   by 0x7542428: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:372)
   by 0x753C200: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2454)
   by 0x7541FCA: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:324)
   by 0x75425A0: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:378)
   by 0x7542B01: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:119)
   by 0x74C1B6D: JS_CallFunctionValue (jsapi.cpp:5906)
   by 0x657D2D4: nsFrameMessageManager::ReceiveMessage(nsISupports*, nsAString_internal const&, bool, mozilla::dom::StructuredCloneData const*, JSObject*, InfallibleTArray<nsString>*, JSContext*) (nsFrameMessageManager.cpp:567)

 Address 0x1f3b2e3c is 28 bytes inside a block of size 32 free'd
   at 0x402A7DE: free (vg_replace_malloc.c:446)
   by 0x6FB7801: PL_DHashTableRawRemove (pldhash.cpp:684)
   by 0x6CE26A9: nsPermissionManager::AddInternal(nsIPrincipal*, nsCString const&, unsigned int, long, unsigned int, long, nsPermissionManager::NotifyOperationType, nsPermissionManager::DBOperationType) (nsTHashtable.h:211)
   by 0x6CE30F1: nsPermissionManager::RemoveFromPrincipal(nsIPrincipal*, char const*) (nsPermissionManager.cpp:810)
   by 0x700174F: NS_InvokeByIndex_P (xptcinvoke_x86_64_unix.cpp:164)
   by 0x6A8937A: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:3105)
   by 0x6A9026F: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1469)
   by 0x7542428: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:372)
   by 0x753C200: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2454)
   by 0x7541FCA: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:324)
   by 0x75425A0: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:378)
   by 0x7542B01: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:119)
Likely a duplicate of bug 787717.
Depends on: 787717
Assigned to Mounir to confirm the dupe.
Assignee: nobody → mounir
Keywords: sec-critical
Julian, now that bug 787717 is fixed, could you check if you still see this issue?
Julian, handing this to you for investigation regarding comment 3 :)
Assignee: mounir → jseward
Julian, can you confirm that this is fixed?  Thanks.
Yes, I think this is fixed.  I can't repro it any more.  Sorry to be slow.
Assignee: jseward → nobody
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security
Keywords: regression
Whiteboard: [sg:dupe 787717]