Heap-use-after-free in nsINode::GetBoolFlag

RESOLVED FIXED in Firefox 20

Status


defect
RESOLVED FIXED
7 years ago
5 years ago

People

(Reporter: ax330d, Assigned: smontagu)

Tracking


20 Branch
mozilla20
x86_64
All
Bug Flags:
sec-bounty +
in-testsuite +

Firefox Tracking Flags

(firefox19 unaffected, firefox20 fixed, firefox-esr10 unaffected, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [asan][adv-main20-])

Attachments

(3 attachments)

Reporter

Description

7 years ago
ASan detected a heap-use-after-free while running the attached test case. One has to wait ~3 seconds until the crash.

Crashes on both Linux and Windows. ASan log for rev 3c3a8eed0578.
Reporter

Comment 1

7 years ago
Posted file ASan log
Reporter

Updated

7 years ago
Keywords: testcase
This feels like a dup.
It looks similar-ish to bug 815500.
Yeah, I was thinking that but couldn't find the right bug.
Assignee

Comment 5

7 years ago
Apparently not a dupe of bug 815500, nor bug 815276, since it still crashes in a build with the patches from those bugs.
Assignee: nobody → smontagu
Assignee

Comment 6

7 years ago
Posted patch Patch (Splinter Review)
When appending a new textnode to an element which already has its direction determined by some other textnode, we weren't removing the entry in nsTextNodeDirectionalityMap for the old textnode.
Attachment #686694 - Flags: review?(peterv)
Attachment #686694 - Attachment is patch: true
Component: Untriaged → Layout: Text
Product: Firefox → Core
Whiteboard: [asan]
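To make the mechanism in comment 6 concrete, here is a simplified model of that bug class, written as an added example for this page. It is not Gecko's code: the names (Document, Element, TextNode, appendText, setTextDir), the "latest appended text node takes over direction" rule, and the simulated free are all assumptions made for illustration. The point it shows is the same one the patch addresses: a text node keeps a reverse map of the elements whose direction it determines, and if that entry is not erased when another text node takes over, the map still points at the element after the element is gone, and the next propagation from the old text node touches freed memory.

```cpp
#include <memory>
#include <set>
#include <vector>

// Hypothetical, simplified model of the pattern in comment 6 (not Gecko's code).
enum class Dir { Unknown, LTR, RTL };

struct TextNode;

struct Element {
    Dir dir = Dir::Unknown;
    TextNode* determiner = nullptr;   // text node that currently sets this element's dir
};

struct TextNode {
    Dir dir;
    std::set<Element*> determines;    // reverse map: elements this node's direction drives
    explicit TextNode(Dir d) : dir(d) {}
};

class Document {
public:
    Element* createElement() {
        elements_.push_back(std::make_unique<Element>());
        Element* el = elements_.back().get();
        live_.insert(el);
        return el;
    }

    TextNode* createTextNode(Dir d) {
        texts_.push_back(std::make_unique<TextNode>(d));
        return texts_.back().get();
    }

    // Append `tn` under `el`. In this model the newly appended text node takes over
    // as the element's direction source (an assumed simplification of the real rule).
    // `fixed == false` reproduces the bug: the old text node keeps its entry for `el`.
    void appendText(Element* el, TextNode* tn, bool fixed) {
        if (fixed && el->determiner && el->determiner != tn) {
            // The fix: remove the stale reverse-map entry from the old text node.
            el->determiner->determines.erase(el);
        }
        el->determiner = tn;
        el->dir = tn->dir;
        tn->determines.insert(el);
    }

    // Simulated free: the element is marked dead instead of being deleted, so a
    // stale access below is counted rather than being undefined behaviour.
    void destroyElement(Element* el) { live_.erase(el); }

    // The text node's direction changed: propagate to every element it determines.
    // Returns how many dead elements were touched (ASan would abort on the first).
    int setTextDir(TextNode* tn, Dir d) {
        tn->dir = d;
        int stale = 0;
        for (Element* el : tn->determines) {
            if (!live_.count(el)) { ++stale; continue; }   // dangling entry
            el->dir = d;
        }
        return stale;
    }

private:
    std::vector<std::unique_ptr<Element>> elements_;
    std::vector<std::unique_ptr<TextNode>> texts_;
    std::set<Element*> live_;
};

// Scenario: two text nodes appended to one element, the element goes away,
// then the first text node changes. Returns the number of stale accesses.
int reproduce(bool fixed) {
    Document doc;
    Element* el = doc.createElement();
    TextNode* t1 = doc.createTextNode(Dir::RTL);
    TextNode* t2 = doc.createTextNode(Dir::LTR);
    doc.appendText(el, t1, fixed);
    doc.appendText(el, t2, fixed);   // t2 takes over; with the bug, t1 still maps el
    doc.destroyElement(el);          // element freed while t1's map still names it
    return doc.setTextDir(t1, Dir::LTR);
}

// Number of elements the first text node still claims to determine after the
// second append: 1 with the bug, 0 with the fix.
int staleEntriesAfterAppend(bool fixed) {
    Document doc;
    Element* el = doc.createElement();
    TextNode* t1 = doc.createTextNode(Dir::RTL);
    TextNode* t2 = doc.createTextNode(Dir::LTR);
    doc.appendText(el, t1, fixed);
    doc.appendText(el, t2, fixed);
    return static_cast<int>(t1->determines.size());
}
```

With `fixed == false`, `reproduce` reports one stale access, which is the moment ASan flags in the attached log; with the fix applied the old text node's map is empty and nothing dangling is touched. In a real engine the freed memory may be reused before the access, which is why such bugs tend to show up as crashes in unrelated accessors (here nsINode::GetBoolFlag) rather than at the point where the map entry was left behind.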
is this a Fx20 regression from bug 548206 like bug 815500 and bug 815477? Or is it an older pre-existing problem?
Assignee

Updated

7 years ago
Blocks: 819014
Assignee

Comment 9

7 years ago
(In reply to Daniel Veditz [:dveditz] from comment #8)
> is this a Fx20 regression from bug 548206 like bug 815500 and bug 815477?

Yes
Simon, is there someone else who could review this patch? I get the feeling Peter is swamped.
Attachment #686694 - Flags: review?(peterv) → review+
https://hg.mozilla.org/mozilla-central/rev/263bc2e3481f
https://hg.mozilla.org/mozilla-central/rev/25d2aefdca37
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Blocks: DirAuto
Keywords: regression
Flags: sec-bounty? → sec-bounty+
Duplicate of this bug: 819014
Marking unaffected for 19 & both ESRs as per comment 9.
Whiteboard: [asan] → [asan][adv-main20+]
Whiteboard: [asan][adv-main20+] → [asan][adv-main20-]
Group: core-security