Bug 816253 - Heap-use-after-free in nsINode::GetBoolFlag
Status: Closed (opened 13 years ago, closed 13 years ago)
Categories: Core :: Layout: Text and Fonts, defect
Tracking: RESOLVED FIXED, target milestone mozilla20
Branch | Tracking | Status
---|---|---
firefox19 | --- | unaffected
firefox20 | --- | fixed
firefox-esr10 | --- | unaffected
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People: Reporter: ax330d, Assigned: smontagu
Details: 5 keywords, Whiteboard: [asan][adv-main20-]
Attachments: 3 files
Description
ASan detected a heap-use-after-free while running the attached test case. One has to wait ~3 seconds until the crash.
Crashes on both Linux and Windows. ASan log is for rev 3c3a8eed0578.
Comment 1 (Reporter)•13 years ago
Comment 2•13 years ago
This feels like a dup.
Comment 3•13 years ago
It looks similar-ish to bug 815500.
Comment 4•13 years ago
Yeah, I was thinking that but couldn't find the right bug.
Comment 5 (Assignee)•13 years ago
Apparently not a dupe of bug 815500, nor bug 815276, since it still crashes in a build with the patches from those bugs.
Assignee: nobody → smontagu
Updated•13 years ago
Flags: sec-bounty?
Comment 6 (Assignee)•13 years ago
When appending a new textnode to an element which already has its direction determined by some other textnode, we weren't removing the entry in nsTextNodeDirectionalityMap for the old textnode.
Attachment #686694 - Flags: review?(peterv)
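The ownership mistake described in comment 6, as an added example that is not Mozilla's code: a simplified C++ model in which each text node keeps back-references to the elements whose direction it currently determines, in the spirit of nsTextNodeDirectionalityMap but far smaller. The names (TextNode, Element, dependents, SetDirectionSourceBuggy/Fixed, StaleEntryRemains) are assumptions for this illustration. The buggy setter lets a new text node take over as the direction source but leaves the element registered with the old node, so the old node keeps a raw pointer that dangles once the element is destroyed and is touched by any later walk of its dependents. The fixed setter erases the element from the previous source before registering it with the new one.

```cpp
// Added example (not Mozilla's code): a simplified model of the stale
// back-reference described in comment 6. Names are assumptions.
#include <cstdio>
#include <set>
#include <string>

struct Element;

// A text node records the elements whose directionality it currently
// determines (modelled loosely on nsTextNodeDirectionalityMap).
// The set holds raw, non-owning pointers.
struct TextNode {
    std::string text;
    std::set<Element*> dependents;
};

// An element remembers which text node currently decides its direction.
struct Element {
    TextNode* dirSource = nullptr;
};

// Buggy version: the new node becomes the source, but the element is
// left behind in the old node's dependents set. After the element is
// freed, that entry dangles and a later walk of oldNode->dependents
// (e.g. when the old node's text changes) reads freed memory.
void SetDirectionSourceBuggy(Element* el, TextNode* newNode) {
    el->dirSource = newNode;
    newNode->dependents.insert(el);
}

// Fixed version: unregister from the previous source first, so no
// back-reference outlives the relationship it describes.
void SetDirectionSourceFixed(Element* el, TextNode* newNode) {
    if (el->dirSource) {
        el->dirSource->dependents.erase(el);
    }
    el->dirSource = newNode;
    newNode->dependents.insert(el);
}

// Invariant a reviewer would want: every element registered with a node
// must still name that node as its source.
bool BackReferencesConsistent(const TextNode& node) {
    for (const Element* el : node.dependents) {
        if (el->dirSource != &node) {
            return false;
        }
    }
    return true;
}

// Drive the scenario from the bug: an element takes its direction from
// oldNode, then a second text node is appended and takes over.
// Returns true if oldNode still references the element afterwards.
bool StaleEntryRemains(void (*setSource)(Element*, TextNode*)) {
    TextNode oldNode{"\xD7\x90", {}};   // constructed input: one Hebrew letter
    TextNode newNode{"abc", {}};        // constructed input: Latin text
    Element el;

    setSource(&el, &oldNode);
    setSource(&el, &newNode);

    // Checked while el is still alive; with the buggy setter the entry
    // would dangle as soon as el were destroyed.
    return oldNode.dependents.count(&el) != 0 || !BackReferencesConsistent(oldNode);
}

bool StaleEntryRemainsBuggy() { return StaleEntryRemains(SetDirectionSourceBuggy); }
bool StaleEntryRemainsFixed() { return StaleEntryRemains(SetDirectionSourceFixed); }

int main() {
    std::printf("buggy setter leaves stale entry: %s\n",
                StaleEntryRemainsBuggy() ? "yes" : "no");
    std::printf("fixed setter leaves stale entry: %s\n",
                StaleEntryRemainsFixed() ? "yes" : "no");
    return 0;
}
```

The consistency check is the useful takeaway for code that keeps raw back-pointers: whenever an element changes or loses its source, the old source must forget it in the same step, and a debug assertion over the map catches the mismatch long before ASan has to.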
Comment 7 (Assignee)•13 years ago
Updated•13 years ago
Attachment #686694 - Attachment is patch: true
Updated•13 years ago
Component: Untriaged → Layout: Text
Keywords: csec-uaf, sec-critical
Product: Firefox → Core
Whiteboard: [asan]
Comment 8•13 years ago
Is this a Fx20 regression from bug 548206 like bug 815500 and bug 815477? Or is it an older pre-existing problem?
Comment 9 (Assignee)•13 years ago
(In reply to Daniel Veditz [:dveditz] from comment #8)
> is this a Fx20 regression from bug 548206 like bug 815500 and bug 815477?
Yes
Comment 10•13 years ago
Simon, is there someone else who could review this patch? I get the feeling Peter is swamped.
Updated•13 years ago
Attachment #686694 - Flags: review?(peterv) → review+
Comment 11 (Assignee)•13 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/263bc2e3481f
https://hg.mozilla.org/integration/mozilla-inbound/rev/25d2aefdca37
Flags: in-testsuite+
Comment 12•13 years ago
https://hg.mozilla.org/mozilla-central/rev/263bc2e3481f
https://hg.mozilla.org/mozilla-central/rev/25d2aefdca37
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox20: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Updated•13 years ago
Blocks: DirAuto
Keywords: regression
Updated•13 years ago
Flags: sec-bounty? → sec-bounty+
Comment 15•13 years ago
Marking unaffected for 19 & both ESRs as per comment 9.
status-firefox-esr10: --- → unaffected
status-firefox19: --- → unaffected
status-firefox-esr17: --- → unaffected
Updated•13 years ago
status-b2g18: --- → unaffected
Updated•13 years ago
Whiteboard: [asan] → [asan][adv-main20+]
Updated•13 years ago
Whiteboard: [asan][adv-main20+] → [asan][adv-main20-]
Updated•12 years ago
Group: core-security
Updated•1 year ago
Keywords: reporter-external