Bug 824641 - heap-use-after-free in nsCSSFrameConstructor::ProcessRestyledFrames
Opened 12 years ago, Closed 12 years ago
Categories: Core :: Layout, defect
Status: RESOLVED FIXED (Target Milestone: mozilla20)
People: Reporter: MatsPalmgren_bugz, Assigned: MatsPalmgren_bugz
Keywords: csectype-uaf, regression
Attachments (1 file): patch, 1.83 KB, roc: review+
STR: load layout/base/crashtests/460389-1.html in an ASan build compiled
with -DDEBUG_TRACEMALLOC_PRESARENA
The heap-use-after-free occurs when accessing frame->GetContent() on line
8115 in nsCSSFrameConstructor::ProcessRestyledFrames:
8115 if (frame && frame->GetContent() != content) {
8116 // XXXbz this is due to image maps messing with the primary frame of
8117 // <area>s. See bug 135040. Remove this block once that's fixed.
8118 frame = nullptr;
8119 if (!(hint & nsChangeHint_ReconstructFrame)) {
8120 continue;
8121 }
8122 }
8123
8124 // skip any frame that has been destroyed due to a ripple effect
8125 if (frame) {
8126 if (!propTable->Get(frame, ChangeListProperty()))
8127 continue;
8128 }
The block on line 8124 needs to come before any use of 'frame'.
I think it's harmless in normal builds since a destroyed frame is
retained in the pres shell arena, so we'll read a poison value which
is unlikely to be equal to 'content' and set 'frame' to null on line
8118, and falling through here with a null 'frame' should be safe.
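The check ordering described above, modelled as an added C++ example (not Gecko code): a destroyed frame stays in the arena with a poison value, and the change-list property table is the only record of which frames in the list are still alive. The Arena, Frame, Change and Process names, and the parent/child scenario, are assumptions made for the illustration.

```cpp
#include <cstdint>
#include <unordered_set>
#include <vector>

// Toy model (constructed for this example): a destroyed frame is not freed but
// left in the arena with poisoned fields; only the change-list table knows it is dead.
struct Content { int id; };
struct Frame { Content* content; bool destroyed = false; };

struct Arena {
  std::unordered_set<Frame*> changeList;  // stands in for ChangeListProperty()
  int destroyedReads = 0;                 // reads through a destroyed frame (what ASan flags)
  void Destroy(Frame* f) {
    f->destroyed = true;
    f->content = reinterpret_cast<Content*>(uintptr_t{0x5a5a5a5a});  // arena poison value
    changeList.erase(f);
  }
  Content* GetContent(Frame* f) {
    if (f->destroyed) ++destroyedReads;
    return f->content;
  }
};
// One restyle entry; reconstructing its frame also destroys the frames in
// 'ripple' (the "ripple effect" from the report).
struct Change { Frame* frame; Content* content; std::vector<Frame*> ripple; };

// checkDestroyedFirst=false reproduces the reported ordering (GetContent() before
// the change-list check); true is the ordering the report asks for.
static void Process(Arena& arena, const std::vector<Change>& list, bool checkDestroyedFirst) {
  for (const Change& c : list) {
    Frame* frame = c.frame;
    if (!frame) continue;
    if (checkDestroyedFirst && !arena.changeList.count(frame)) continue;
    if (arena.GetContent(frame) != c.content) continue;  // the use-after-free read
    if (!checkDestroyedFirst && !arena.changeList.count(frame)) continue;
    arena.Destroy(frame);
    for (Frame* f : c.ripple) arena.Destroy(f);
  }
}
// Parent and child are both restyled; reconstructing the parent destroys the child
// before the child's own entry is reached. Returns the number of destroyed-frame reads.
int DestroyedFrameReads(bool checkDestroyedFirst) {
  Content parentContent{1}, childContent{2};
  Frame parent{&parentContent}, child{&childContent};
  Arena arena;
  arena.changeList = {&parent, &child};
  std::vector<Change> list = {{&parent, &parentContent, {&child}}, {&child, &childContent, {}}};
  Process(arena, list, checkDestroyedFirst);
  return arena.destroyedReads;  // 1 with the reported ordering, 0 with the check first
}
```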
Comment 1 • 12 years ago (Assignee)
Attachment #695663 - Flags: review?(roc)
Comment 2 • 12 years ago (Assignee)
Comment 3 • 12 years ago (Assignee)
Looks like a regression from this cset:
http://hg.mozilla.org/mozilla-central/rev/328c67561b8b
Blocks: 437142
Keywords: regression
Attachment #695663 - Flags: review?(roc) → review+
Comment 4 • 12 years ago (Assignee)
Comment 5 • 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Updated • 8 years ago
Keywords: csectype-uaf