Closed Bug 824643 Opened 7 years ago Closed 7 years ago

heap-use-after-free in nsTreeBodyFrame::UpdateScrollbars

Categories: Core :: XUL, defect
Priority: Not set
Status: RESOLVED FIXED
Target Milestone: mozilla20
Tracking Status:
  firefox19 --- affected
  firefox20 --- fixed
  firefox21 --- fixed
  firefox-esr17 --- wontfix
  b2g18 --- wontfix
People: Reporter: mats, Assigned: mats
Keywords: csectype-framepoisoning, csectype-uaf, sec-other
Whiteboard: [adv-main20+]
Attachments: 1 file

STR: load layout/xul/base/src/tree/src/409807-1.xul in an ASan build compiled
with -DDEBUG_TRACEMALLOC_PRESARENA

   871  nsTreeBodyFrame::UpdateScrollbars(const ScrollParts& aParts)
   872  {
   873    nscoord rowHeightAsPixels = nsPresContext::AppUnitsToIntCSSPixels(mRowHeight);
   874  
   875    if (aParts.mVScrollbar) {
   876      nsAutoString curPos;
   877      curPos.AppendInt(mTopRowIndex*rowHeightAsPixels);
   878      aParts.mVScrollbarContent->
   879        SetAttr(kNameSpaceID_None, nsGkAtoms::curpos, curPos, true);
   880    }
   881  
   882    if (aParts.mHScrollbar) {
   883      nsAutoString curPos;
   884      curPos.AppendInt(mHorzPosition);
   885      aParts.mHScrollbarContent->
   886        SetAttr(kNameSpaceID_None, nsGkAtoms::curpos, curPos, true);
   887    }
   888  }

The SetAttr causes the frame to be destroyed, so we'll read some poisoned
value for this->mHorzPosition on line 884.  aParts.mHScrollbarContent
is a strong ref.  It looks harmless at first glance, but filing the
bug as Security-Sensitive just in case.
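The bug pattern above, as an added illustration that is not code from the bug or from the fix in the linked changeset: a member function makes a synchronous call-out (SetAttr with aNotify=true) that can destroy the frame the function is running on, then reads a member through the stale this pointer. The model below is self-contained and deliberately keeps the frame object mapped, overwriting its members with a poison pattern on "destruction" the way the pres-shell arena does under frame poisoning, so the stale read is observable instead of undefined behaviour. TreeBodyFrame, WeakFrame, ScrollbarContent, the row height and the listener that destroys the frame are all constructed stand-ins for the Gecko types; the hardened version (snapshot members before any call-out, use a weak-frame check before touching this again) is one way to close the hole and is not a claim about what the actual fix did.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// Poison pattern written over a destroyed frame. This models what the pres-shell
// arena does under frame poisoning: the storage stays mapped but every word is
// overwritten, so a stale read returns garbage rather than faulting immediately.
constexpr int32_t kPoison = static_cast<int32_t>(0xDEADBEEF);
constexpr int32_t kRowHeightPx = 16;  // assumed row height in CSS pixels

struct WeakFrame;

// Stand-in for nsTreeBodyFrame: only the two members UpdateScrollbars reads.
struct TreeBodyFrame {
  int32_t mTopRowIndex = 3;
  int32_t mHorzPosition = 42;
  bool mDestroyed = false;
  std::vector<WeakFrame*> mWeakRefs;
  void Destroy();
};

// Stand-in for nsWeakFrame: cleared by the frame when it is destroyed, so code
// that has made a call-out can ask whether |this| still exists.
struct WeakFrame {
  TreeBodyFrame* mFrame;
  explicit WeakFrame(TreeBodyFrame* f) : mFrame(f) { f->mWeakRefs.push_back(this); }
  ~WeakFrame() {
    if (mFrame) {
      auto& refs = mFrame->mWeakRefs;
      refs.erase(std::remove(refs.begin(), refs.end(), this), refs.end());
    }
  }
  WeakFrame(const WeakFrame&) = delete;
  WeakFrame& operator=(const WeakFrame&) = delete;
  bool IsAlive() const { return mFrame != nullptr; }
};

void TreeBodyFrame::Destroy() {
  for (WeakFrame* w : mWeakRefs) w->mFrame = nullptr;
  mWeakRefs.clear();
  mTopRowIndex = kPoison;  // arena poisoning: members overwritten, storage kept mapped
  mHorzPosition = kPoison;
  mDestroyed = true;
}

// Stand-in for the scrollbar content node (held by a strong ref in ScrollParts).
// SetAttr with notify=true runs attribute-change listeners synchronously; in the
// browser that can reframe the tree and destroy the tree body frame.
struct ScrollbarContent {
  std::string curpos;
  std::function<void()> onAttrChanged;
  void SetAttr(const std::string& value, bool notify) {
    curpos = value;
    if (notify && onAttrChanged) onAttrChanged();
  }
};

// Mirrors the buggy UpdateScrollbars: after the first SetAttr the frame may be
// gone, and the second branch still dereferences |self| to read mHorzPosition.
int32_t UpdateScrollbarsUnsafe(TreeBodyFrame* self, ScrollbarContent& v, ScrollbarContent& h) {
  v.SetAttr(std::to_string(self->mTopRowIndex * kRowHeightPx), true);
  int32_t horz = self->mHorzPosition;  // stale read if the listener destroyed the frame
  h.SetAttr(std::to_string(horz), true);
  return horz;
}

// Hardened version: snapshot every member before any call-out, and never touch
// |self| again unless the weak frame says it is still alive.
int32_t UpdateScrollbarsSafe(TreeBodyFrame* self, ScrollbarContent& v, ScrollbarContent& h) {
  WeakFrame weak(self);
  const int32_t topRow = self->mTopRowIndex;
  const int32_t horz = self->mHorzPosition;
  v.SetAttr(std::to_string(topRow * kRowHeightPx), true);
  // The content nodes are strongly held, so writing them is fine; only the frame
  // may have died.
  h.SetAttr(std::to_string(horz), true);
  if (!weak.IsAlive()) return horz;  // frame destroyed: no further work on |self|
  // any post-update bookkeeping that touches the frame would go here
  return horz;
}

struct Outcome {
  int32_t horzWritten;   // value that ended up in the horizontal scrollbar's curpos
  bool frameDestroyed;
};

// Constructed scenario: the vertical scrollbar's listener destroys the tree body
// frame, as a reframe triggered by the attribute change would.
Outcome Run(bool hardened, bool listenerDestroysFrame) {
  TreeBodyFrame frame;
  ScrollbarContent vscroll, hscroll;
  if (listenerDestroysFrame) vscroll.onAttrChanged = [&frame] { frame.Destroy(); };
  if (hardened) UpdateScrollbarsSafe(&frame, vscroll, hscroll);
  else UpdateScrollbarsUnsafe(&frame, vscroll, hscroll);
  return {std::stoi(hscroll.curpos), frame.mDestroyed};
}

int main() {
  Outcome bad = Run(false, true), good = Run(true, true);
  std::printf("unsafe wrote %d (poison=%d), safe wrote %d\n",
              bad.horzWritten, kPoison, good.horzWritten);
  return 0;
}
```

Run(false, true) shows the bug: the horizontal scrollbar receives the poison value because mHorzPosition was read after the frame died. Run(true, true) writes the correct 42 and still notices, via the weak frame, that the frame is gone, which is the check to make before doing anything else with this after a notifying SetAttr.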
http://hg.mozilla.org/mozilla-central/rev/4ab11d8ed73b
Target Milestone: --- → mozilla20
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
is this a frame-poisoned DoS or should we try to get this fix on older branches as well?
Whiteboard: [adv-main20+]
Group: core-security