Closed Bug 824643 Opened 12 years ago Closed 12 years ago

heap-use-after-free in nsTreeBodyFrame::UpdateScrollbars

Categories

(Core :: XUL, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla20
Tracking Status
firefox19 --- affected
firefox20 --- fixed
firefox21 --- fixed
firefox-esr17 --- wontfix
b2g18 --- wontfix

People

(Reporter: MatsPalmgren_bugz, Assigned: MatsPalmgren_bugz)

Details

(Keywords: csectype-framepoisoning, csectype-uaf, sec-other, Whiteboard: [adv-main20+])

Attachments

(1 file)

STR: load layout/xul/base/src/tree/src/409807-1.xul in an ASan build compiled with -DDEBUG_TRACEMALLOC_PRESARENA

  871 nsTreeBodyFrame::UpdateScrollbars(const ScrollParts& aParts)
  872 {
  873   nscoord rowHeightAsPixels = nsPresContext::AppUnitsToIntCSSPixels(mRowHeight);
  874 
  875   if (aParts.mVScrollbar) {
  876     nsAutoString curPos;
  877     curPos.AppendInt(mTopRowIndex*rowHeightAsPixels);
  878     aParts.mVScrollbarContent->
  879       SetAttr(kNameSpaceID_None, nsGkAtoms::curpos, curPos, true);
  880   }
  881 
  882   if (aParts.mHScrollbar) {
  883     nsAutoString curPos;
  884     curPos.AppendInt(mHorzPosition);
  885     aParts.mHScrollbarContent->
  886       SetAttr(kNameSpaceID_None, nsGkAtoms::curpos, curPos, true);
  887   }
  888 }

The SetAttr causes the frame to be destroyed, so we'll read some poisoned value for this->mHorzPosition on line 884. aParts.mHScrollbarContent is a strong ref. It looks harmless at first glance, but filing the bug as Security-Sensitive just in case.
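The hazard described in the report, as an added illustration that is not Gecko code and not the fix that landed for this bug: a frame method calls into content code (SetAttr) that can tear the frame down, so the hardened version snapshots every member it needs before that call and re-checks liveness through a weak-frame guard before touching `this` again. `WeakFrame`, `SetAttrFn`, `Result` and `RunScenario` are names invented for the example.

```cpp
// Added example, not Gecko code: the hazard from this bug in miniature. A frame
// method hands control to content code (SetAttr) that may tear the frame down, so
// it snapshots the members it needs first and re-checks liveness through a
// weak-frame guard before touching `this` again.
#include <algorithm>
#include <functional>
#include <vector>

struct Frame;
struct WeakFrame {              // cleared by the frame's destructor (nsWeakFrame idea)
    Frame* frame;
    explicit WeakFrame(Frame* f);
    ~WeakFrame();
    bool IsAlive() const { return frame != nullptr; }
};
struct Result { int vCurPos; int hCurPos; bool frameDestroyed; };
// Stands in for aParts.mXScrollbarContent->SetAttr(...): may delete the running frame.
using SetAttrFn = std::function<void(const char* attr, int value)>;

struct Frame {
    int mTopRowIndex = 3, mRowHeightPx = 16, mHorzPosition = 42;
    std::vector<WeakFrame*> weakRefs;
    ~Frame() { for (WeakFrame* w : weakRefs) w->frame = nullptr; }

    Result UpdateScrollbars(const SetAttrFn& setAttr) {
        const int vCurPos = mTopRowIndex * mRowHeightPx;  // snapshot members first;
        const int hCurPos = mHorzPosition;                // the bug read this one
        WeakFrame weak(this);                             // AFTER the first SetAttr
        setAttr("vcurpos", vCurPos);                      // may delete `this`
        if (!weak.IsAlive()) return {vCurPos, -1, true};  // no member access past here
        setAttr("hcurpos", hCurPos);
        return {vCurPos, hCurPos, !weak.IsAlive()};
    }
};

WeakFrame::WeakFrame(Frame* f) : frame(f) { f->weakRefs.push_back(this); }
WeakFrame::~WeakFrame() {  // unregister unless the frame is already gone
    if (frame) frame->weakRefs.erase(std::find(frame->weakRefs.begin(), frame->weakRefs.end(), this));
}

// Drives the scenario from the report: the v-scrollbar SetAttr destroys the frame.
Result RunScenario(bool destroyOnVScrollbar) {
    Frame* frame = new Frame;
    bool alive = true;
    SetAttrFn setAttr = [&](const char* attr, int) {   // constructed "content" hook
        if (destroyOnVScrollbar && attr[0] == 'v') { delete frame; alive = false; }
    };
    Result r = frame->UpdateScrollbars(setAttr);
    if (alive) delete frame;
    return r;
}
```

With the frame destroyed during the first SetAttr, the guarded version stops before the second write and never reads `mHorzPosition` from freed memory; the original code would have read it at line 884.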
Keywords: sec-audit
Target Milestone: --- → mozilla20
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
is this a frame-poisoned DoS or should we try to get this fix on older branches as well?
I believe it's frame-poisoned.
Whiteboard: [adv-main20+]
Group: core-security
