Bug 824643 - heap-use-after-free in nsTreeBodyFrame::UpdateScrollbars
Status: Closed (RESOLVED FIXED)
Opened 12 years ago; closed 12 years ago
Categories: Core :: XUL, defect
Tracking: Target Milestone mozilla20
People: Reporter: MatsPalmgren_bugz, Assigned: MatsPalmgren_bugz
Keywords: csectype-framepoisoning, csectype-uaf, sec-other; Whiteboard: [adv-main20+]
Attachments (1 file): patch, 1.28 KB, roc: review+
STR: load layout/xul/base/src/tree/src/409807-1.xul in an ASan build compiled
with -DDEBUG_TRACEMALLOC_PRESARENA
871 nsTreeBodyFrame::UpdateScrollbars(const ScrollParts& aParts)
872 {
873   nscoord rowHeightAsPixels = nsPresContext::AppUnitsToIntCSSPixels(mRowHeight);
874
875   if (aParts.mVScrollbar) {
876     nsAutoString curPos;
877     curPos.AppendInt(mTopRowIndex*rowHeightAsPixels);
878     aParts.mVScrollbarContent->
879       SetAttr(kNameSpaceID_None, nsGkAtoms::curpos, curPos, true);
880   }
881
882   if (aParts.mHScrollbar) {
883     nsAutoString curPos;
884     curPos.AppendInt(mHorzPosition);
885     aParts.mHScrollbarContent->
886       SetAttr(kNameSpaceID_None, nsGkAtoms::curpos, curPos, true);
887   }
888 }
The SetAttr causes the frame to be destroyed, so we'll read some poisoned
value for this->mHorzPosition on line 884. aParts.mHScrollbarContent
is a strong ref. It looks harmless at first glance, but filing the
bug as Security-Sensitive just in case.
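As an added illustration (this is not Gecko code and not the attached patch, which is not reproduced on this page), the C++ below models the pattern the description lays out: a member of `this` is read only after a re-entrant SetAttr has already run observers, and when one of those observers tears the frame down the read lands on a poisoned arena slot. Next to it is one hardened form: snapshot every member before the first re-entrant call and check an nsWeakFrame-style guard afterwards. Frame, FrameArena, WeakFrame, Content, ScrollParts, Scenario, the row/position values and the 0xbb poison byte are all constructed stand-ins chosen for this example, not Gecko's.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <functional>
#include <new>
#include <string>
#include <vector>

// Constructed model of the bug's shape; none of these types are Gecko's.
struct Frame { int32_t mTopRowIndex; int32_t mHorzPosition; };

// One-slot arena. Destroy() fills the slot with a poison byte, so a stale read
// returns a recognizable value instead of whatever reused heap memory holds.
constexpr unsigned char kPoisonByte = 0xbb;  // constructed pattern, not Gecko's
struct FrameArena {
  alignas(Frame) unsigned char slot[sizeof(Frame)];
  Frame* live = nullptr;
  std::vector<bool*> weakFlags;  // liveness flags of outstanding WeakFrames
  Frame* Create(int32_t top, int32_t horz) { return live = new (slot) Frame{top, horz}; }
  void Destroy() {
    if (!live) return;
    for (bool* f : weakFlags) *f = false;  // every WeakFrame now reports dead
    weakFlags.clear();
    live = nullptr;
    std::memset(slot, kPoisonByte, sizeof slot);
  }
};

// Analogue of nsWeakFrame: the arena flips mAlive to false when the frame dies.
class WeakFrame {
 public:
  WeakFrame(FrameArena& a, Frame* f) : mArena(a), mAlive(f != nullptr) {
    if (mAlive) a.weakFlags.push_back(&mAlive);
  }
  ~WeakFrame() {  // deregister so the arena never holds a dangling flag pointer
    auto& v = mArena.weakFlags;
    v.erase(std::remove(v.begin(), v.end(), &mAlive), v.end());
  }
  bool IsAlive() const { return mAlive; }
 private:
  FrameArena& mArena;
  bool mAlive;
};

// Stand-in for nsIContent: SetAttr notifies an observer, and in the real bug
// that notification path is what tears down the tree frame.
struct Content {
  std::string curpos;
  std::function<void()> onAttrChanged;
  void SetAttr(const std::string& v) { curpos = v; if (onAttrChanged) onAttrChanged(); }
};
struct ScrollParts { Content* mVScrollbarContent; Content* mHScrollbarContent; };

// Same ordering as the original: mHorzPosition is read only after the first
// SetAttr has already run observers. Returns the value written into curpos.
int32_t UpdateScrollbarsUnsafe(Frame* self, const ScrollParts& aParts, int32_t rowHeight) {
  if (aParts.mVScrollbarContent)
    aParts.mVScrollbarContent->SetAttr(std::to_string(self->mTopRowIndex * rowHeight));
  if (!aParts.mHScrollbarContent) return 0;
  int32_t horz = self->mHorzPosition;  // stale read if the frame is already gone
  aParts.mHScrollbarContent->SetAttr(std::to_string(horz));
  return horz;
}

// Hardened form: snapshot members before any re-entrant call and stop as soon
// as the WeakFrame reports the frame dead. Returns true only if the whole
// update ran against a live frame; *outHorz is written only in that case.
bool UpdateScrollbarsSafe(FrameArena& arena, Frame* self, const ScrollParts& aParts,
                          int32_t rowHeight, int32_t* outHorz) {
  const int32_t topPx = self->mTopRowIndex * rowHeight;
  const int32_t horz = self->mHorzPosition;
  WeakFrame weak(arena, self);
  if (aParts.mVScrollbarContent) {
    aParts.mVScrollbarContent->SetAttr(std::to_string(topPx));
    if (!weak.IsAlive()) return false;
  }
  if (aParts.mHScrollbarContent) {
    aParts.mHScrollbarContent->SetAttr(std::to_string(horz));
    if (!weak.IsAlive()) return false;
  }
  if (outHorz) *outHorz = horz;
  return true;
}

// Constructed scenario: frame at row 3, horizontal position 42; optionally the
// vertical scrollbar's attribute change destroys the frame (as in the STR).
struct Scenario {
  FrameArena arena;
  Content vbar, hbar;
  Frame* frame = arena.Create(3, 42);
  ScrollParts parts{&vbar, &hbar};
  explicit Scenario(bool destroy) { if (destroy) vbar.onAttrChanged = [this] { arena.Destroy(); }; }
};
// Unsafe path on a destroyed frame: yields the poison pattern, not 42.
int32_t RunUnsafeScenario() { Scenario s(true); return UpdateScrollbarsUnsafe(s.frame, s.parts, 16); }
// Safe path: returns the horizontal position it wrote, or -1 if it bailed out.
int32_t RunSafeScenario(bool destroy) {
  Scenario s(destroy);
  int32_t h = 0;
  return UpdateScrollbarsSafe(s.arena, s.frame, s.parts, 16, &h) ? h : -1;
}
```

Call `RunUnsafeScenario()` and `RunSafeScenario(true)` / `RunSafeScenario(false)` from a `main()` to see the difference: the unsafe path hands SetAttr the poison value 0xbbbbbbbb read from the dead frame, while the safe path writes 42 on a live frame and returns -1 without touching `this` again once the guard reports the frame gone. The point of poisoning, as in the bug's keywords, is that the stale read becomes a deterministic garbage value rather than a read of whatever later reused the memory.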
Comment 1 (Assignee)•12 years ago
Attachment #695668 - Flags: review?(roc)
Attachment #695668 - Flags: review?(roc) → review+

Comment 2 (Assignee)•12 years ago

Comment 3 (Assignee)•12 years ago
status-firefox20: --- → fixed
Target Milestone: --- → mozilla20

Updated (Assignee)•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED

Comment 4•12 years ago
Is this a frame-poisoned DoS, or should we try to get this fix on older branches as well?
status-b2g18: --- → affected
status-firefox19: --- → affected
status-firefox21: --- → fixed
status-firefox-esr17: --- → affected
I believe it's frame-poisoned.
Updated•12 years ago
Updated•12 years ago
Updated•12 years ago
Whiteboard: [adv-main20+]

Updated•10 years ago
Group: core-security

Updated•8 years ago
Keywords: csectype-uaf