Bug 826163 - (CVE-2013-1677) Out-of-bound read in gfxSkipCharsIterator::SetOffsets
Status: RESOLVED FIXED
Whiteboard: [asan][adv-main21+]
Keywords: crash, regression, rtl, sec-moderate, testcase
Product: Core
Classification: Components
Component: Layout: Text
Version: Trunk
Platform: x86_64 All
Importance: -- normal
Target Milestone: mozilla21
Assigned To: Simon Montagu :smontagu
Blocks: CVE-2013-1676 827192
Reported: 2013-01-02 22:35 PST by Abhishek Arya
Modified: 2013-11-26 17:40 PST (History)
Flags: smontagu: in-testsuite+
unaffected
+
wontfix
+
fixed
unaffected
unaffected


Attachments
Testcase (4.74 KB, text/html) - 2013-01-02 22:35 PST, Abhishek Arya - no flags
Reapply bug 722137 (1.58 KB, patch) - 2013-01-31 05:49 PST, Simon Montagu :smontagu - roc: review+, dveditz: sec-approval+
Testcase for checkin (after the bug is opened) (5.70 KB, patch) - 2013-01-31 05:49 PST, Simon Montagu :smontagu - no flags

Description Abhishek Arya 2013-01-02 22:35:36 PST
Created attachment 697345 [details]
Testcase

Reproduces on trunk.

>==20823== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2a4ada32cc at pc 0x7f2a7fc58c4c bp 0x7fff9bb19a10 sp 0x7fff9bb19a08
>READ of size 4 at 0x7f2a4ada32cc thread T0
>    #0 0x7f2a7fc58c4b in gfxSkipCharsIterator::SetOffsets(unsigned int, bool) src/gfx/thebes/gfxSkipChars.cpp:91
>    #1 0x7f2a71fedf14 in gfxSkipCharsIterator::SetOriginalOffset(int) src/../../../dist/include/gfxSkipChars.h:232
>    #2 0x7f2a728d57a8 in nsTextFrame::ReflowText(nsLineLayout&, int, nsRenderingContext*, bool, nsHTMLReflowMetrics&, unsigned int&) src/layout/generic/nsTextFrameThebes.cpp:7877
>    #3 0x7f2a726cfc69 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) src/layout/generic/nsLineLayout.cpp:847
>    #4 0x7f2a7269fc7d in nsInlineFrame::ReflowInlineFrame(nsPresContext*, nsHTMLReflowState const&, nsInlineFrame::InlineReflowState&, nsIFrame*, unsigned int&) src/layout/generic/nsInlineFrame.cpp:680
>    #5 0x7f2a7269cc36 in nsInlineFrame::ReflowFrames(nsPresContext*, nsHTMLReflowState const&, nsInlineFrame::InlineReflowState&, nsHTMLReflowMetrics&, unsigned int&) src/layout/generic/nsInlineFrame.cpp:543
>    #6 0x7f2a72699856 in nsInlineFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsInlineFrame.cpp:395
>    #7 0x7f2a726cf77d in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) src/layout/generic/nsLineLayout.cpp:840
>    #8 0x7f2a7238d9b2 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:3725
>    #9 0x7f2a72387fd6 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:3522
>    #10 0x7f2a7237abea in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3376
>    #11 0x7f2a72369ecb in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2483
>    #12 0x7f2a72350be8 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2000
>    #13 0x7f2a72343dd4 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1043
>    #14 0x7f2a723d2921 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:268
>    #15 0x7f2a72374ec6 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3101
>    #16 0x7f2a72369bea in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2480
>    #17 0x7f2a72350be8 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2000
>    #18 0x7f2a72343dd4 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1043
>    #19 0x7f2a724327cd in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:953
>    #20 0x7f2a725fd5a7 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsCanvasFrame.cpp:493
>    #21 0x7f2a724327cd in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:953
>    #22 0x7f2a72576746 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) src/layout/generic/nsGfxScrollFrame.cpp:433
>    #23 0x7f2a7257af47 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) src/layout/generic/nsGfxScrollFrame.cpp:533
>    #24 0x7f2a7257f397 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsGfxScrollFrame.cpp:774
>    #25 0x7f2a724327cd in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:953
>    #26 0x7f2a72971a8b in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsViewportFrame.cpp:202
>    #27 0x7f2a72090215 in PresShell::DoReflow(nsIFrame*, bool) src/layout/base/nsPresShell.cpp:7558
>    #28 0x7f2a720c0a6d in PresShell::ProcessReflowCommands(bool) src/layout/base/nsPresShell.cpp:7699
>    #29 0x7f2a720bf13d in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/nsPresShell.cpp:3907
>    #30 0x7f2a720bd4d3 in PresShell::FlushPendingNotifications(mozFlushType) src/layout/base/nsPresShell.cpp:3757
>    #31 0x7f2a71eb687f in nsDocumentViewer::LoadComplete(tag_nsresult) src/layout/base/nsDocumentViewer.cpp:990
>    #32 0x7f2a7a48bb7e in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) src/docshell/base/nsDocShell.cpp:6514
>    #33 0x7f2a7a48344b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) src/docshell/base/nsDocShell.cpp:6342
>    #34 0x7f2a7a4843cb in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) src/docshell/base/nsDocShell.cpp:6349
>    #35 0x7f2a7a59707f in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) src/uriloader/base/nsDocLoader.cpp:1305
>    #36 0x7f2a7a594632 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) src/uriloader/base/nsDocLoader.cpp:885
>    #37 0x7f2a7a58d8fe in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:775
>    #38 0x7f2a7a591f95 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) src/uriloader/base/nsDocLoader.cpp:659
>    #39 0x7f2a7a5937cb in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) src/uriloader/base/nsDocLoader.cpp:663
>    #40 0x7f2a6ff667c1 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) src/netwerk/base/src/nsLoadGroup.cpp:676
>    #41 0x7f2a73ae0290 in nsDocument::DoUnblockOnload() src/content/base/src/nsDocument.cpp:7361
>    #42 0x7f2a73adfe41 in nsDocument::UnblockOnload(bool) src/content/base/src/nsDocument.cpp:7303
>    #43 0x7f2a73a88cb3 in nsDocument::DispatchContentLoadedEvents() src/content/base/src/nsDocument.cpp:4280
>    #44 0x7f2a73b83272 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:367
>    #45 0x7f2a7f4d1c3f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
>    #46 0x7f2a7f146495 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:237
>    #47 0x7f2a7cb7cadc in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
>    #48 0x7f2a7f7c35f2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
>    #49 0x7f2a7f7c3429 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
>    #50 0x7f2a7f7c32fe in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #51 0x7f2a7bf6f317 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #52 0x7f2a7aa9b575 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
>    #53 0x7f2a6fce5284 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
>    #54 0x7f2a6fceae6a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #55 0x7f2a6fcedc30 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4088
>    #56 0x41dad6 in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
>    #57 0x41b2f0 in main src/browser/app/nsBrowserApp.cpp:279
>    #58 0x7f2a90abb76c in
>0x7f2a4ada32cc is located 0 bytes to the right of 204-byte region [0x7f2a4ada3200,0x7f2a4ada32cc)
>allocated by thread T0 here:
>    #0 0x40fbd2 in __interceptor_malloc
>    #1 0x7f2a91ad8604 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
>    #2 0x7f2a7fc567c8 in operator new[](unsigned long) src/../../dist/include/mozilla/mozalloc.h:212
>    #3 0x7f2a7fc567c8 in gfxSkipChars::BuildShortcuts() src/gfx/thebes/gfxSkipChars.cpp:25
>    #4 0x7f2a7fb582bf in gfxSkipChars::TakeFrom(gfxSkipChars*) src/gfx/thebes/gfxSkipChars.h:106
>    #5 0x7f2a7fb57af3 in gfxTextRun::gfxTextRun(gfxTextRunFactory::Parameters const*, unsigned int, gfxFontGroup*, unsigned int) src/gfx/thebes/gfxFont.cpp:4568
>    #6 0x7f2a7fb3a5db in gfxTextRun::Create(gfxTextRunFactory::Parameters const*, unsigned int, gfxFontGroup*, unsigned int) src/gfx/thebes/gfxFont.cpp:4551
>    #7 0x7f2a7fb3dc84 in gfxFontGroup::MakeTextRun(unsigned char const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) src/gfx/thebes/gfxFont.cpp:3592
>    #8 0x7f2a72840dab in gfxTextRun* MakeTextRun<unsigned char>(unsigned char const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int) src/layout/generic/nsTextFrameThebes.cpp:555
>    #9 0x7f2a72835bc5 in BuildTextRunsScanner::BuildTextRunForFrames(void*) src/layout/generic/nsTextFrameThebes.cpp:2052
>    #10 0x7f2a7282ab47 in BuildTextRunsScanner::FlushFrames(bool, bool) src/layout/generic/nsTextFrameThebes.cpp:1411
>    #11 0x7f2a7283a6fe in BuildTextRunsScanner::ScanFrame(nsIFrame*) src/layout/generic/nsTextFrameThebes.cpp:1603
>    #12 0x7f2a7283b145 in BuildTextRunsScanner::ScanFrame(nsIFrame*) src/layout/generic/nsTextFrameThebes.cpp:1643
>    #13 0x7f2a7284e807 in BuildTextRuns(gfxContext*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) src/layout/generic/nsTextFrameThebes.cpp:1314
>    #14 0x7f2a72849f2c in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) src/layout/generic/nsTextFrameThebes.cpp:2468
>    #15 0x7f2a728d4339 in nsTextFrame::ReflowText(nsLineLayout&, int, nsRenderingContext*, bool, nsHTMLReflowMetrics&, unsigned int&) src/layout/generic/nsTextFrameThebes.cpp:7816
>    #16 0x7f2a726cfc69 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) src/layout/generic/nsLineLayout.cpp:847
>    #17 0x7f2a7269fc7d in nsInlineFrame::ReflowInlineFrame(nsPresContext*, nsHTMLReflowState const&, nsInlineFrame::InlineReflowState&, nsIFrame*, unsigned int&) src/layout/generic/nsInlineFrame.cpp:680
>    #18 0x7f2a7269cc36 in nsInlineFrame::ReflowFrames(nsPresContext*, nsHTMLReflowState const&, nsInlineFrame::InlineReflowState&, nsHTMLReflowMetrics&, unsigned int&) src/layout/generic/nsInlineFrame.cpp:543
>    #19 0x7f2a72699856 in nsInlineFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsInlineFrame.cpp:395
>    #20 0x7f2a726cf77d in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) src/layout/generic/nsLineLayout.cpp:840
>    #21 0x7f2a7238d9b2 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:3725
>    #22 0x7f2a72387fd6 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:3522
>    #23 0x7f2a7237abea in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3376
>    #24 0x7f2a72369ecb in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2483
>    #25 0x7f2a72350be8 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2000
>    #26 0x7f2a72343dd4 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1043
>    #27 0x7f2a723d2921 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:268
>    #28 0x7f2a72374ec6 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3101
>    #29 0x7f2a72369bea in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2480
>    #30 0x7f2a72350be8 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2000
>Shadow bytes around the buggy address:
>  0x1fe5495b4600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fe5495b4610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fe5495b4620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fe5495b4630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fe5495b4640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>=>0x1fe5495b4650: 00 00 00 00 00 00 00 00 00[04]fb fb fb fb fb fb
>  0x1fe5495b4660: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  0x1fe5495b4670: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  0x1fe5495b4680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fe5495b4690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fe5495b46a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:     fa
>  Heap righ redzone:     fb
>  Freed Heap region:     fd
>  Stack left redzone:    f1
>  Stack mid redzone:     f2
>  Stack right redzone:   f3
>  Stack partial redzone: f4
>  Stack after return:    f5
>  Stack use after scope: f8
>  Global redzone:        f9
>  Global init order:     f6
>  Poisoned by user:      f7
>  ASan internal:         fe
>==20823== ABORTING
>
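An added triage helper, not part of this bug or of Gecko, that parses the key lines of an ASan report like the one above into the fields a security triager needs (error kind, faulting access, top access frame, distance past the region, and the first allocation frame outside the allocator). The `ALLOCATOR_PREFIXES` list and the element-index heuristic are assumptions of this example.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports like the one
above: faulting access, top access frame, distance past the region, allocator."""
import re

# Constructed sample: the report above, cut down to the lines that matter.
SAMPLE_REPORT = """\
==20823== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2a4ada32cc at pc 0x7f2a7fc58c4c bp 0x7fff9bb19a10 sp 0x7fff9bb19a08
READ of size 4 at 0x7f2a4ada32cc thread T0
    #0 0x7f2a7fc58c4b in gfxSkipCharsIterator::SetOffsets(unsigned int, bool) src/gfx/thebes/gfxSkipChars.cpp:91
    #1 0x7f2a71fedf14 in gfxSkipCharsIterator::SetOriginalOffset(int) src/../../../dist/include/gfxSkipChars.h:232
0x7f2a4ada32cc is located 0 bytes to the right of 204-byte region [0x7f2a4ada3200,0x7f2a4ada32cc)
allocated by thread T0 here:
    #0 0x40fbd2 in __interceptor_malloc
    #2 0x7f2a7fc567c8 in operator new[](unsigned long) src/../../dist/include/mozilla/mozalloc.h:212
    #3 0x7f2a7fc567c8 in gfxSkipChars::BuildShortcuts() src/gfx/thebes/gfxSkipChars.cpp:25
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.*?)(?: (\S+:\d+))?$")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right|inside) of (\d+)-byte region")
# Allocator-internal frames, not the code that owns the buffer (heuristic list assumed here).
ALLOCATOR_PREFIXES = ("__interceptor_", "__asan_", "moz_x", "operator new", "malloc", "calloc", "realloc")


def parse_asan_report(text):
    """Return a dict with the triage-relevant fields of one ASan report."""
    report = {"access_frames": [], "alloc_frames": []}
    frames = None  # the stack currently being read, if any
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            report["error"], report["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            report["access"], report["size"] = m.group(1), int(m.group(2))
            frames = report["access_frames"]  # frames that follow belong to the access
        elif m := REGION_RE.search(line):
            report["distance"], report["side"] = int(m.group(1)), m.group(2)
            report["region_size"] = int(m.group(3))
        elif "allocated by" in line or "freed by" in line:
            frames = report["alloc_frames"]  # frames that follow belong to the allocation
        elif (m := FRAME_RE.match(line)) and frames is not None:
            frames.append((m.group(1), m.group(2)))  # (function, file:line or None)
    return report


def allocation_site(report):
    """First allocation-stack frame that is not an allocator wrapper."""
    for func, loc in report["alloc_frames"]:
        if not func.startswith(ALLOCATOR_PREFIXES):
            return func, loc
    return None


def overrun_element(report):
    """Element index hit if the region is an array of `size`-byte elements (heuristic)."""
    size, region, distance = report["size"], report["region_size"], report["distance"]
    if report["side"] != "right" or region % size:
        return None
    return (region + distance) // size  # 51 for the report above: one past a 51-entry table
```

The element index is only a hint: a 4-byte read exactly at the end of a 204-byte region is consistent with an off-by-one on a 51-entry table, which is what the `aOffset <= mSkipChars->mCharCount` assertion in comment 2 is guarding.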
Comment 1 Daniel Veditz [:dveditz] 2013-01-09 10:48:09 PST
more fallout from
Comment 2 Simon Montagu :smontagu 2013-01-10 12:04:35 PST
Bisecting with mozilla-central-debug nightlies, the history seems to be a bit complicated. I start seeing an assertion
Invalid offset: 'aOffset <= mSkipChars->mCharCount', file ../../../gfx/thebes/gfxSkipChars.cpp, line 60
in the range http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=edd45de440ba&tochange=8a30e07815ff, which could be bug 818454.

The crash starts in the range http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d8ca3e1c469e&tochange=20d1a5916ef6, which could be bug 825871 or bug 825875.
Comment 3 Simon Montagu :smontagu 2013-01-10 12:11:55 PST
Jonathan, I think this is more likely your beat than mine.
Comment 4 Simon Montagu :smontagu 2013-01-30 07:59:08 PST
Taking back
Comment 5 Simon Montagu :smontagu 2013-01-31 05:49:27 PST
Created attachment 708543 [details] [diff] [review]
Reapply bug 722137

So I think we should fix this by reapplying the patch from bug 722137, and re-patch bug 818454 (see also comments in bug 827192).
Comment 6 Simon Montagu :smontagu 2013-01-31 05:49:57 PST
Created attachment 708544 [details] [diff] [review]
Testcase for checkin (after the bug is opened)
Comment 7 Simon Montagu :smontagu 2013-02-05 23:58:08 PST
Comment on attachment 708543 [details] [diff] [review]
Reapply bug 722137

[Security approval request comment]
How easily could an exploit be constructed based on the patch? Not at all, as far as I can see.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No

Which older supported branches are affected by this flaw? 20 (aurora)

If not all supported branches, which bug introduced the flaw? Bug 818454

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Yes

How likely is this patch to cause regressions; how much testing does it need? This area of code has been vulnerable to regressions before (bug 722137, bug 698335). Fuzzing has been effective in finding regressions.
Comment 8 Daniel Veditz [:dveditz] 2013-02-11 10:58:01 PST
Comment on attachment 708543 [details] [diff] [review]
Reapply bug 722137

sec-approval+
Comment 10 Ed Morley [:emorley] 2013-02-12 10:52:58 PST
https://hg.mozilla.org/mozilla-central/rev/5446bea9ddf6
Comment 11 Lukas Blakk [:lsblakk] use ?needinfo 2013-03-08 15:36:22 PST
This needs to be nominated for beta uplift (if low risk) prior to this coming Tuesday when we go to build on beta 5.
Comment 12 Robert Kaiser (not working on stability any more) 2013-03-12 13:31:18 PDT
This is marked tracking+ for 20, which is closing its doors soon. Simon, any plans on uplift?
Comment 13 Simon Montagu :smontagu 2013-03-12 13:46:43 PDT
I don't think this is low-risk enough for beta, especially since there is a knock-on effect: taking this will regress bug 818454, so we would need to take the latest patch from there as well.
Comment 15 Wes Kocher (:KWierso) 2013-11-26 17:40:25 PST
https://hg.mozilla.org/mozilla-central/rev/011b4926b2d5
