"ASSERTION: Bad type!" with <applet>

RESOLVED WORKSFORME

Status

Product: Core
Component: Plug-ins
Priority: P2
Severity: critical
Opened: 5 years ago
Updated: 26 days ago

People

(Reporter: Jesse Ruderman, Assigned: gfritzsche)

Tracking

(Blocks: 1 bug, {assertion, sec-moderate, testcase})

Version: Trunk
Hardware: x86_64
OS: Mac OS X
Keywords: assertion, sec-moderate, testcase

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 714594: testcase (takes about a minute)

###!!! ASSERTION: Bad type!: 'actor->Type() == Proxy', file dom/plugins/ipc/PluginScriptableObjectChild.cpp, line 63

I have the "Java Plugin" shim that comes with Mac OS X 10.8, but not Java.  So the plugin is just trying to draw a "Missing Java" thing, repeatedly.
(Reporter)

Comment 1

5 years ago
Created attachment 714595: stack
Bug 840216 is another bug having to do with the "Java Plugin shim".
See Also: → bug 840216
(Assignee)

Comment 3

5 years ago
(In reply to Jesse Ruderman from comment #0)
> ###!!! ASSERTION: Bad type!: 'actor->Type() == Proxy', file
> dom/plugins/ipc/PluginScriptableObjectChild.cpp, line 63

This might have the same or a similar trigger as what we're seeing in bug 824069 - the PluginScriptableObjectChild being used was already deallocated, triggering a collection of weird behaviours around the ScriptableObjectChild.
Priority: -- → P2
(Assignee)

Updated

5 years ago
Assignee: nobody → georg.fritzsche
Blocks: 823559
Georg, can you suggest a security rating for this?
(Assignee)

Comment 5

5 years ago
(In reply to Al Billings [:abillings] from comment #4)
> Georg, can you suggest a security rating for this?

Going over the severity rating description in the wiki, I'd think sec-low to sec-moderate:
Apparently a Java bug leading to a bad state in the plugin-container which should be rather hard to use in a controlled exploit.

But I am familiar with the security approaches here, so please take that with a grain of salt.
Keywords: sec-moderate
(Reporter)

Comment 6

5 years ago
WFM.  (I let the testcase run for a few minutes, using a Tinderbox build built from 126563fd3ba1.)

In bug 841916 comment 13, Georg suggested that bug 831768 might have fixed this.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME
(Assignee)

Updated

5 years ago
Depends on: 831768

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release