Closed Bug 841914 Opened 11 years ago Closed 11 years ago

"ASSERTION: Bad type!" with <applet>

Categories

(Core Graveyard :: Plug-ins, defect, P2)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86_64
macOS
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Assigned: gfritzsche)

References

Details

(Keywords: assertion, sec-moderate, testcase)

Attachments

(2 files)

testcase (takes about a minute)
488 bytes, text/html
Details
stack
2.62 KB, text/plain
Details 
###!!! ASSERTION: Bad type!: 'actor->Type() == Proxy', file dom/plugins/ipc/PluginScriptableObjectChild.cpp, line 63

I have the "Java Plugin" shim that comes with Mac OS X 10.8, but not Java.  So the plugin is just trying to draw a "Missing Java" thing, repeatedly.
Attached file stack 

    
    

    
  
Bug 840216 is another bug having to do with the "Java Plugin shim".
See Also:  → 840216

    
    

    
  
(In reply to Jesse Ruderman from comment #0)
> ###!!! ASSERTION: Bad type!: 'actor->Type() == Proxy', file
> dom/plugins/ipc/PluginScriptableObjectChild.cpp, line 63

This might have the same or a similar trigger as what we're seeing in bug 824069 - the PluginScriptableObjectChild being used was already deallocated, triggering a collection of weird behaviours around the ScriptableObjectChild.
Priority: -- → P2

    
  
Assignee: nobody → georg.fritzsche
Blocks: 823559

    
    

    
  
Georg, can you suggest a security rating for this?

    
    

    
  
(In reply to Al Billings [:abillings] from comment #4)
> Georg, can you suggest a security rating for this?

Going over the severity rating description in the wiki i'd think sec-low to sec-moderate:
Apparently a Java bug leading to a bad state in the plugin-container which should be rather hard to use in a controlled exploit.

But i am familiar with the security approaches here, so please take that with a grain of salt.

    
    

    
  
WFM.  (I let the testcase run for a few minutes, using a Tinderbox build built from 126563fd3ba1.)

In bug 841916 comment 13, Georg suggested that bug 831768 might have fixed this.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME

    
  
Depends on: 831768

    
  
Group: core-security → core-security-release
Group: core-security-release

    
  
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: