Closed
Bug 842089
Opened 12 years ago
Closed 12 years ago
Crash with event listeners on mozCaptureStream()
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
VERIFIED
FIXED
mozilla22
Tracking | Status | |
---|---|---|
firefox19 | --- | unaffected |
firefox20 | --- | unaffected |
firefox21 | + | verified |
firefox22 | + | verified |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: jruderman, Assigned: roc)
References
Details
(4 keywords)
Attachments
(2 files)
224 bytes,
text/html
|
Details | |
1.02 KB,
patch
|
bzbarsky
:
review+
bajaj
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
For the last day or so, I've been getting lots of assertions/crashes involving mozCaptureStream() and event listeners. Here's one of them.
Comment 1•12 years ago
|
||
It might be related to bug 842079.
Comment 2•12 years ago
|
||
I don't understand this. mozCaptureStream returns nsIDOMMediaStream object, and that isn't
an EventTarget - as far as I see. Yet we try to handle it as an EventTarget?
Updated•12 years ago
|
Keywords: regressionwindow-wanted
Comment 3•12 years ago
|
||
> mozCaptureStream returns nsIDOMMediaStream object, and that isn't
> an EventTarget - as far as I see.
You may be looking in the wrong place (like mxr for mozilla-central). It doesn't seem to show the code after bug 837034 happened.
The WebIDL checked in for that bug has:
>+interface MediaStream : EventTarget {
but the C++ class has:
>+class DOMMediaStream : public nsIDOMMediaStream,
>+ public nsWrapperCache
which is very much not inheriting from EventTarget. So the EventTarget things end up on the proto chain, reinterpret_cast to EventTarget, call virtual methods, and we get this security bug.
Comment 4•12 years ago
|
||
Our MDC page for MediaStream doesn't seem to have any useful spec links, so I can't tell whether it's correct that this is an EventTarget or not. If it is, then it needs to actually do EventTarget bits...
Updated•12 years ago
|
tracking-firefox21:
--- → ?
Flags: needinfo?(rjesup)
Comment 5•12 years ago
|
||
Using the wrong vtable sounds bad, so marking sec-critical.
Assignee | ||
Comment 6•12 years ago
|
||
We don't implement any EventTarget stuff yet, so I guess we just need to remove EventTarget from MediaStream.webidl.
Comment 7•12 years ago
|
||
Or inherit from nsDOMEventTargetHelper get all the EventTarget bits working, yes. For 21, changing the WebIDL is probably safer.
Assignee | ||
Comment 8•12 years ago
|
||
It seems to me that this kind of mistake should cause a build failure.
Assignee | ||
Comment 9•12 years ago
|
||
Attachment #715004 -
Flags: review?(bzbarsky)
Comment 10•12 years ago
|
||
Comment on attachment 715004 [details] [diff] [review]
fix
r=me
> It seems to me that this kind of mistake should cause a build failure.
Yeah.
I might in fact be able to turn this into a build failure, and some related problems into runtime fatal asserts that will always trigger (we have some asserts along those lines, but they only trigger in certain limited cases which don't apply here). I'll poke at that on Tuesday.
Attachment #715004 -
Flags: review?(bzbarsky) → review+
Updated•12 years ago
|
Assignee: nobody → roc
OS: Mac OS X → All
Hardware: x86_64 → All
Comment 11•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #3)
> You may be looking in the wrong place (like mxr for mozilla-central). It
> doesn't seem to show the code after bug 837034 happened.
Uh, indeed. mxr hasn't still been updated...
Comment 12•12 years ago
|
||
> I might in fact be able to turn this into a build failure
Filed bug 842561.
Updated•12 years ago
|
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox22:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox22:
--- → +
Comment 14•12 years ago
|
||
Pushed http://hg.mozilla.org/integration/mozilla-inbound/rev/21d3ff83095f because otherwise bug 842561 was going to turn the tree red.
Comment 15•12 years ago
|
||
Comment on attachment 715004 [details] [diff] [review]
fix
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 837034
User impact if declined: Probably-exploitable crashes
Testing completed (on m-c, etc.): Passes tests
Risk to taking this patch (and alternatives if risky): Very very low risk
String or UUID changes made by this patch: None
Attachment #715004 -
Flags: review-
Attachment #715004 -
Flags: review+
Attachment #715004 -
Flags: approval-mozilla-aurora?
Updated•12 years ago
|
Flags: needinfo?(rjesup)
Comment 16•12 years ago
|
||
bz: did you mean to r- the patch you r+'d and also at the same time propose it for Aurora uplift?
Comment 17•12 years ago
|
||
Comment on attachment 715004 [details] [diff] [review]
fix
No, didn't mean to change the state of the "r". ;)
Attachment #715004 -
Flags: review- → review+
Reporter | ||
Comment 18•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
Target Milestone: --- → mozilla22
Updated•12 years ago
|
Attachment #715004 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 19•12 years ago
|
||
Comment 21•12 years ago
|
||
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #20)
> Flagging for verification in Firefox 21 and 22.
Kamil, can you please help us with verifying this bug?
Comment 22•12 years ago
|
||
Reproduced the issue using the following build (M-C):
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-02-22-03-11-33-mozilla-central/
Reproduced the issue using the following build (Aurora):
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-02-22-11-12-54-mozilla-aurora/
Once I reproduced the problems, went through the following builds to make sure the issue has been fixed:
Went through the attached testcase using the latest M-C build (Passed):
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-03-12-03-10-46-mozilla-central/
Went through the attached testcase using the latest Aurora build (Passed):
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-03-12-04-20-13-mozilla-aurora/
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Updated•12 years ago
|
Group: core-security
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•