Closed Bug 844403 Opened 9 years ago Closed 9 years ago

Heap-use-after-free in mozilla::image::VectorImage::CancelAllListeners

Categories: Core :: ImageLib, defect
Platform: x86_64 Windows 7
Type: defect
Priority: Not set
Severity: normal

Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla22
Tracking Status
firefox21 --- unaffected
firefox22 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People
Reporter: inferno, Assigned: seth

Details
5 keywords, Whiteboard: [adv-main22-]

Attachments
3 files, 1 obsolete file

Attached file Testcase
==18126== ERROR: AddressSanitizer: heap-use-after-free on address 0x6028002a14d0 at pc 0x7f8d08dd6022 bp 0x7fff595b6f30 sp 0x7fff595b6f28
READ of size 8 at 0x6028002a14d0 thread T0
    #0 0x7f8d08dd6021 in nsRefPtr<mozilla::image::SVGParseCompleteListener>::get() const /usr/local/google/home/aarya/firefox/src/../../dist/include/nsAutoPtr.h:1009
    #1 0x7f8d08dd1b49 in nsRefPtr<mozilla::image::SVGParseCompleteListener>::operator mozilla::image::SVGParseCompleteListener*() const /usr/local/google/home/aarya/firefox/src/../../dist/include/nsAutoPtr.h:1022
    #2 0x7f8d08dd199c in mozilla::image::VectorImage::CancelAllListeners() /usr/local/google/home/aarya/firefox/src/image/src/VectorImage.cpp:905
    #3 0x7f8d08dd26fd in mozilla::image::VectorImage::OnSVGDocumentLoaded() /usr/local/google/home/aarya/firefox/src/image/src/VectorImage.cpp:923
    #4 0x7f8d08dd4e3f in mozilla::image::SVGLoadEventListener::HandleEvent(nsIDOMEvent*) /usr/local/google/home/aarya/firefox/src/image/src/VectorImage.cpp:191
    #5 0x7f8d0bea3315 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, nsCxPusher*) /usr/local/google/home/aarya/firefox/src/content/events/src/nsEventListenerManager.cpp:923
    #6 0x7f8d0bea4b27 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) /usr/local/google/home/aarya/firefox/src/content/events/src/nsEventListenerManager.cpp:990
    #7 0x7f8d0c09705a in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) /usr/local/google/home/aarya/firefox/src/content/events/src/nsEventListenerManager.h:278
    #8 0x7f8d0c08620c in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) /usr/local/google/home/aarya/firefox/src/content/events/src/nsEventDispatcher.cpp:181
    #9 0x7f8d0c084473 in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) /usr/local/google/home/aarya/firefox/src/content/events/src/nsEventDispatcher.cpp:310
    #10 0x7f8d0c08c1a7 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) /usr/local/google/home/aarya/firefox/src/content/events/src/nsEventDispatcher.cpp:678
    #11 0x7f8d0c08e9f9 in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /usr/local/google/home/aarya/firefox/src/content/events/src/nsEventDispatcher.cpp:738
    #12 0x7f8d0b374a85 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /usr/local/google/home/aarya/firefox/src/content/base/src/nsINode.cpp:1100
    #13 0x7f8d0ae5ee30 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) /usr/local/google/home/aarya/firefox/src/content/base/src/nsContentUtils.cpp:3551
    #14 0x7f8d0ae5e104 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) /usr/local/google/home/aarya/firefox/src/content/base/src/nsContentUtils.cpp:3521
    #15 0x7f8d0c0808d2 in nsAsyncDOMEvent::Run() /usr/local/google/home/aarya/firefox/src/content/events/src/nsAsyncDOMEvent.cpp:40
    #16 0x7f8d17c85d6f in nsThread::ProcessNextEvent(bool, bool*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:627
    #17 0x7f8d178f7ad5 in NS_ProcessNextEvent_P(nsIThread*, bool) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
    #18 0x7f8d1421e00c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /usr/local/google/home/aarya/firefox/src/ipc/glue/MessagePump.cpp:82
    #19 0x7f8d17f7c562 in MessageLoop::RunInternal() /usr/local/google/home/aarya/firefox/src/ipc/chromium/src/base/message_loop.cc:215
    #20 0x7f8d17f7c399 in MessageLoop::RunHandler() /usr/local/google/home/aarya/firefox/src/ipc/chromium/src/base/message_loop.cc:208
    #21 0x7f8d17f7c26e in MessageLoop::Run() /usr/local/google/home/aarya/firefox/src/ipc/chromium/src/base/message_loop.cc:182
    #22 0x7f8d135dc6d7 in nsBaseAppShell::Run() /usr/local/google/home/aarya/firefox/src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #23 0x7f8d120d9f65 in nsAppStartup::Run() /usr/local/google/home/aarya/firefox/src/toolkit/components/startup/nsAppStartup.cpp:288
    #24 0x7f8d07262174 in XREMain::XRE_mainRun() /usr/local/google/home/aarya/firefox/src/toolkit/xre/nsAppRunner.cpp:3871
    #25 0x7f8d07267d5a in XREMain::XRE_main(int, char**, nsXREAppData const*) /usr/local/google/home/aarya/firefox/src/toolkit/xre/nsAppRunner.cpp:3938
    #26 0x7f8d0726ab30 in XRE_main /usr/local/google/home/aarya/firefox/src/toolkit/xre/nsAppRunner.cpp:4141
    #27 0x422994 in do_main(int, char**, nsIFile*) /usr/local/google/home/aarya/firefox/src/browser/app/nsBrowserApp.cpp:224
    #28 0x41f7c2 in main /usr/local/google/home/aarya/firefox/src/browser/app/nsBrowserApp.cpp:522
    #29 0x7f8d2aaea76c in
    #30 0x41eed4 in
0x6028002a14d0 is located 80 bytes inside of 128-byte region [0x6028002a1480,0x6028002a1500)
freed by thread T0 here:
    #0 0x413ae2 in __interceptor_free
    #1 0x7f8d28764499 in moz_free /usr/local/google/home/aarya/firefox/src/memory/mozalloc/mozalloc.cpp:48
    #2 0x7f8d08dc2090 in operator delete(void*) /usr/local/google/home/aarya/firefox/src/../../dist/include/mozilla/mozalloc.h:225
    #3 0x7f8d08dc2090 in mozilla::image::VectorImage::~VectorImage() /usr/local/google/home/aarya/firefox/src/image/src/VectorImage.cpp:304
    #4 0x7f8d08dc0ba5 in mozilla::image::VectorImage::Release() /usr/local/google/home/aarya/firefox/src/image/src/VectorImage.cpp:283
    #5 0x7f8d08e8a64f in nsRefPtr<mozilla::image::Image>::~nsRefPtr() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsAutoPtr.h:880
    #6 0x7f8d08e75839 in nsRefPtr<mozilla::image::Image>::~nsRefPtr() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsAutoPtr.h:878
    #7 0x7f8d08e75668 in imgRequest::~imgRequest() /usr/local/google/home/aarya/firefox/src/image/src/imgRequest.cpp:96
    #8 0x7f8d08e7501f in imgRequest::~imgRequest() /usr/local/google/home/aarya/firefox/src/image/src/imgRequest.cpp:89
    #9 0x7f8d08e732e5 in imgRequest::Release() /usr/local/google/home/aarya/firefox/src/image/src/imgRequest.cpp:69
    #10 0x7f8d08e6466f in nsRefPtr<imgRequest>::~nsRefPtr() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsAutoPtr.h:880
    #11 0x7f8d08dfd3e9 in nsRefPtr<imgRequest>::~nsRefPtr() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsAutoPtr.h:878
    #12 0x7f8d08eb1921 in RequestBehaviour::~RequestBehaviour() /usr/local/google/home/aarya/firefox/src/image/src/imgRequestProxy.cpp:43
    #13 0x7f8d08ea6799 in RequestBehaviour::~RequestBehaviour() /usr/local/google/home/aarya/firefox/src/image/src/imgRequestProxy.cpp:43
    #14 0x7f8d08ea68cf in RequestBehaviour::~RequestBehaviour() /usr/local/google/home/aarya/firefox/src/image/src/imgRequestProxy.cpp:43
    #15 0x7f8d08eb0dc0 in nsAutoPtr<ProxyBehaviour>::~nsAutoPtr() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsAutoPtr.h:77
    #16 0x7f8d08e92f59 in nsAutoPtr<ProxyBehaviour>::~nsAutoPtr() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsAutoPtr.h:76
    #17 0x7f8d08e927ee in imgRequestProxy::~imgRequestProxy() /usr/local/google/home/aarya/firefox/src/image/src/imgRequestProxy.cpp:149
    #18 0x7f8d08e9234f in imgRequestProxy::~imgRequestProxy() /usr/local/google/home/aarya/firefox/src/image/src/imgRequestProxy.cpp:123
    #19 0x7f8d08e8fad5 in imgRequestProxy::Release() /usr/local/google/home/aarya/firefox/src/image/src/imgRequestProxy.cpp:93
    #20 0x7f8d08eafc91 in nsRunnableMethodReceiver<imgRequestProxy, true>::Revoke() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:322
    #21 0x7f8d08eb0169 in nsRunnableMethodReceiver<imgRequestProxy, true>::~nsRunnableMethodReceiver() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:321
    #22 0x7f8d08eaff49 in nsRunnableMethodReceiver<imgRequestProxy, true>::~nsRunnableMethodReceiver() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:321
    #23 0x7f8d08eafe31 in nsRunnableMethodImpl<void (imgRequestProxy::*)(), true>::~nsRunnableMethodImpl() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:351
    #24 0x7f8d08eaf7d9 in nsRunnableMethodImpl<void (imgRequestProxy::*)(), true>::~nsRunnableMethodImpl() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:351
    #25 0x7f8d08eaf90f in nsRunnableMethodImpl<void (imgRequestProxy::*)(), true>::~nsRunnableMethodImpl() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:351
    #26 0x7f8d178f3d25 in nsRunnable::Release() /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:31
    #27 0x7f8d0722b13f in nsCOMPtr_base::~nsCOMPtr_base() /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:410
    #28 0x7f8d072ca67c in nsCOMPtr<nsIRunnable>::~nsCOMPtr() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsCOMPtr.h:449
    #29 0x7f8d072c5dd9 in nsCOMPtr<nsIRunnable>::~nsCOMPtr() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsCOMPtr.h:449
    #30 0x7f8d17c85e6f in nsThread::ProcessNextEvent(bool, bool*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:633
previously allocated by thread T0 here:
    #0 0x413bc2 in malloc
    #1 0x7f8d287645e4 in moz_xmalloc /usr/local/google/home/aarya/firefox/src/memory/mozalloc/mozalloc.cpp:54
    #2 0x7f8d08d0b32a in operator new(unsigned long) /usr/local/google/home/aarya/firefox/src/../../dist/include/mozilla/mozalloc.h:201
    #3 0x7f8d08d0b32a in mozilla::image::ImageFactory::CreateVectorImage(nsIRequest*, imgStatusTracker*, nsCString const&, nsIURI*, unsigned int, unsigned int) /usr/local/google/home/aarya/firefox/src/image/src/ImageFactory.cpp:189
    #4 0x7f8d08d09d8b in mozilla::image::ImageFactory::CreateImage(nsIRequest*, imgStatusTracker*, nsCString const&, nsIURI*, bool, unsigned int) /usr/local/google/home/aarya/firefox/src/image/src/ImageFactory.cpp:99
    #5 0x7f8d08e846de in imgRequest::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /usr/local/google/home/aarya/firefox/src/image/src/imgRequest.cpp:774
    #6 0x7f8d08e360a5 in ProxyListener::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /usr/local/google/home/aarya/firefox/src/image/src/imgLoader.cpp:2139
    #7 0x7f8d073dbc10 in nsBaseChannel::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsBaseChannel.cpp:764
    #8 0x7f8d073dc572 in non-virtual thunk to nsBaseChannel::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsBaseChannel.cpp:772
    #9 0x7f8d0748c408 in nsInputStreamPump::OnStateTransfer() /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsInputStreamPump.cpp:483
    #10 0x7f8d0748a4dd in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsInputStreamPump.cpp:372
    #11 0x7f8d0748db59 in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsInputStreamPump.cpp:398
    #12 0x7f8d17b67239 in nsInputStreamReadyEvent::Run() /usr/local/google/home/aarya/firefox/src/xpcom/io/nsStreamUtils.cpp:82
    #13 0x7f8d17c85d6f in nsThread::ProcessNextEvent(bool, bool*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:627
    #14 0x7f8d178f7ad5 in NS_ProcessNextEvent_P(nsIThread*, bool) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
    #15 0x7f8d1421e00c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /usr/local/google/home/aarya/firefox/src/ipc/glue/MessagePump.cpp:82
    #16 0x7f8d17f7c562 in MessageLoop::RunInternal() /usr/local/google/home/aarya/firefox/src/ipc/chromium/src/base/message_loop.cc:215
    #17 0x7f8d17f7c399 in MessageLoop::RunHandler() /usr/local/google/home/aarya/firefox/src/ipc/chromium/src/base/message_loop.cc:208
    #18 0x7f8d17f7c26e in MessageLoop::Run() /usr/local/google/home/aarya/firefox/src/ipc/chromium/src/base/message_loop.cc:182
    #19 0x7f8d135dc6d7 in nsBaseAppShell::Run() /usr/local/google/home/aarya/firefox/src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #20 0x7f8d120d9f65 in nsAppStartup::Run() /usr/local/google/home/aarya/firefox/src/toolkit/components/startup/nsAppStartup.cpp:288
    #21 0x7f8d07262174 in XREMain::XRE_mainRun() /usr/local/google/home/aarya/firefox/src/toolkit/xre/nsAppRunner.cpp:3871
    #22 0x7f8d07267d5a in XREMain::XRE_main(int, char**, nsXREAppData const*) /usr/local/google/home/aarya/firefox/src/toolkit/xre/nsAppRunner.cpp:3938
    #23 0x7f8d0726ab30 in XRE_main /usr/local/google/home/aarya/firefox/src/toolkit/xre/nsAppRunner.cpp:4141
    #24 0x422994 in do_main(int, char**, nsIFile*) /usr/local/google/home/aarya/firefox/src/browser/app/nsBrowserApp.cpp:224
    #25 0x41f7c2 in main /usr/local/google/home/aarya/firefox/src/browser/app/nsBrowserApp.cpp:522
    #26 0x7f8d2aaea76c in
Shadow bytes around the buggy address:
  0x1c0500054240: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c0500054250: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x1c0500054260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c0500054270: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c0500054280: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
=>0x1c0500054290: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x1c05000542a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c05000542b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x1c05000542c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c05000542d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c05000542e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==18126== ABORTING
Hmm, VectorImage* mImage; // Raw pointer to owner.
as a member variable. And mImage is never set to null...
And HandleEvent doesn't keep VectorImage alive.
Component: SVG → ImageLib
Blocks: 704059
Keywords: sec-critical
Looks like a regression from bug 704059.  Seth, do you have cycles to take this?

https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer should be helpful w/ making an ASAN build.
Testcase crashes without ASAN.
Taking a look right now.
The problem here is that VectorImage releases its listeners when it's destroyed
but doesn't cancel them. Normally they are always cancelled as part of the image
loading process but if the VectorImage is destroyed within just the wrong span
of time, this never happens, and the handlers end up getting invoked anyway. The
fix is to ensure that the handlers are always cancelled in VectorImage's
destructor if they haven't been cancelled before then.

Proposed patch attached.
Attachment #718172 - Flags: review?(dholbert)
Assignee: nobody → seth
Attachment #718172 - Flags: review?(dholbert) → review+
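The ownership problem smaug points at above (a raw back-pointer in the listener that is never nulled, and a handler that does not keep the image alive) and the fix seth describes (cancel the listeners from the destructor if they have not been cancelled yet), as an added example that is not code from this bug or from Mozilla. Owner, Listener and EventTarget stand in for VectorImage, SVGLoadEventListener and the SVG document's event target; Outcome, NormalLoad, DropOwnerBeforeLoad and the cancelInDtor toggle are names chosen for this example, and std::shared_ptr plays the role of nsRefPtr. The pre-fix variant deliberately stops short of dispatching the event once the owner is gone, because that dispatch is the use-after-free in the ASan report; it instead reports the dangling state the report describes.

```cpp
// Added example (not Mozilla code): a minimal model of the ownership in this
// bug. Owner, Listener and EventTarget stand in for VectorImage,
// SVGLoadEventListener and the SVG document's event target; the static flag
// Owner::cancelInDtor selects the pre-fix behaviour or the fix from comment 4.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

struct Owner; struct Listener;

// The target holds strong refs to its listeners, so a listener can outlive the
// object it points back to unless something removes it from the target.
struct EventTarget {
  std::vector<std::shared_ptr<Listener>> listeners;
  void Add(std::shared_ptr<Listener> l) { listeners.push_back(std::move(l)); }
  void Remove(const Listener* l) {
    auto same = [l](const std::shared_ptr<Listener>& p) { return p.get() == l; };
    listeners.erase(std::remove_if(listeners.begin(), listeners.end(), same),
                    listeners.end());
  }
  void Dispatch();
};

struct Listener {
  Owner* mOwner;        // raw back-pointer to the owner, as in the bug
  EventTarget* mTarget;
  Listener(Owner* o, EventTarget* t) : mOwner(o), mTarget(t) {}
  void Cancel();        // null the back-pointer, drop the target's strong ref
  void HandleEvent();   // forwards the event to mOwner->OnLoaded()
};

struct Owner {
  static int live;            // live-instance count: proves the owner is gone
  static bool cancelInDtor;   // false = pre-fix, true = the fix
  std::shared_ptr<Listener> mLoadListener;
  int loadedCalls = 0;

  explicit Owner(EventTarget& t) : mLoadListener(std::make_shared<Listener>(this, &t)) {
    ++live;
    t.Add(mLoadListener);
  }
  // Pre-fix the destructor only drops its reference; the target still holds
  // the listener and its mOwner now dangles. The fix cancels first.
  ~Owner() { if (cancelInDtor) CancelAllListeners(); --live; }
  void OnLoaded() { ++loadedCalls; CancelAllListeners(); }   // normal path
  void CancelAllListeners() {
    if (mLoadListener) { mLoadListener->Cancel(); mLoadListener = nullptr; }
  }
};
int Owner::live = 0;
bool Owner::cancelInDtor = false;

void Listener::Cancel() { mOwner = nullptr; mTarget->Remove(this); }  // may free this
void Listener::HandleEvent() { if (mOwner) mOwner->OnLoaded(); }
void EventTarget::Dispatch() {
  auto snapshot = listeners;  // listeners unregister themselves during dispatch
  for (auto& l : snapshot) l->HandleEvent();
}

struct Outcome {
  int ownersAlive;            // 0 once the Owner has been destroyed
  std::size_t listenersLeft;  // listeners the target still holds afterwards
  bool danglingBackPtr;       // a surviving listener still has a non-null mOwner
  int loadedCalls;            // OnLoaded() calls observed while the owner lived
};

// Normal path: the load event fires while the image is alive.
Outcome NormalLoad(bool withFix) {
  Owner::cancelInDtor = withFix;
  EventTarget target;
  int calls = 0;
  {
    Owner img(target);
    target.Dispatch();
    calls = img.loadedCalls;
  }
  return {Owner::live, target.listeners.size(), false, calls};
}

// The path from this bug: the image is released before the load event arrives.
Outcome DropOwnerBeforeLoad(bool withFix) {
  Owner::cancelInDtor = withFix;
  EventTarget target;
  { Owner img(target); }      // ~Owner runs here, before any event
  bool dangling = false;
  for (auto& l : target.listeners) dangling = dangling || l->mOwner != nullptr;
  // Pre-fix, target.Dispatch() here is the use-after-free from the ASan report
  // (HandleEvent -> OnLoaded -> CancelAllListeners on freed memory), so the
  // example only dispatches once the fix is on and the target is empty.
  if (withFix) target.Dispatch();
  return {Owner::live, target.listeners.size(), dangling, 0};
}

int main() {
  Outcome b = DropOwnerBeforeLoad(false), f = DropOwnerBeforeLoad(true);
  std::printf("pre-fix: listeners left=%zu, dangling=%d\n", b.listenersLeft, int(b.danglingBackPtr));
  std::printf("fixed:   listeners left=%zu, dangling=%d\n", f.listenersLeft, int(f.danglingBackPtr));
}
```

Run as-is it prints one line per variant: pre-fix, the target still holds one listener whose back-pointer is non-null after the owner has been destroyed; with the fix, the destructor's cancel leaves the target empty, so a late load event has nothing to call into. The design point is that Cancel() is the only place that breaks the strong reference the target holds, so every path on which the owner can die (here the destructor) has to reach it; releasing the owner's own reference is not enough.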
Duplicate of this bug: 844628
Flags: sec-bounty?
Can we get a test for this?
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
There will be one; I was under the impression that we should wait to land the test until after the fix had propagated out to users for a couple of days. I can go ahead and cook it up now, though.
Since this only ever affected Fx22, I don't think there's any issue with landing the test now. That said, might as well wait until this gets over to inbound and then just land it there.
Sounds good, Ryan. I'll get a test posted shortly.
(In reply to Ryan VanderMeulen [:RyanVM] from comment #12)
> Since this only ever affected Fx22, I don't think there's any issue with landing the test now.

As seth suggested, I think it's best to wait a few days before landing tests (i.e. publishing sample exploit code), to be sure we don't zero-day our nightly users.

This is particularly important when the fix lands on inbound & takes days to make it into a nightly, or (worse) ends up landing & being backed out for breaking something & then doesn't end up re-landing for a week -- in which case, we're kind of in trouble if we've already leaked exploitable test code.

In this case, it already landed on central & it seems unlikely that this will need a backout, so I'd feel comfortable landing the testcase tomorrow afternoon/evening assuming the fix has stuck.
In general, I don't think there's ever been much concern over possibly 0-daying nightly users. In fact, sec-approval is specifically not required for landing fixes that only affect trunk. I can also say from my own experiences that I routinely see tests land with s-s patches, so it's not that uncommon of a practice. But I say all that as a FWIW, ultimately it's your call :)
(sec-approval is a relatively new thing, and it's to make sure you don't zero-day people on other release trains, so it doesn't apply to trunk/nightly by definition)

There's less concern about zero-day'ing nightly users than release users, since they get updates so frequently and they're a relatively small population.  But when it's possible (as it is here), it's nice to err on the safe side and wait on landing the testcase.  (I know not everyone does wait, but I think it's a good best-practice to follow, especially in light of the you-might-get-backed-out scenario from comment 14.)
Here's a test for the fix, based on the test case in this bug, but simplified as much as possible.
Attachment #718220 - Flags: review?(dholbert)
Comment on attachment 718220
Add test for correct handling of early destruction of VectorImages.

># HG changeset patch
># User Seth Fowler <seth@mozilla.com>
># Date 1361850069 28800
># Node ID 8b4b41b8e94136bab5c25d31fc4484855cf9426e
># Parent  06935f2db2679c12ba434c01ddf1d0bab62439c2
>Bug 844403 - Add test for correct handling of early destruction of VectorImages. r=dholbert

extreme nit: this commit-message makes it sound like Bug 844403 is primarily about adding a test (when it's really about fixing an issue, and the test is a followup).

I'd suggest "Bug 844403 crashtest - [etc]" or "Bug 844403 followup - [etc]", or even just simply "Add crashtest for Bug 844403. r=dholbert"

>+++ b/image/test/crashtests/844403.html

I'd prefer "844403-1.html". (that's the convention that most of our reftests/crashtests follow)

(remember to update the manifest w/ that change, too)

r=me either way.
Attachment #718220 - Flags: review?(dholbert) → review+
Thanks for the review, Daniel. I'll upload a revised version of the patch shortly, and will push it in before leaving this evening if there are no issues with the fix.
Updated patch. Will push in later tonight.
Attachment #718220 - Attachment is obsolete: true
OK, the patch didn't get landed yesterday due to tree closure, but I just pushed it in.

https://hg.mozilla.org/integration/mozilla-inbound/rev/676545b9b071
Flags: in-testsuite? → in-testsuite+
Pretty sure we can open this up; it's trunk-only, and it's been fixed in nightlies for several days, so any affected users should've been updated to a patched nightly build by now.
Flags: in-testsuite+ → in-testsuite?
Did you change in-testsuite intentionally?
Flags: in-testsuite? → in-testsuite+
nope, that was an accident -- thanks for noticing it, & thanks for fixing it, mccr8!
(In reply to Daniel Holbert [:dholbert] from comment #22)
> Pretty sure we can open this up; it's trunk-only, and it's been fixed in
> nightlies for several days, so any affected users should've been updated to
> a patched nightly build by now.

I sanity-checked this w/ dveditz, and he says this is fine, w/ the caveat that we need to make sure there's an appropriate "sec-*" keyword-rating so that we don't lose track of the fact that this is/was a security bug.  (In this case, smaug already flagged this as sec-critical, so we're good on that front.)

--> Un-hiding.
Group: core-security
Flags: sec-bounty? → sec-bounty+
Whiteboard: [adv-main22-]