Closed
Bug 855174
Opened 11 years ago
Closed 11 years ago
WebVTT use-after-free crash [@mozilla::dom::FragmentOrElement::Release]
Categories
(Core :: Audio/Video, defect)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox21 | --- | unaffected |
| firefox22 | --- | unaffected |
| firefox23 | --- | unaffected |
| firefox24 | --- | disabled |
| firefox25 | --- | disabled |
| firefox26 | --- | disabled |
| firefox27 | --- | disabled |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: posidron, Assigned: rillian)
References
Details
(5 keywords)
Attachments
(2 files)
To reproduce reload the testcase a multiple times (10-30 times) and then let the video play.
alloc: parser/html/nsHtml5TreeOperation.cpp:341
nsCOMPtr<nsINodeInfo> nodeInfo = aBuilder->GetNodeInfoManager()->
GetNodeInfo(name, nullptr, ns, nsIDOMNode::ELEMENT_NODE);
[...]
MOZALLOC_EXPORT_NEW MOZALLOC_INLINE
void* operator new(size_t size) MOZALLOC_THROW_BAD_ALLOC
{
return moz_xmalloc(size);
}
free: content/html/content/src/HTMLTrackElement.cpp:82
HTMLTrackElement::~HTMLTrackElement()
{
}
[...]
void
nsNodeInfo::LastRelease()
{
nsRefPtr<nsNodeInfoManager> kungFuDeathGrip = mOwnerManager;
delete this;
}
re-use: content/base/src/FragmentOrElement.cpp:1716
NS_IMPL_CYCLE_COLLECTING_RELEASE_WITH_DESTROY(FragmentOrElement,
nsNodeUtils::LastRelease(this))
[...]
uint16_t NodeType() const
{
return mInner.mNodeType;
}
Tested with https://github.com/RickEyre/mozilla-central/commit/2e700035398ca49a90338c1f676892af1ebee0c6
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Updated•11 years ago
|
Keywords: sec-critical
|
||
Comment 2•11 years ago
|
||
Ralph can you take this one? Is this only affecting trunk (FF 22)?
|
Assignee | |
Comment 3•11 years ago
|
||
Sure. This bug is against the integration branch at https://github.com/RickEyre/mozilla-central.git. The code in question hasn't landed yet. See bug 833385.
|
|
Reporter | |
Updated•11 years ago
|
Blocks: fuzzing-webvtt
|
||
Comment 4•11 years ago
|
||
I'll mark Fx23 "affected" assuming you'll land bug 833385 in this cycle.
Blocks: 833385
status-b2g18:
--- → unaffected
status-firefox21:
--- → unaffected
status-firefox23:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox22:
+ → ---
tracking-firefox23:
--- → +
Keywords: regression
|
||
Comment 6•11 years ago
|
||
It looks like the relevant code has landed in 24. Ralph, was this fixed when it landed? Or is it still disabled on trunk?
|
||
Updated•11 years ago
|
|
||
Comment 8•11 years ago
|
||
Given the pref is disabled by default on nightly, not tracking at this time.We should verify if the bug exists on version this will be enabled and renominate it if unfixed by then. Also removing the tracking here for Fx23 given it is unaffected.
tracking-firefox23:
+ → ---
tracking-firefox24:
? → ---
|
|
||
Comment 9•11 years ago
|
||
Ralph please update 25 status if you turn this on (bug 887978).
status-firefox25:
--- → disabled
|
|
Assignee | |
Comment 10•11 years ago
|
||
Thanks.
|
||
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
|
|
||
Updated•11 years ago
|
status-firefox26:
--- → disabled
|
||
Updated•11 years ago
|
status-firefox27:
--- → disabled
|
|
Reporter | |
Comment 11•11 years ago
|
||
This is not reproducible anymore. Tested with https://hg.mozilla.org/integration/mozilla-inbound/rev/e56e8fbacb7c
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
Resolution: FIXED → WORKSFORME
|
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•