Closed Bug 861473 Opened 13 years ago Closed 12 years ago

WebVTT Heap Buffer Overflow [mozilla::dom::Element::UnbindFromTree]

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Version:
Other Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox21 --- unaffected
firefox22 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: rforbes, Assigned: rillian)

References

Details

(5 keywords)

Attachments

(2 files)

testcase
3.40 MB, application/zip
Details
callstack
8.61 KB, text/plain
Details
Attached file testcase
using peach i have found a potential heap buffer overflow. I have included the test case and the callstack.
Attached file callstack
Blocks: 833385
Keywords: regression
-> rillian for triage/investigation
Assignee: nobody → giles
Severity: normal → critical
I cannot reproduce with the current integration branch b17734d3759a20b2c2d290ae1344cb611f214017. Raymond, what revision is this reported against?
Via IRC, rforbes reports testing revision 018ee907ad8eb48e44562c70d588cd6001143220.
I've run an asan build the above revision, plus some patches to resolve compilation problems with clang r176868. I get a use-after-free instead of the overflow, and a clean run with current integration HEAD. Either way it looks like this issue is resolved. :rforbes, can you confirm, please?
looks good to me. i will close the bug.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Thanks, Raymond!
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: