Closed
Bug 861473
Opened 11 years ago
Closed 11 years ago
WebVTT Heap Buffer Overflow [mozilla::dom::Element::UnbindFromTree]
Categories
(Core :: Audio/Video, defect)
Tracking
Status: VERIFIED FIXED

Tracking | Status
---|---
firefox21 | unaffected
firefox22 | unaffected
firefox-esr17 | unaffected
b2g18 | unaffected
People
(Reporter: rforbes, Assigned: rillian)
References
Details
(5 keywords)
Attachments
(2 files)
Using Peach I have found a potential heap buffer overflow. I have included the test case and the call stack.
Comment 1 • 11 years ago (Reporter)
Updated • 11 years ago
status-b2g18: --- → unaffected
status-firefox21: --- → unaffected
status-firefox22: --- → unaffected
status-firefox-esr17: --- → unaffected
Keywords: sec-high
Updated • 11 years ago
Keywords: regression
Comment 2 • 11 years ago
-> rillian for triage/investigation
Assignee: nobody → giles
Severity: normal → critical
Comment 3 • 11 years ago (Assignee)
I cannot reproduce with the current integration branch b17734d3759a20b2c2d290ae1344cb611f214017. Raymond, what revision is this reported against?
Comment 4 • 11 years ago (Assignee)
Via IRC, rforbes reports testing revision 018ee907ad8eb48e44562c70d588cd6001143220.
Comment 5 • 11 years ago (Assignee)
I've run an ASan build of the above revision, plus some patches to resolve compilation problems with clang r176868. I get a use-after-free instead of the overflow, and a clean run with current integration HEAD. Either way it looks like this issue is resolved. :rforbes, can you confirm, please?
Comment 6 • 11 years ago (Reporter)
Looks good to me. I will close the bug.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated • 11 years ago (Reporter)
Status: RESOLVED → VERIFIED
Comment 7 • 11 years ago (Assignee)
Thanks, Raymond!
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release
Updated • 8 years ago
Keywords: csectype-bounds