Closed Bug 861473 Opened 11 years ago Closed 11 years ago

WebVTT Heap Buffer Overflow [mozilla::dom::Element::UnbindFromTree]

Categories

Product/Component: Core :: Audio/Video
Type: defect
Version: Other Branch
Platform: x86 / macOS
Priority: Not set
Severity: critical

Tracking


VERIFIED FIXED
Tracking Status
firefox21 --- unaffected
firefox22 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: rforbes, Assigned: rillian)


Attached file testcase
Using Peach I have found a potential heap buffer overflow. I have included the test case and the call stack.
Attached file callstack
Blocks: 833385
Keywords: regression
-> rillian for triage/investigation
Assignee: nobody → giles
Severity: normal → critical
I cannot reproduce with the current integration branch b17734d3759a20b2c2d290ae1344cb611f214017.

Raymond, what revision is this reported against?
Via IRC, rforbes reports testing revision 018ee907ad8eb48e44562c70d588cd6001143220.
I've run an ASan build of the above revision, plus some patches to resolve compilation problems with clang r176868. I get a use-after-free instead of the overflow, and a clean run with current integration HEAD. Either way it looks like this issue is resolved.

:rforbes, can you confirm, please?
Looks good to me. I will close the bug.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Thanks, Raymond!
Group: core-security → core-security-release
Group: core-security-release