Closed Bug 969517 Opened 6 years ago Closed 6 years ago
Faulty/ASan: heap-use-after-free of a LayerComposite that was destroyed by ContainerLayer::RemoveChild
Found by Christoph Diehl's "Faulty" fuzzer, see bug 777067
Summary: Faulty/ASan: heap-use-after-free of a Layer, in ShadowLayerParent::ActorDestroy, that was destroyed by ContainerLayer::RemoveChild → Faulty/ASan: heap-use-after-free of a LayerComposite that was destroyed by ContainerLayer::RemoveChild
Updated the bug title to reflect the invariants between these two ASan sessions, which are likely the same bug.
Fixed by the landing of shadow layer updates validation fixes, bug 970747.
Assignee: nobody → bjacob
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
The bug exists in ESR24 as well, but this is only a security issue with e10s which is not enabled in ESR24, so I wouldn't bother about it. (In the same-process case, if the client here is compromised so it can send evil messages to the parent, then all is already lost, because the client and parent are the same process).
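The two comments above describe the shape of the fix (validation of shadow layer updates) and the trust model behind it (the content process is the untrusted side under e10s). As an added illustration that is not Gecko code and not the patch from bug 970747, here is a toy compositor-side layer tree in C++ that checks a client-supplied edit list against the tree it actually holds before mutating anything. The names (LayerTree, Op, applyTransaction) and the four-operation edit set are assumptions made for the example; the point it demonstrates is that a RemoveChild naming the wrong container, or a Destroy of a layer a container still references, is rejected as a whole transaction rather than leaving a dangling pointer behind.

```cpp
// Added illustration, not Gecko code: a compositor-side layer tree that
// checks every client-supplied edit against its own state before applying.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <vector>

struct Layer {
    uint32_t id;
    Layer* parent = nullptr;                       // back-pointer, never owning
    std::vector<std::shared_ptr<Layer>> children;  // owning references
    explicit Layer(uint32_t i) : id(i) {}
};

// Edit operations a (possibly hostile) content process may send. The IDs are
// chosen by the client, so nothing about them can be assumed consistent.
enum class OpKind { Create, AppendChild, RemoveChild, Destroy };
struct Op { OpKind kind; uint32_t a; uint32_t b; };  // b unused for Create/Destroy

class LayerTree {
public:
    // Applies the whole transaction or none of it. Returns false on any
    // inconsistency; a real compositor would then drop the sending process.
    bool applyTransaction(const std::vector<Op>& ops) {
        if (!validate(ops)) return false;
        for (const Op& op : ops) apply(op);
        return true;
    }
    bool has(uint32_t id) const { return table_.count(id) != 0; }
    size_t childCount(uint32_t id) const {
        auto it = table_.find(id);
        return it == table_.end() ? 0 : it->second->children.size();
    }

private:
    std::map<uint32_t, std::shared_ptr<Layer>> table_;  // actor-table stand-in

    // Dry run over a copy of the structural facts (child -> parent id, 0 = root)
    // so a transaction that goes wrong half-way never touches the real tree.
    bool validate(const std::vector<Op>& ops) const {
        std::map<uint32_t, uint32_t> parentOf;
        for (const auto& kv : table_)
            parentOf[kv.first] = kv.second->parent ? kv.second->parent->id : 0;
        for (const Op& op : ops) {
            switch (op.kind) {
            case OpKind::Create:
                if (op.a == 0 || parentOf.count(op.a)) return false;  // 0 reserved; no duplicates
                parentOf[op.a] = 0;
                break;
            case OpKind::AppendChild:
                if (!parentOf.count(op.a) || !parentOf.count(op.b)) return false;  // unknown id
                if (op.a == op.b || parentOf[op.b] != 0) return false;  // self-append / already attached
                for (uint32_t p = op.a; p != 0; p = parentOf[p])
                    if (p == op.b) return false;  // would create a cycle
                parentOf[op.b] = op.a;
                break;
            case OpKind::RemoveChild:
                if (!parentOf.count(op.a) || !parentOf.count(op.b)) return false;
                if (parentOf[op.b] != op.a) return false;  // b is not actually a child of a
                parentOf[op.b] = 0;
                break;
            case OpKind::Destroy:
                if (!parentOf.count(op.a) || parentOf[op.a] != 0) return false;  // must be detached
                for (const auto& kv : parentOf)
                    if (kv.second == op.a) return false;  // and must have no children left
                parentOf.erase(op.a);
                break;
            }
        }
        return true;
    }

    void apply(const Op& op) {
        switch (op.kind) {
        case OpKind::Create:
            table_[op.a] = std::make_shared<Layer>(op.a);
            break;
        case OpKind::AppendChild: {
            std::shared_ptr<Layer> c = table_[op.a], k = table_[op.b];
            c->children.push_back(k);
            k->parent = c.get();
            break;
        }
        case OpKind::RemoveChild: {
            std::shared_ptr<Layer> c = table_[op.a], k = table_[op.b];
            auto& v = c->children;
            v.erase(std::remove(v.begin(), v.end(), k), v.end());
            k->parent = nullptr;
            break;
        }
        case OpKind::Destroy:
            // Validation guarantees no container still holds a reference, so the
            // last owning reference goes away here and nothing is left dangling.
            table_.erase(op.a);
            break;
        }
    }
};
```

The dry run against a copy of the parent map is what makes rejection atomic: a transaction whose fifth op is malformed must not leave the first four applied, since the partially applied state is exactly where a stale back-pointer would come from. Whether rejecting a transaction should also terminate the sending process is a policy choice the toy leaves to the caller.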
Marking [qa-] for verification, lack of test case.
Marking [qa-] for desktop QA verification. FxOS QA may choose to verify at a later date.
Whiteboard: [adv-main30+] → [adv-main30+][qa-]
As far as I can tell, SeaMonkey 2.26 (Gecko 29) is not affected by this bug, hence unaffected.