Closed Bug 1438165 Opened 7 years ago Closed 7 years ago

Incorrect display item arena allocations / deallocations

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla60

Tracking Flags:

Tracking

Status

firefox60

---

fixed

People

(Reporter: mikokm, Assigned: mikokm)

References

Details

Attachments

(1 file)

unique-displayitem-types.diff 7 years ago Miko Mynttinen (deleted), patch	mattwoodrow : review+	Details \| Diff \| Splinter Review

Miko Mynttinen

Assignee

Description

•

7 years ago

Memory management for different size display items that share a type is handled incorrectly.

Miko Mynttinen

Assignee

Updated

•

7 years ago

Group: mozilla-employee-confidential

Daniel Holbert [:dholbert]

Comment 1

•

7 years ago

[Pretty sure you meant to mark this as a "Security-Sensitive Layout Bug" rather than "Employee-Confidential". Both are hidden, but to different groups. --> Fixing.]

Group: mozilla-employee-confidential → layout-core-security

Miko Mynttinen

Assignee

Comment 2

•

7 years ago

Attached patch unique-displayitem-types.diff (deleted) — Details — Splinter Review

Attachment #8951272 - Flags: review?(matt.woodrow)

Miko Mynttinen

Assignee

Comment 3

•

7 years ago

(In reply to Daniel Holbert [:dholbert] from comment #1) > [Pretty sure you meant to mark this as a "Security-Sensitive Layout Bug" > rather than "Employee-Confidential". Both are hidden, but to different > groups. --> Fixing.] I was not completely sure about the security implications of this bug and marked it employee confidential just in case. After examining this further and discussing it with Matt, this is most likely not exploitable at the moment.

Daniel Veditz [:dveditz]

Updated

•

7 years ago

Group: layout-core-security

Matt Woodrow (:mattwoodrow)

Comment 4

•

7 years ago

Comment on attachment 8951272 [details] [diff] [review] unique-displayitem-types.diff Review of attachment 8951272 [details] [diff] [review]: ----------------------------------------------------------------- Please make the assertion in nsDisplayListBuilder::Allocate a MOZ_RELEASE_ASSERT too!

Attachment #8951272 - Flags: review?(matt.woodrow) → review+

Pulsebot

Comment 5

•

7 years ago

Pushed by mikokm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/7faf85adc898 Ensure that all display items have a unique type r=mattwoodrow

Eliza Balazs [:ebalazs_]

Comment 6

•

7 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/7faf85adc898

Status: ASSIGNED → RESOLVED

Closed: 7 years ago

status-firefox60: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla60

Jet Villegas (inactive)

Updated

•

6 years ago

Blocks: 1467514

Jet Villegas (inactive)

Updated

•

6 years ago

No longer blocks: 1467514

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Incorrect display item arena allocations / deallocations

Categories

(Core :: Web Painting, defect)

Tracking

()

People

(Reporter: mikokm, Assigned: mikokm)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Comment 6

Updated

Updated

Attachment

General

Description

File Name

Content Type