Closed
Bug 588929
(CVE-2010-3180)
Opened 14 years ago
Closed 14 years ago
Use after free - nsBarProp
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
People
(Reporter: serg.glazunov, Assigned: smaug)
References
Details
(Whiteboard: [sg:critical?])
Attachments
(4 files)
|
(deleted),
text/html
|
Details | |
|
(deleted),
patch
|
jst
:
review+
mrbkap
:
superreview+
|
Details | Diff | Splinter Review |
|
(deleted),
patch
|
dveditz
:
approval1.9.2.11+
|
Details | Diff | Splinter Review |
|
(deleted),
patch
|
dveditz
:
approval1.9.1.14+
|
Details | Diff | Splinter Review |
Reproduced on 4.0b5pre and 3.6.8.
The repro contains this:
w = open(1, 1, 1);
o = w.locationbar;
w.close();
s = '';
setInterval('s += o.visible', 50);
http://crash-stats.mozilla.com/report/index/1b83dc24-cdb7-4435-838d-643822100819
|
Reporter | |
Comment 1•14 years ago
|
||
|
Assignee | |
Updated•14 years ago
|
Assignee: nobody → Olli.Pettay
|
||
Comment 2•14 years ago
|
||
this signature shows up in the wild around 10-25 times a day as well. mostly with people on http://www.hulu.com/watch and a few video sites. I mostly see this on 3.6.x releases where active daily user are 1 million+ http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=nsBarProp%3A%3AGetVisibleByFlag&date=08%2F19%2F2010%2013%3A43%3A59&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsBarProp%3A%3AGetVisibleByFlag%28int*%2C%20unsigned%20int%29
|
||
Updated•14 years ago
|
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Whiteboard: [sg:critical]
|
|
Assignee | |
Comment 3•14 years ago
|
||
Just FYI, this is a "regression" from <tbogard@aol.net> 2000-02-08 05:38.
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
blocking2.0: ? → ---
|
|
Assignee | |
Updated•14 years ago
|
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
|
||
Updated•14 years ago
|
status1.9.1:
--- → wanted
status1.9.2:
--- → wanted
|
|
Assignee | |
Comment 4•14 years ago
|
||
This is the simplest fix I could think of. And better to make those nsBarProp methods not throw.
Attachment #467554 -
Flags: superreview?(mrbkap)
Attachment #467554 -
Flags: review?(jst)
|
|
Assignee | |
Comment 5•14 years ago
|
||
Other, not quite as simple would be to have a weak reference (not raw) to DOMWindow, and get browserchrome from it.
|
||
Updated•14 years ago
|
Attachment #467554 -
Flags: superreview?(mrbkap) → superreview+
|
||
Comment 6•14 years ago
|
||
Is this related to bug 575102?
If this gets reviewed and can land today it will make 3.6.9/3.5.12. If not, it will have to wait for the next release. Please ask for landing approval when/if it gets ready today. Thanks!
|
||
Updated•14 years ago
|
Attachment #467554 -
Flags: review?(jst) → review+
|
|
||
Updated•14 years ago
|
blocking2.0: ? → final+
|
|
Assignee | |
Updated•14 years ago
|
Attachment #467554 -
Flags: approval2.0?
|
|
||
Updated•14 years ago
|
Attachment #467554 -
Flags: approval2.0?
|
|
Assignee | |
Comment 8•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/7de93c31c0f2
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 9•14 years ago
|
||
Attachment #475069 -
Flags: approval1.9.2.10?
|
|
Assignee | |
Comment 10•14 years ago
|
||
Attachment #475070 -
Flags: approval1.9.1.13?
|
|
||
Comment 11•14 years ago
|
||
Comment on attachment 475069 [details] [diff] [review] for 1.9.2 Approved for 1.9.2.11, a=dveditz for release-drivers
Attachment #475069 -
Flags: approval1.9.2.11? → approval1.9.2.11+
|
|
||
Comment 12•14 years ago
|
||
Comment on attachment 475070 [details] [diff] [review] for 1.9.1 Approved for 1.9.1.14, a=dveditz for release-drivers
Attachment #475070 -
Flags: approval1.9.1.14? → approval1.9.1.14+
|
|
Assignee | |
Comment 13•14 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/fad1fb5ed6c0 http://hg.mozilla.org/releases/mozilla-1.9.2/rev/5f928f65382d
|
|
||
Updated•14 years ago
|
Alias: CVE-2010-3180
Whiteboard: [sg:critical] → [sg:critical?]
|
|
||
Updated•14 years ago
|
Attachment #482360 -
Attachment is private: true
|
|
||
Updated•14 years ago
|
Group: core-security
|
|
||
Updated•14 years ago
|
Attachment #482360 -
Attachment description: Bug Bounty Nomination → Bug Bounty Awarded
|
|
||
Updated•14 years ago
|
Attachment #482360 -
Attachment description: Bug Bounty Awarded → Bug Bounty Paid
|
|
||
Updated•14 years ago
|
Attachment #482360 -
Attachment description: Bug Bounty Paid → Bug Bounty Awarded [Paid]
|
||
Updated•11 years ago
|
Flags: sec-bounty+
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•