Closed
Bug 808829
Opened 12 years ago
Closed 12 years ago
WebRTC use-after-free crash [@mozilla::GetUserMediaStreamRunnable::Run]
Categories (Core :: WebRTC, defect)
RESOLVED DUPLICATE of bug 801227
Tracking | Status | |
---|---|---|
firefox16 | --- | unaffected |
firefox17 | --- | disabled |
firefox18 | --- | disabled |
firefox19 | --- | affected |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
People (Reporter: posidron, Assigned: anant)
Details (Keywords: crash, sec-critical, testcase)
Attachments (3 files, all deleted): text/html, text/plain, patch
alloc: dom/media/MediaManager.cpp:804
listeners = new StreamListeners;
free: dom/media/MediaManager.cpp:962
GetActiveWindows()->Remove(aWindowID);
re-use: dom/media/MediaManager.cpp:290
mListeners->AppendElement(listener);
To reproduce, refresh the page very often.
Tested with m-c changeset: 112272:ab099c9e1a09
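A simplified model of the lifetime pattern that the three call sites above suggest, as an added example that is not Mozilla's code. `WindowTable`, `RawRunnable`, `CheckedRunnable` and `RunAfterRefresh` are hypothetical names, and it is an assumption that the runnable held a raw pointer into the per-window table. Re-resolving by window ID at run time is one common mitigation, not necessarily the fix that landed in bug 801227.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

// Hypothetical stand-ins for the per-window listener table; not Mozilla's types.
using StreamListeners = std::vector<std::string>;

class WindowTable {
  std::unordered_map<uint64_t, std::shared_ptr<StreamListeners>> mActive;
 public:
  StreamListeners* GetOrCreate(uint64_t aWindowID) {  // corresponds to "alloc"
    auto& slot = mActive[aWindowID];
    if (!slot) slot = std::make_shared<StreamListeners>();
    return slot.get();
  }
  void Remove(uint64_t aWindowID) { mActive.erase(aWindowID); }  // "free"
  std::shared_ptr<StreamListeners> Lookup(uint64_t aWindowID) const {
    auto it = mActive.find(aWindowID);
    if (it == mActive.end()) return nullptr;
    return it->second;
  }
};

// Unsafe shape (assumed): the raw pointer is captured when the runnable is
// queued and dangles if Remove() runs before Run(). Never run in this example.
struct RawRunnable {
  StreamListeners* mListeners;
  void Run() { mListeners->push_back("listener"); }  // corresponds to "re-use"
};

// Hardened shape: keep only the window ID and resolve the listeners in Run().
struct CheckedRunnable {
  const WindowTable& mTable;
  uint64_t mWindowID;
  bool Run() {
    auto listeners = mTable.Lookup(mWindowID);
    if (!listeners) return false;  // window went away; drop the work
    listeners->push_back("listener");
    return true;
  }
};

// Replays the ordering from the report: queue, optionally refresh, then run.
bool RunAfterRefresh(bool aRefreshBeforeRun) {
  WindowTable table;
  table.GetOrCreate(42);  // constructed window ID
  CheckedRunnable runnable{table, 42};
  if (aRefreshBeforeRun) table.Remove(42);
  return runnable.Run();
}
```
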
Comment 1 • 12 years ago (Reporter)
Comment 2 • 12 years ago
Failure is in getUserMedia; adding anant
Comment 3 • 12 years ago (Assignee)
I cannot reproduce this, because I crash on a seemingly different bug.
However, I think I know why this is happening and have attached a tentative fix.
Assignee: nobody → anant
Status: NEW → ASSIGNED
Comment 4 • 12 years ago (Assignee)
The other crash is bug 809637, BTW.
Comment 5 • 12 years ago (Reporter)
Anant: are you using an ASan build to reproduce this bug?
Comment 6 • 12 years ago (Assignee)
No, I'm using gmalloc (which appears to be the only reliable memory inspection tool on OS X 10.8, since valgrind is not yet supported) which can be used to detect use-after-free.
If you are able to make a build fairly quickly, I'd appreciate it if you could try one with this patch applied!
Comment 7 • 12 years ago (Reporter)
Anant: https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer
Or the quick way
1) get & build LLVM/Clang: http://cdiehl.pastebin.mozilla.org/1922820
2) .mozconfig (change LLVM_HOME path): http://cdiehl.pastebin.mozilla.org/1922819
Updated • 12 years ago
status-firefox-esr10: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → disabled
status-firefox18: --- → disabled
status-firefox19: --- → affected
status-firefox-esr17: --- → unaffected
Comment 8 • 12 years ago
This bug will likely be fixed by the patch for bug 801227 (and in fact I think it's a variant of the same bug). Also, that last "listeners = NULL" is irrelevant; it's a local.
I suggest duping against 801227 or make it dependent on that and retest with that fix.
Updated • 12 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated • 9 years ago
Group: core-security