Bug 855174 - WebVTT use-after-free crash [@mozilla::dom::FragmentOrElement::Release]
Status: Closed (RESOLVED WORKSFORME)
Opened 12 years ago; closed 11 years ago
Categories: Core :: Audio/Video, defect
People: Reporter: posidron, Assigned: rillian
Details: 5 keywords; Attachments: 2 files

Version | Tracking | Status
---|---|---
firefox21 | --- | unaffected
firefox22 | --- | unaffected
firefox23 | --- | unaffected
firefox24 | --- | disabled
firefox25 | --- | disabled
firefox26 | --- | disabled
firefox27 | --- | disabled
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
Description (Reporter)

To reproduce, reload the testcase multiple times (10-30 times) and then let the video play.

alloc: parser/html/nsHtml5TreeOperation.cpp:341

```cpp
nsCOMPtr<nsINodeInfo> nodeInfo = aBuilder->GetNodeInfoManager()->
    GetNodeInfo(name, nullptr, ns, nsIDOMNode::ELEMENT_NODE);
[...]
MOZALLOC_EXPORT_NEW MOZALLOC_INLINE
void* operator new(size_t size) MOZALLOC_THROW_BAD_ALLOC
{
    return moz_xmalloc(size);
}
```

free: content/html/content/src/HTMLTrackElement.cpp:82

```cpp
HTMLTrackElement::~HTMLTrackElement()
{
}
[...]
void
nsNodeInfo::LastRelease()
{
  nsRefPtr<nsNodeInfoManager> kungFuDeathGrip = mOwnerManager;
  delete this;
}
```

re-use: content/base/src/FragmentOrElement.cpp:1716

```cpp
NS_IMPL_CYCLE_COLLECTING_RELEASE_WITH_DESTROY(FragmentOrElement,
                                              nsNodeUtils::LastRelease(this))
[...]
uint16_t NodeType() const
{
  return mInner.mNodeType;
}
```

Tested with https://github.com/RickEyre/mozilla-central/commit/2e700035398ca49a90338c1f676892af1ebee0c6
Comment 1 • 12 years ago (Reporter)

Updated • 12 years ago (Reporter)
Keywords: sec-critical

Comment 3 • 12 years ago (Assignee)

Sure. This bug is against the integration branch at https://github.com/RickEyre/mozilla-central.git. The code in question hasn't landed yet. See bug 833385.

Updated • 12 years ago (Reporter)
Blocks: fuzzing-webvtt
Comment 4 • 12 years ago

I'll mark Fx23 "affected" assuming you'll land bug 833385 in this cycle.

Blocks: 833385
status-b2g18: --- → unaffected
status-firefox21: --- → unaffected
status-firefox23: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox22: + → ---
tracking-firefox23: --- → +
Keywords: regression
Comment 6 • 12 years ago

It looks like the relevant code has landed in 24. Ralph, was this fixed when it landed? Or is it still disabled on trunk?
Updated • 11 years ago

Comment 8 • 11 years ago

Given the pref is disabled by default on nightly, not tracking at this time. We should verify if the bug exists on the version this will be enabled in and renominate it if unfixed by then. Also removing the tracking here for Fx23 given it is unaffected.

tracking-firefox23: + → ---
tracking-firefox24: ? → ---
Comment 9 • 11 years ago

Ralph please update 25 status if you turn this on (bug 887978).

status-firefox25: --- → disabled

Updated • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX

Updated • 11 years ago
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

Updated • 11 years ago
status-firefox26: --- → disabled

Updated • 11 years ago
status-firefox27: --- → disabled
Comment 11 • 11 years ago (Reporter)

This is not reproducible anymore. Tested with https://hg.mozilla.org/integration/mozilla-inbound/rev/e56e8fbacb7c

Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED

Updated • 11 years ago
Resolution: FIXED → WORKSFORME

Updated • 9 years ago
Group: core-security