[tbb-bugs] #16495 [Tor Browser]: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 7 17:48:37 UTC 2015
#16495: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
-------------------------+-------------------------------------------------
 Reporter: gk             | Owner: tbb-team
 Type: defect             | Status: new
 Priority: critical       | Milestone:
 Component: Tor Browser   | Version:
 Resolution:              | Keywords: tbb-crash, tbb-5.0a, TorBrowserTeam201507
 Actual Points:           | Parent ID:
 Points:                  |
-------------------------+-------------------------------------------------
Comment (by mcs):
We found the cause of the crash. The nsIContent::DoGetClasses()
implementation uses static_cast to obtain an nsSVGElement pointer, but if
SVG is disabled the object is a regular XML element... so the cast results
in bad news. The code is here:
http://mxr.mozilla.org/mozilla-esr38/source/dom/base/Element.cpp#155
Kathy and I are working on a fix. We are also looking for other places
where similar casts are used. Our current thinking is that we will change
IsSVG() to return false if SVG is disabled. It would be better to avoid
the cast entirely, but we do not see an easy way to do so (if someone were
to change the svg.in-content.enabled pref. during page load, there is a
chance that the code mentioned above will go down the wrong path even
after we put a fix in place).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16495#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
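
The failure mode described in the comment above, as an added C++ model that is not Gecko or Tor Browser code: it compares a namespace-only guard, a pref-aware guard (the IsSVG() change the comment proposes) and a per-object guard in front of the downcast, including the case where the pref changes during page load. All type and function names are hypothetical, `gSvgEnabled` stands in for the svg.in-content.enabled pref, and the per-object guard is an assumption shown for comparison, not something the ticket adopts.

```cpp
#include <memory>
#include <string>
#include <utility>

// Simplified model, not Gecko code. All names below are hypothetical.
static bool gSvgEnabled = true;  // stands in for the svg.in-content.enabled pref

struct Element {
    std::string ns;           // namespace the parser saw in the markup
    bool builtAsSvg = false;  // fixed at construction, describes the real C++ type
    explicit Element(std::string n) : ns(std::move(n)) {}
    virtual ~Element() = default;
};

struct SvgElement : Element {
    std::string animatedClass = "svg-class";  // member a generic element lacks
    SvgElement() : Element("svg") { builtAsSvg = true; }
};

// Factory: with SVG disabled, svg-namespace markup becomes a generic element.
std::unique_ptr<Element> CreateElement(const std::string& ns) {
    if (ns == "svg" && gSvgEnabled) return std::make_unique<SvgElement>();
    return std::make_unique<Element>(ns);
}

// Three candidate guards in front of static_cast<SvgElement*>(e).
bool GuardNamespaceOnly(const Element& e) { return e.ns == "svg"; }
bool GuardPrefAware(const Element& e)     { return gSvgEnabled && e.ns == "svg"; }
bool GuardPerObject(const Element& e)     { return e.builtAsSvg; }

// True when a guard would allow the downcast on an object that is not an SvgElement.
// dynamic_cast is used only to learn the real type; the unsafe cast is never run.
bool GuardAllowsBadCast(bool (*guard)(const Element&), const Element& e) {
    bool reallySvg = dynamic_cast<const SvgElement*>(&e) != nullptr;
    return guard(e) && !reallySvg;
}

// Element is created with the pref off; optionally the pref flips on mid-load.
bool BadCastPossible(bool (*guard)(const Element&), bool flipPrefAfterCreate) {
    gSvgEnabled = false;
    auto e = CreateElement("svg");  // generic element carrying the svg namespace
    if (flipPrefAfterCreate) gSvgEnabled = true;
    bool bad = GuardAllowsBadCast(guard, *e);
    gSvgEnabled = true;             // restore the default for the next call
    return bad;
}

int main() { return BadCastPossible(GuardPerObject, true) ? 1 : 0; }
```
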