[tor-bugs] #16771 [Tor Browser]: TBB 5.5a1 crashes on Google Maps
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Aug 12 00:33:53 UTC 2015
#16771: TBB 5.5a1 crashes on Google Maps
-------------------------+-------------------------------------------------
Reporter: tom            | Owner: tbb-team
Type: defect             | Status: new
Priority: major          | Milestone:
Component: Tor Browser   | Version:
Resolution:              | Keywords: tbb-crash, tbb-5.0-regression,
Actual Points:           |           TorBrowserTeam201508
Points:                  | Parent ID:
-------------------------+-------------------------------------------------
Comment (by mikeperry):
Yep, definitely due to our blob isolation code.
Here are some more details from gdb:
{{{
5 nsHostObjectProtocolHandler::RemoveDataEntry (aUri=..., aIsolationKey=...)
at /home/ubuntu/build/tor-browser/dom/base/nsHostObjectProtocolHandler.cpp:354
(gdb) print aUri
$1 = (const nsACString_internal &) @0x7f0aa6df0308: {mData = 0x7f0aa5153748 "blob:https://www.google.fr/55bfbe9f-d716-4445-a462-3957440c69f9", mLength = 63, mFlags = 5}
(gdb) print aIsolationKey
$2 = (const nsACString_internal &) @0x7ffcdb3bcee0: {mData = 0x7f0a8c698748 "google.fr", mLength = 9, mFlags = 5}
}}}
The calling function is the loop in the nsDocument destructor that clears
out all of the mHostObjectURIs in the origin. According to
mHostObjectURIs->mHdr->mLength, there were two elements in
mHostObjectURIs, and the loop was on the first one (that blob URI).
It looks like the ultimate cause of the crash was that GetDataInfo(aUri)
returned a NULL pointer in nsHostObjectProtocolHandler::RemoveDataEntry,
and then we dereferenced it trying to read info->mFirstPartyHost. However,
because info was optimized out, the code continued a bit deeper into the
string comparison code before crashing.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16771#comment:7>
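Added example (not Tor Browser code and not from the ticket): a toy model of the blob-URL registry the comment describes, with the lookup result checked before `info->mFirstPartyHost` is read. The registry, `RemoveResult`, `DestroyDocument`, and the scenario of a second URI that has already been revoked are assumptions for illustration; the ticket does not say why `GetDataInfo` returned NULL.

```cpp
// Toy model of the per-first-party blob registry (assumed structure, not
// the real nsHostObjectProtocolHandler).
#include <map>
#include <string>
#include <vector>

struct DataInfo {
  std::string mFirstPartyHost;  // isolation key the blob was registered under
};

// Registry keyed by the full blob: URI, as seen in the gdb output.
static std::map<std::string, DataInfo> gDataTable;

void AddDataEntry(const std::string& aUri, const std::string& aFirstPartyHost) {
  gDataTable[aUri] = DataInfo{aFirstPartyHost};
}

// Returns nullptr when the URI is unknown; this is the return value the
// comment says was dereferenced without a check.
DataInfo* GetDataInfo(const std::string& aUri) {
  auto it = gDataTable.find(aUri);
  return it == gDataTable.end() ? nullptr : &it->second;
}

enum class RemoveResult { Removed, NotFound, IsolationMismatch };

// Hardened RemoveDataEntry: bail out on a missing entry instead of reading
// info->mFirstPartyHost, and never remove an entry across isolation keys.
RemoveResult RemoveDataEntry(const std::string& aUri,
                             const std::string& aIsolationKey) {
  DataInfo* info = GetDataInfo(aUri);
  if (!info) {
    return RemoveResult::NotFound;  // previously: null dereference here
  }
  if (info->mFirstPartyHost != aIsolationKey) {
    return RemoveResult::IsolationMismatch;
  }
  gDataTable.erase(aUri);
  return RemoveResult::Removed;
}

// Hypothetical stand-in for the nsDocument destructor loop over
// mHostObjectURIs; returns how many entries were actually removed.
int DestroyDocument(const std::vector<std::string>& uris, const std::string& key) {
  int removed = 0;
  for (const auto& uri : uris)
    if (RemoveDataEntry(uri, key) == RemoveResult::Removed) ++removed;
  return removed;
}
```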