[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #16495 [Tor Browser]: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"

Subject: Re: [tor-bugs] #16495 [Tor Browser]: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 07 Jul 2015 17:48:37 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 07 Jul 2015 13:48:48 -0400
In-reply-to: <042.b609b11d4aacb7efd49f114b57c344d1@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <042.b609b11d4aacb7efd49f114b57c344d1@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#16495: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
-------------------------+-------------------------------------------------
     Reporter:  gk       |      Owner:  tbb-team
         Type:  defect   |     Status:  new
     Priority:           |  Milestone:
  critical               |    Version:
    Component:  Tor      |   Keywords:  tbb-crash, tbb-5.0a,
  Browser                |  TorBrowserTeam201507
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mcs):

 We found the cause of the crash.  The nsIContent::DoGetClasses()
 implementation uses static_cast to obtain an nsSVGElement pointer, but if
 SVG is disabled the object is a regular XML element... so the cast results
 in bad news.  The code is here:
 http://mxr.mozilla.org/mozilla-esr38/source/dom/base/Element.cpp#155

 Kathy and I are working on a fix.  We are also looking for other places
 where similar casts are used.  Our current thinking is that we will change
 IsSVG() to return false if SVG is disabled.  It would be better to avoid
 the cast entirely, but we do not see an easy way to do so (if someone were
 to change the svg.in-content.enabled pref. during page load, there is a
 chance that the code mentioned above will go down the wrong path even
 after we put a fix in place).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16495#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #16495 [Tor Browser]: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #10250 [Tor Browser]: Disable RC4 in TBB Firefox
Next by Author: Re: [tor-bugs] #16495 [Tor Browser]: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
Previous by thread: Re: [tor-bugs] #16495 [Tor Browser]: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
Next by thread: Re: [tor-bugs] #16495 [Tor Browser]: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
Index(es):
- Author
- Thread