| ID | Summary | Product | Component | Assignee | Status | Resolution | Date |
|---|---|---|---|---|---|---|---|
| 864023 | ASAN builds crashing on startup | Core | General | nobody | REOP | --- | 2022-10-10 |
| 880193 | ASan: alloc-dealloc-mismatch (malloc vs operator delete) in gfx/skia vs. gfx/2d | Core | Graphics | nobody | REOP | --- | 2022-10-10 |
| 1018358 | UAF [@ mozilla::WebGLContext::UpdateContextLossStatus] with webgl.disabled | Core | Graphics: CanvasWebG | demo99 | RESO | WORK | 2023-06-25 |
| 810626 | WebRTC use-after-free crash [@ mozilla::TransportLayer::SetState] | Core | WebRTC | ekr | RESO | FIXE | 2016-12-01 |
| 820990 | WebRTC use-after-free crash [@mozilla::NrIceCtx::EmitAllCandidates] | Core | WebRTC: Networking | ekr | RESO | FIXE | 2013-11-25 |
| 824893 | Heap-use-after-free in nr_ice_peer_ctx_fire_done | Core | WebRTC: Networking | ekr | RESO | WORK | 2017-10-26 |
| 933582 | Heap-buffer-overflow WRITE in nsSVGTextFrame2::ResolvePositions | Core | SVG | nobody | RESO | DUPL | 2016-10-11 |
| 808546 | WebRTC crash [@nsDOMMediaStream::GetStream] | Core | WebRTC: Audio/Video | rjesup | RESO | FIXE | 2014-11-19 |
| 866525 | ASan: Several tests cause use-after-poison [@ port_ArenaZeroAfterMark] through ASN1 decoder in NSS | NSS | Libraries | wtc | RESO | FIXE | 2013-11-04 |
| 793863 | Signaling code: crash in fsmdef_release | Core | WebRTC: Signaling | ethanhugg | RESO | FIXE | 2012-12-08 |
| 801227 | WebRTC crash [@mozilla::MediaManager::GetUserMedia] | Core | WebRTC | rjesup | RESO | FIXE | 2014-11-19 |
| 834761 | ASan Nightly builds failing "sendchange" | Release Engineering | General | catlee | RESO | FIXE | 2018-05-08 |
| 748423 | LDFLAGS should be honored when building NSS dylibs on Mac | NSS | Build | nobody | RESO | FIXE | 2023-11-06 |
| 942794 | global buffer overflow (read) at nsFloatManager::GetFlowArea, preceded by ###!!! ABORT: bad state: 'floatCount <= mFloats.Length() | Core | Layout: Floats | nobody | RESO | WORK | 2022-11-05 |
| 798802 | mixing webgl and 2d context causes crashes | Core | Graphics: Canvas2D | ajones | RESO | FIXE | 2013-04-18 |
| 885539 | Heap-use-after-free in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyElements<mozilla::dom::HTMLImageElement*> >::Hdr() | Core | DOM: Core & HTML | amarchesini | RESO | FIXE | 2014-07-24 |
| 1140804 | Use After Free in WorkerPrivate::NotifyFeatures() | Core | DOM: Workers | amarchesini | RESO | FIXE | 2017-03-29 |
| 1166924 | Use After Free in CanonicalizeXPCOMParticipant | Core | DOM: Workers | amarchesini | RESO | FIXE | 2017-03-29 |
| 1360992 | AddressSanitizer: attempting double-free on 0x603000211990 in thread T33 (DOM Worker) | Core | DOM: Workers | amarchesini | RESO | FIXE | 2017-05-09 |
| 788950 | Heap-use-after-free in nsTextEditRules::WillInsert | Core | DOM: Editor | ayg | RESO | FIXE | 2014-07-24 |
| 795708 | Heap-use-after-free in nsEditor::FindNextLeafNode | Core | DOM: Editor | ayg | RESO | FIXE | 2014-07-24 |
| 795804 | Heap-use-after-free in nsTextEditorState::PrepareEditor | Core | DOM: Editor | ayg | RESO | FIXE | 2014-07-24 |
| 805287 | Heap-use-after-free in nsTextEditorState::PrepareEditor | Core | DOM: Editor | ayg | RESO | FIXE | 2014-07-24 |
| 999274 | Heap-use-after-free in mozilla::dom::workers::WorkerPrivateParent | Core | DOM: Workers | bent.mozilla | RESO | FIXE | 2015-08-30 |
| 752221 | Crash in XPCNativeScriptableInfo::GetFlags() | Core | DOM: Core & HTML | bholley | RESO | WORK | 2019-03-13 |
| 786142 | Heap-use-after-free in XPCWrappedNative::Mark | Core | XPConnect | bholley | RESO | FIXE | 2014-07-24 |
| 789766 | Heap-use-after-free in XPCWrappedNativeProto::GetScope | Core | XPConnect | bholley | RESO | WORK | 2015-08-07 |
| 832646 | Crash on invalid address in CalculateUTF8Size::write | Core | DOM: Core & HTML | bholley | RESO | FIXE | 2019-03-13 |
| 832986 | SEGV in CalculateUTF8Size::write | Core | DOM: Core & HTML | bholley | RESO | FIXE | 2019-03-13 |
| 843923 | ASAN: js/xpconnect/tests/unit/test_bug608142.js triggers heap-use-after-free error | Core | XPConnect | bholley | RESO | FIXE | 2014-11-19 |
| 883301 | ASAN use-after-free in JS_GetGlobalForScopeChain #2 | Core | DOM: Core & HTML | bholley | RESO | DUPL | 2019-03-13 |
| 886174 | ASAN use-after-free in JS_GetGlobalForScopeChain #3 | Core | DOM: Core & HTML | bholley | RESO | DUPL | 2019-03-13 |
| 752902 | Heap-use-after-free in nsSMILTimeValueSpec::IsEventBased | Core | SVG | brian | RESO | FIXE | 2016-12-01 |
| 775852 | use after free, webgl fragment shader deleted by accessor | Core | DOM: Core & HTML | bzbarsky | RESO | FIXE | 2019-03-13 |
| 851781 | Heap-use-after-free in nsContentUtils::RemoveScriptBlocker | Core | DOM: Core & HTML | bzbarsky | RESO | FIXE | 2019-03-13 |
| 1191492 | AddressSanitizer: heap-buffer-overflow during incremental GC | Core | JavaScript: GC | bzbarsky | RESO | FIXE | 2020-02-28 |
| 1092363 | Heap-buffer-overflow in nsTransformedTextRun::SetCapitalization | Core | CSS Parsing and Comp | cam | RESO | FIXE | 2016-06-04 |
| 709483 | Off-by-one in dom/base/nsDOMClassInfo.cpp | Core | DOM: Core & HTML | choller | RESO | FIXE | 2019-03-13 |
| 709580 | Out of bounds access in GfxInfoBase::GetFeatureStatusImpl | Core | Graphics | choller | RESO | DUPL | 2011-12-28 |
| 741258 | ASAN: unresolved symbols in libnssutil3.dylib | Core | Security | choller | RESO | FIXE | 2012-04-30 |
| 746951 | Avoid inlining js::MarkRangeConservatively with AddressSanitizer builds | Core | JavaScript Engine | choller | RESO | FIXE | 2012-04-21 |
| 748727 | Include AddressSanitizer blacklist file into the tree | Firefox Build System | General | choller | RESO | FIXE | 2020-02-28 |
| 749588 | jit_test.py address space limiting is incompatible to AddressSanitizer | Core | JavaScript Engine | choller | RESO | FIXE | 2012-05-08 |
| 751412 | Invalid stack memory access in double_conversion::StringBuilder::AddSubstring | Core | MFBT | choller | RESO | FIXE | 2012-05-05 |
| 776556 | Code Signing breaks ASan OSX builds | Firefox Build System | General | choller | RESO | FIXE | 2018-03-02 |
| 782336 | use after free in gfxTextRun::GetAdvanceWidth | Core | Graphics: Text | choller | RESO | WORK | 2017-10-26 |
| 787916 | ASan: mochitest-1 is extremely slow on try but not locally | Release Engineering | General | choller | RESO | FIXE | 2013-08-12 |
| 797900 | Disable certain crashtests under AddressSanitizer | Testing | Reftest | choller | RESO | FIXE | 2013-01-22 |
| 832989 | Disable TestPoisonArea test under ASan due to incompatibility | Core | Layout | choller | RESO | FIXE | 2013-01-22 |
| 833018 | ASan: Enable memory-saving options for tests when running on test slaves | Release Engineering | General | choller | RESO | FIXE | 2013-08-12 |
| 857189 | AddressSanitizer's SIGSEGV handler is incompatible with asm.js | Core | JavaScript Engine | choller | RESO | FIXE | 2013-05-15 |
| 874527 | Disable certain XUL crashtests under AddressSanitizer | Testing | Reftest | choller | RESO | WONT | 2014-06-04 |
| 898484 | ASan build bustage due to libstdc++ problems (GLIBCXX_3.4.14/15 referenced) | Firefox Build System | General | choller | RESO | FIXE | 2018-03-02 |
| 902132 | Disable some WebGL tests under ASan | Core | Graphics: CanvasWebG | choller | RESO | FIXE | 2013-08-15 |
| 902157 | ASAN: Add another memory-saving option for test slaves with 2-4 GB memory | Release Engineering | General | choller | RESO | FIXE | 2018-05-08 |
| 905636 | ASAN: Mark test_multipart_streamconv_missing_lead_boundary.js as failing | Core | Networking | choller | RESO | FIXE | 2013-08-17 |
| 784600 | Heap-use-after-free in nsIFrame::GetStyleContext | Core | Layout | chris | RESO | FIXE | 2016-12-01 |
| 750820 | Use-after-free in nsGlobalWindow::PageHidden | Core | DOM: Core & HTML | continuation | RESO | FIXE | 2019-03-13 |
| 757023 | Heap-use-after-free in XPCNativeScriptableInfo::Mark() | Core | XPConnect | continuation | RESO | DUPL | 2012-09-23 |
| 765011 | Global-buffer-overflow in XPCWrappedNativeProto::GetScriptableInfo | Core | XPConnect | continuation | RESO | DUPL | 2012-09-23 |
| 776213 | Heap-use-after-free in nsHTMLSelectElement::SubmitNamesValues | Core | DOM: Core & HTML | continuation | RESO | FIXE | 2016-12-01 |
| 780979 | Out-of-bounds-read in CharDistributionAnalysis::HandleOneChar | Core | Internationalization | continuation | RESO | FIXE | 2013-04-30 |
| 801957 | Heap-use-after-free in XPCNativeSet::Mark | Core | JavaScript Engine | continuation | RESO | FIXE | 2014-07-24 |
| 827687 | Out of bounds read [@ ElementAnimations::EnsureStyleRuleFor] with CSS animation | Core | CSS Parsing and Comp | dbaron | RESO | FIXE | 2014-11-19 |
| 893308 | Heap-use-after-free in nsAnimationManager::BuildAnimations | Core | Layout | dbaron | RESO | FIXE | 2014-11-19 |
| 719779 | AddressSanitizer heap-use-after-free READ of size 4 | Core | SVG | dholbert | RESO | DUPL | 2013-02-21 |
| 824862 | Heap-use-after-free in nsCounterList::RecalcAll and "ASSERTION: Bit should never be set on generated content: '!frame \|\| !frame->IsGeneratedContentFrame()", with display:flex, "overflow", and generated content | Core | Layout | dholbert | RESO | FIXE | 2016-12-01 |
| 857841 | SEGV crash in nsFrame::BoxReflow | Core | Layout | dholbert | RESO | DUPL | 2015-06-17 |
| 883514 | Global buffer overflow (read 4) at nsFloatManager::GetFlowArea() with multicol, list, floats | Core | Layout: Floats | dholbert | RESO | FIXE | 2017-03-14 |
| 892017 | ASan: xpcshell test security/manager/ssl/tests/unit/test_ocsp_stapling.js triggers stack-buffer-overflow | Core | Security: PSM | dkeeler | RESO | FIXE | 2013-07-22 |
| 790503 | On Mac Mini, defaultCalibration reads outside of sensors[] | Core | Hardware Abstraction | doug.turner | RESO | FIXE | 2012-10-02 |
| 830132 | Heap-use-after-free in nsINode::ReplaceOrInsertBefore | Core | DOM: Editor | dzbarsky | RESO | FIXE | 2014-07-24 |
| 771976 | Heap-use-after-free in mozSpellChecker::SetCurrentDictionary | Core | Spelling checker | ehsan.akhgari | RESO | FIXE | 2016-12-01 |
| 772346 | Heap-use-after-free in nsHTMLEditRules::DeleteNonTableElements | Core | DOM: Editor | ehsan.akhgari | RESO | FIXE | 2014-07-24 |
| 785574 | Heap-use-after-free in nsHTMLCSSUtils::CreateCSSPropertyTxn | Core | DOM: Editor | ehsan.akhgari | RESO | FIXE | 2016-12-01 |
| 785720 | Heap-buffer-overflow in nsHTMLEditor::IsPrevCharInNodeWhitespace | Core | MathML | ehsan.akhgari | RESO | FIXE | 2016-12-01 |
| 874915 | Heap-buffer-overflow READ in mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer | Core | Web Audio | ehsan.akhgari | RESO | FIXE | 2016-12-01 |
| 876118 | Heap-buffer-overflow WRITE in mozilla::AudioNodeStream::ObtainInputBlock | Core | Web Audio | ehsan.akhgari | RESO | FIXE | 2014-07-24 |
| 876252 | Heap-buffer-overflow READ in speex_resampler_process_float | Core | Web Audio | ehsan.akhgari | RESO | FIXE | 2014-07-24 |
| 877125 | Heap-buffer-overflow in mozilla::dom::OfflineDestinationNodeEngine::ProduceAudioBlock | Core | Web Audio | ehsan.akhgari | RESO | FIXE | 2014-07-24 |
| 1158651 | Global-buffer-overflow in nsTArray_Impl<mozilla::dom::OwningNonNull<nsINode>, nsTArrayInfallibleAllocator>::RemoveElementAt | Core | DOM: Editor | ehsan.akhgari | RESO | FIXE | 2020-03-10 |
| 790929 | WebRTC crash [@sdp_build_attr_from_str] | Core | WebRTC: Signaling | ethanhugg | RESO | FIXE | 2013-04-18 |
| 790949 | WebRTC crash [@sdp_getnextstrtok] | Core | WebRTC: Signaling | ethanhugg | RESO | FIXE | 2013-04-18 |
| 791702 | WebRTC crash [@sipsdp_write_to_buf] | Core | WebRTC: Signaling | ethanhugg | RESO | FIXE | 2013-04-18 |
| 824960 | WebRTC use-after-free crash [@mozilla::DataChannelConnection::SendOpenAckMessage] | Core | WebRTC: Audio/Video | ethanhugg | RESO | DUPL | 2015-06-17 |
| 749620 | Invalid stack memory access in CompareLexicographicInt32 | Core | JavaScript Engine | evilpies | RESO | FIXE | 2012-05-04 |
| 833127 | TestStartupCache fails under ASan | Core | XPCOM | froydnj+bz | RESO | FIXE | 2013-07-10 |
| 961394 | MOZ_ASAN_BLACKLIST does not work with GCC ASAN | Core | MFBT | froydnj+bz | RESO | FIXE | 2014-01-22 |
| 710688 | ASan reports heap-use-after-free in JS::Value::isMarkable | Core | JavaScript Engine | general | RESO | DUPL | 2014-02-12 |
| 732791 | Use-after-free [@ js::mjit::Compiler::bytecodeInChunk] or Crash [@ js::GetBytecodeLength] | Core | JavaScript Engine | general | RESO | DUPL | 2012-04-19 |
| 784368 | "make package" broken in ASan builds (GC related ASan failure) | Core | JavaScript Engine | general | RESO | FIXE | 2012-09-01 |
| 799438 | IonMonkey: AddressSanitizer heap-use-after-free in [@ js::StackSegment::popCall] or Assertion failure: !used(), at ../ion/shared/Assembler-shared.h:234 | Core | JavaScript Engine | general | RESO | WORK | 2014-02-12 |
| 872565 | ASM.js tests orange on AddressSanitizer TBPL builds | Core | JavaScript Engine | general | RESO | FIXE | 2013-08-05 |
| 893739 | OdinMonkey: Use-after-free [@ strlen] through [@ js::ScriptSource::setFilename] | Core | JavaScript Engine | general | RESO | DUPL | 2016-10-11 |
| 957716 | ASan use-after-free [@ js::Binding::name()] with setObjectMetadataCallback | Core | JavaScript Engine | general | RESO | DUPL | 2014-01-14 |
| 853589 | WebVTT crash [@parse_cueparams] | Core | Audio/Video | giles | RESO | FIXE | 2016-06-04 |
| 879924 | Non-null crash at nsCString::CharAt | Core | Audio/Video | giles | RESO | FIXE | 2014-11-19 |
| 881066 | heap-buffer-overflow (read) at mozilla::(anonymous namespace)::ReadUint8 | Core | Audio/Video | giles | RESO | FIXE | 2016-06-04 |
| 815795 | stack buffer overflow with canvas | Core | Graphics: Canvas2D | gw | RESO | FIXE | 2014-07-24 |
| 961859 | Out of bounds read(4) in SelectionIterator::GetNextSegment | Core | Layout: Text and Fon | inferno | RESO | WORK | 2015-02-22 |
| 765198 | WebGL crash [@mozilla::WebGLContext::ReadPixels] | Core | Graphics: CanvasWebG | jacob.benoit.1 | RESO | FIXE | 2012-06-22 |
| 775234 | out of bounds read when compiling webgl vertex shader with long identifier name | Core | Graphics: CanvasWebG | jacob.benoit.1 | RESO | FIXE | 2014-07-14 |
| 787827 | use-after-free in webgl with resource overflow thing, llvmpipe atleast | Core | Graphics: CanvasWebG | jacob.benoit.1 | RESO | DUPL | 2019-09-06 |
| 790879 | integer overflow, invalid write w/webgl bufferdata | Core | Graphics: CanvasWebG | jacob.benoit.1 | RESO | FIXE | 2016-12-01 |
| 802778 | crash in copyTexImage2D with image dimensions too large for given level | Core | Graphics: CanvasWebG | jacob.benoit.1 | RESO | FIXE | 2014-07-24 |
| 816695 | Blocklist LLvmpipe graphics driver | Core | Graphics | jacob.benoit.1 | RESO | FIXE | 2012-12-21 |
| 827106 | freeing unallocated address with webgl | Core | Graphics: CanvasWebG | jacob.benoit.1 | RESO | FIXE | 2013-11-25 |
| 950390 | AddressSanitizer Errors: attempting to call malloc_usable_size() for pointer which is not owned, and memory address is located 2032 bytes to the left of 0-byte region | Core | Graphics: ImageLib | jacob.benoit.1 | RESO | WORK | 2014-07-16 |
| 771318 | Heap-use-after-free in nsWSAdmissionManager::OnStopSession | Core | Networking | jduell.mcbugs | RESO | FIXE | 2016-12-01 |
| 729626 | ASAN: heap-buffer-overflow in harfbuzz indic cluster machine | Core | Graphics | jfkthame | RESO | FIXE | 2013-02-20 |
| 780959 | Heap-buffer-overflow in BuildTextRunsScanner::FindBoundaries | Core | Layout: Text and Fon | jfkthame | RESO | FIXE | 2016-12-01 |
| 804927 | heap-buffer-overflow in gfxShapedWord::CompressedGlyph::IsClusterStart | Core | Graphics | jfkthame | RESO | FIXE | 2014-07-24 |
| 823925 | Out of bounds read in BuildTextRunsScanner::FindBoundaries | Core | Layout: Text and Fon | jfkthame | RESO | WORK | 2017-10-26 |
| 774207 | Heap-buffer-overflow in mozilla::gfx::BoxBlurVertical | Core | Graphics | jmuizelaar | RESO | FIXE | 2016-06-04 |
| 794471 | Heap-use-after-free in mozilla::image::nsPNGDecoder::row_callback during WebGL conformance suite | Core | Graphics | joe | RESO | WORK | 2022-06-01 |
| 840353 | Heap-use-after-free in nsAsyncDOMEvent::Run | Core | DOM: Core & HTML | joe | RESO | FIXE | 2019-03-13 |
| 890179 | heap-buffer-overflow (write) at mozilla::image::nsPNGDecoder::row_callback | Core | Graphics: ImageLib | joe | RESO | FIXE | 2014-07-24 |
| 773207 | Heap-use-after-free in nsObjectLoadingContent::LoadObject | Core | DOM: Core & HTML | john | RESO | FIXE | 2019-03-13 |
| 710479 | ASan reports invalid read in PopOffPrec | Core | JavaScript Engine | jorendorff | RESO | FIXE | 2012-05-16 |
| 788959 | Heap-use-after-free in imgRequest::OnStopFrame | Core | Graphics: ImageLib | josh | RESO | FIXE | 2016-12-01 |
| 801366 | out-of-bounds-read in mozilla::image::RasterImage::DrawFrameTo | Core | Graphics: ImageLib | josh | RESO | FIXE | 2014-11-19 |
| 819843 | Heap-use-after-free in nsHttpConnection::SetSecurityCallbacks | Core | Networking: HTTP | josh | RESO | WORK | 2014-11-19 |
| 783502 | xpcshell test netwerk/test/unit/test_MIME_params.js fails on AddressSanitizer | Core | Networking | julian.reschke | RESO | FIXE | 2013-01-10 |
| 804041 | Heap-use-after-free in mozilla::image::DiscardTracker::DiscardNow | Core | Graphics: ImageLib | justin.lebar+bug | RESO | DUPL | 2015-06-17 |
| 827689 | Heap-buffer-overflow in LossyConvertEncoding8to16::write_sse2 | Core | XPCOM | justin.lebar+bug | RESO | DUPL | 2015-06-17 |
| 831090 | crash @Worker::SetEventListener with Worker and __proto__ | Core | JavaScript Engine | jwalden | RESO | DUPL | 2016-10-11 |
| 926401 | ASan heap-buffer-overflow with BinaryData | Core | JavaScript Engine | jwalden | RESO | FIXE | 2015-02-25 |
| 780963 | invalid cast with svg feImage | Core | SVG | jwatt | RESO | FIXE | 2014-07-24 |
| 787722 | Heap-buffer-overflow in Convolve3x3 | Core | SVG | jwatt | RESO | FIXE | 2014-07-24 |
| 795592 | invalid cast leading to out of bounds read in nsSVGUtils::GetCanvasTM | Core | SVG | jwatt | RESO | FIXE | 2014-07-24 |
| 795734 | Out of bounds READ in nsRegion::Or | Core | SVG | jwatt | RESO | FIXE | 2014-07-24 |
| 795740 | Heap-buffer-overflow in nsMappedAttributes::GetAttr | Core | SVG | jwatt | RESO | DUPL | 2014-07-14 |
| 798010 | segfault with svg and markers | Core | SVG | jwatt | RESO | DUPL | 2014-07-14 |
| 745548 | Nickname race in PK11_ImportCert (potential heap-use-after-free in nssUTF8_Duplicate) | NSS | Libraries | kaie | RESO | FIXE | 2014-06-27 |
| 792305 | Heap-buffer-overflow in nsWindow::OnExposeEvent | Core | Widget: Gtk | karlt | RESO | FIXE | 2016-12-01 |
| 803762 | Invalid write in MakeBigReq memmove XRenderCompositeTrapezoids | Core | Graphics | karlt | RESO | WORK | 2016-11-02 |
| 831095 | Use-After-Free crash @xul!nsImageLoadingContent::OnStopContainer | Core | DOM: Core & HTML | khuey | RESO | FIXE | 2019-03-13 |
| 826104 | Crash in MediaDecoder::UpdatePlaybackOffset | Core | Audio/Video | kinetik | RESO | FIXE | 2020-05-27 |
| 711653 | SVGFilter out of bounds read (Address Sanitizer) | Core | SVG | longsonr | RESO | FIXE | 2016-02-21 |
| 786895 | Heap-use-after-free in DOMSVGTests::GetRequiredFeatures | Core | SVG | longsonr | RESO | FIXE | 2014-07-24 |
| 760975 | Heap-buffer-overflow in nsAutoCompleteController::ProcessResult | Toolkit | Autocomplete | mak | RESO | WORK | 2015-10-16 |
| 764541 | Crash in BidiParagraphData::PushBidiControl | Core | Layout: Text and Fon | MatsPalmgren_bugz | RESO | FIXE | 2012-07-19 |
| 765621 | Out of bounds read in IsCSSWordSpacingSpace | Core | Layout: Block and In | MatsPalmgren_bugz | RESO | FIXE | 2014-07-22 |
| 774548 | Heap-buffer-overflow in nsBlockFrame::MarkLineDirty | Core | Layout: Block and In | MatsPalmgren_bugz | RESO | FIXE | 2016-12-01 |
| 777578 | Heap-use-after-free in PresShell::CompleteMove | Core | DOM: Selection | MatsPalmgren_bugz | RESO | FIXE | 2016-12-01 |
| 783041 | out-of-bounds read when blurring | Core | Graphics | MatsPalmgren_bugz | RESO | FIXE | 2014-07-14 |
| 785555 | Heap-buffer-overflow in gfxTextRun::ShrinkToLigatureBoundaries | Core | Layout: Text and Fon | MatsPalmgren_bugz | RESO | FIXE | 2014-07-18 |
| 785753 | Global-buffer-overflow in nsCharTraits::length | Core | Networking | MatsPalmgren_bugz | RESO | FIXE | 2014-07-24 |
| 798691 | Heap-use-after-free in nsDisplayBoxShadowOuter::Paint | Core | Layout | MatsPalmgren_bugz | RESO | FIXE | 2018-08-29 |
| 798853 | Heap-use-after-free in gfxFont::GetFontEntry | Core | Graphics: Text | MatsPalmgren_bugz | RESO | FIXE | 2014-07-24 |
| 801330 | out-of-bounds-read in nsCodingStateMachine::NextState | Core | Internationalization | MatsPalmgren_bugz | RESO | FIXE | 2014-11-19 |
| 802902 | Heap-use-after-free in nsViewManager::ProcessPendingUpdates | Core | Layout | MatsPalmgren_bugz | RESO | FIXE | 2014-07-24 |
| 806483 | Heap-use-after-free (read) nsIFrame::GetStyleContext | Core | Layout | MatsPalmgren_bugz | RESO | FIXE | 2016-12-01 |
| 812893 | Heap-use-after-free in nsOverflowContinuationTracker::Finish, with -moz-columns | Core | Layout | MatsPalmgren_bugz | RESO | FIXE | 2016-12-01 |
| 814713 | Heap-use-after-free in TableBackgroundPainter::TableBackgroundData::Destroy | Core | Layout: Tables | MatsPalmgren_bugz | RESO | FIXE | 2016-12-01 |
| 815489 | OOB write relating to mozilla::gfx::AlphaBoxBlur::Blur | Core | Graphics | MatsPalmgren_bugz | RESO | FIXE | 2014-07-24 |
| 821126 | Heap-use-after-free in nsFrameList::InsertFrames | Core | Layout | MatsPalmgren_bugz | RESO | DUPL | 2014-11-19 |
| 821479 | Out-of-bounds read crash in PropertyProvider::GetSpacingInternal | Core | Layout: Text and Fon | MatsPalmgren_bugz | RESO | FIXE | 2014-11-19 |
| 827070 | Heap-buffer-overflow WRITE in nsSaveAsCharset::DoCharsetConversion | Core | Internationalization | MatsPalmgren_bugz | RESO | FIXE | 2014-07-16 |
| 850931 | Heap-use-after-free in nsFrameList::FirstChild | Core | Layout | MatsPalmgren_bugz | RESO | FIXE | 2014-07-24 |
| 898871 | ASAN heap-use-after-free in mozilla::layout::ScrollbarActivity | Core | Layout: Images, Vide | MatsPalmgren_bugz | RESO | FIXE | 2019-12-09 |
| 938341 | heap-use-after-free in libxul.so!nsEventListenerManager::HandleEventSubType | Core | DOM: UI Events & Foc | MatsPalmgren_bugz | RESO | FIXE | 2019-03-13 |
| 947158 | Use-after-poison in nsLineLayout::RelativePositionFrames | Core | Layout | MatsPalmgren_bugz | RESO | FIXE | 2015-10-16 |
| 964078 | global-buffer-overflow (read) at CJKIdeographicToText | Core | Layout | MatsPalmgren_bugz | RESO | FIXE | 2015-11-25 |
| 1105938 | Global-buffer-overflow in CSSParserImpl::ParseDeclaration | Core | CSS Parsing and Comp | MatsPalmgren_bugz | RESO | FIXE | 2016-06-04 |
| 1143299 | Heap-use-after-free in UnhookTextRunFromFrames | Core | Layout | MatsPalmgren_bugz | RESO | FIXE | 2016-12-01 |
| 1153478 | heap-use-after-free in SetBreaks | Core | Layout: Text and Fon | MatsPalmgren_bugz | RESO | FIXE | 2017-03-29 |
| 1161393 | heap-use-after-free in GetDocument | Core | Layout | MatsPalmgren_bugz | RESO | WORK | 2017-01-23 |
| 1239917 | Global-buffer-overflow in nsComputedDOMStyle::AppendGridLineNames | Core | CSS Parsing and Comp | MatsPalmgren_bugz | RESO | DUPL | 2016-02-22 |
| 775228 | use-after-free when loading html file on osx | Core | Graphics | matt.woodrow | RESO | FIXE | 2016-12-01 |
| 795899 | Heap-use-after-free in mozilla::layers::ContainerLayer::ComputeEffectiveTransformsForChildren | Core | Layout | matt.woodrow | RESO | FIXE | 2017-05-09 |
| 850672 | use-after-poison with tables, -moz-perspective and transform [@ OverflowChangedTracker::Flush] | Core | Layout | matt.woodrow | RESO | FIXE | 2014-07-16 |
| 750932 | ASAN: Test test_multipart_streamconv_missing_lead_boundary.js triggers error | Core | Networking | mcmanus | RESO | FIXE | 2014-11-19 |
| 777838 | use-after-free with columns, first-letter and first-line | Core | Layout: Text and Fon | miaubiz | RESO | DUPL | 2013-11-12 |
| 845125 | Mac: Crash when printing csptesting.herokuapp.com to PDF w/ heap-use-after-free | Core | Graphics | milaninbugzilla | RESO | FIXE | 2016-12-01 |
| 787717 | ASAN: Test netwerk/test/unit/test_permmgr.js triggers error | Core | Networking: Cookies | mounir | RESO | FIXE | 2012-11-07 |
| 851353 | compartment mismatch in nsXBLBinding::DoInitJSClass | Core | XBL | mrbkap | RESO | FIXE | 2014-11-19 |
| 916404 | Heap-use-after-free in nsContentUtils::ContentIsHostIncludingDescendantOf | Core | DOM: Core & HTML | mrbkap | RESO | FIXE | 2019-03-13 |
| 961517 | Heap-use-after-free in mozilla::gfx::(anonymous namespace)::PowCache::Pow | Core | Graphics | mstange.moz | RESO | DUPL | 2016-10-14 |
| 963086 | heap-use-after-free (read) at mozilla::PodCopy | Core | Graphics | mstange.moz | RESO | FIXE | 2015-02-25 |
| 828903 | UAF in xul!mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap | Core | Layout | mwobensmith | RESO | DUPL | 2014-10-24 |
| 906100 | Intermittent failures in tests that list sources, but don't call gc() after adding test globals | DevTools | Debugger | nfitzgerald | RESO | FIXE | 2018-06-13 |
| 833604 | UAF with transform and fixed position | Core | Layout: Block and In | nils | RESO | DUPL | 2014-07-16 |
| 949198 | ASan use-after-free [@ JSContext::runtime()] with TypedObject | Core | JavaScript Engine | nmatsakis | RESO | DUPL | 2016-10-11 |
| 718227 | Crash [@ js::ctypes::ConvertToJS] with test dom/ipc/tests/test_process_error.xul under Valgrind | Core | js-ctypes | nobody | RESO | INVA | 2012-01-15 |
| 724587 | svg files report out of bound reads with asan: | Core | SVG | nobody | RESO | DUPL | 2014-05-05 |
| 736585 | ASAN: nsCSSRendering::DrawTableBorderSegment | Core | Layout: Tables | nobody | RESO | WORK | 2017-10-26 |
| 737987 | ASAN: use-after-free during startup. | Core | XPConnect | nobody | RESO | INAC | 2018-05-24 |
| 745679 | Heap-use-after-free in indexedDB::IDBKeyRange::cycleCollection::Trace | Firefox | Untriaged | nobody | RESO | DUPL | 2012-05-18 |
| 750988 | ASAN: Several xpcshell tests in url-classifier triggers error | Core | XPConnect | nobody | RESO | DUPL | 2012-11-04 |
| 752316 | Heap-buffer-overflow in nsClipboard::GetData | Core | Widget: Gtk | nobody | RESO | INCO | 2012-07-12 |
| 757905 | segfault in DeadlockDetector from cubeb_alsa | Core | XPCOM | nobody | RESO | WORK | 2012-07-05 |
| 765161 | WebGL crash when empty string is passed to getUniformLocation, getAttribLocation or bindAttribLocation [@mozilla::WebGLProgram::MapIdentifier] (dupe) | Core | Graphics: CanvasWebG | nobody | RESO | DUPL | 2012-07-31 |
| 765585 | Heap-use-after-free in js::GCThingIsMarkedGray involving DOM events | Core | DOM: Events | nobody | RESO | INCO | 2016-06-04 |
| 765711 | Heap-use-after-free in nsFrameList::RemoveFirstChild | Core | Layout: Block and In | nobody | RESO | DUPL | 2014-05-05 |
| 766255 | Stack-buffer-overflow when doing XMLHttpRequest | Core | DOM: Core & HTML | nobody | RESO | WORK | 2019-03-13 |
| 784918 | Heap-use-after-free in nsHTMLMediaElement::CaptureStreamInternal | Core | Audio/Video | nobody | RESO | FIXE | 2016-12-01 |
| 787715 | ASAN: Crashtest content/xul/templates/src/crashtests/329335-1.xul triggers error | Core | XUL | nobody | RESO | WORK | 2017-10-26 |
| 790252 | out of bounds read in gfxTextRun::ShrinkToLigatureBoundaries | Core | Layout: Text and Fon | nobody | RESO | WORK | 2018-07-02 |
| 790502 | Heap-use-after-free in gfxSkipCharsIterator::SetOffsets | Core | Layout: Text and Fon | nobody | RESO | WORK | 2017-10-26 |
| 791534 | Heap-use-after-free in DocumentViewerImpl::SetBounds | Firefox | General | nobody | RESO | DUPL | 2014-05-05 |
| 791905 | Heap-use-after-free in Mesa, triggerable by resizing a WebGL canvas | Core | Graphics: CanvasWebG | nobody | RESO | FIXE | 2014-07-24 |
| 794139 | WebRTC crash [@definite_length_decoder] | Core | WebRTC: Signaling | nobody | RESO | DUPL | 2014-05-05 |
| 795750 | Heap-use-after-free in HttpBaseChannel::SetNotificationCallbacks | Core | Audio/Video | nobody | RESO | FIXE | 2014-07-24 |
| 798293 | ASan builds broken by WebRTC (error: visibility does not match previous declaration) | Core | WebRTC | nobody | RESO | DUPL | 2012-10-05 |
| 802599 | Assertion failure: false, at toolkit/components/places/AsyncFaviconHelpers.cpp:527 Crash [@ AsyncFetchAndSetIconForPage] or use-after-free across threads | Toolkit | Places | nobody | RESO | WORK | 2014-02-12 |
| 805279 | WebRTC crash [@webrtc::Trace::Add] | Core | WebRTC | nobody | RESO | FIXE | 2013-11-25 |
| 807891 | Out-of-bounds read in PropertyProvider::GetSpacingInternal | Core | Layout: Text and Fon | nobody | RESO | WORK | 2017-11-15 |
| 813435 | Heap-use-after-free in mozilla::MediaDecoderStateMachine::StopAudioThread | Core | Audio/Video | nobody | RESO | FIXE | 2016-12-01 |
| 824536 | Out of bound read in MOZ_PNG_combine_row | Core | Graphics: ImageLib | nobody | RESO | FIXE | 2016-06-04 |
| 833895 | UAF with backfaceVisibility='hidden' and position=fixed | Core | Layout | nobody | RESO | DUPL | 2013-05-12 |
| 850951 | Heap-use-after-free in imgStatusTracker::OnStopRequest | Core | Graphics: ImageLib | nobody | RESO | FIXE | 2014-07-16 |
| 851553 | Crash when deleting multiple profiles | Core | General | nobody | RESO | DUPL | 2015-02-13 |
| 854086 | WebVTT crash [@mozilla::dom::WebVTTLoadListener::ConvertNodeToCueTextContent] | Core | Audio/Video | nobody | RESO | WORK | 2013-09-30 |
| 864008 | ASan: conformance/textures/gl-teximage.html fails with "attempting to call malloc_usable_size() for pointer which is not owned" | Core | Graphics: ImageLib | nobody | RESO | FIXE | 2013-06-10 |
| 865921 | use-after-poison during launch while initializing NSS | NSS | Libraries | nobody | RESO | FIXE | 2013-05-02 |
| 883938 | ASAN heap-use-after-free in mozilla::StreamBuffer::FindTrack | Core | Web Audio | nobody | RESO | DUPL | 2013-08-27 |
| 888700 | heap-use-after-free at nsTArray_Impl::IndexOf | Core | DOM: Core & HTML | nobody | RESO | DUPL | 2019-03-13 |
| 899802 | Heap-use-after-free in Mesa swrast_dri.so, in test_webgl_conformance_test_suite.html | Core | Graphics: CanvasWebG | nobody | RESO | INCO | 2018-11-27 |
| 903450 | heap-buffer-overflow on startup | Core | General | nobody | RESO | WORK | 2013-08-28 |
| 931368 | ASAN "heap-buffer-overflow" in BufferUnrotate (out of bounds read) | Core | Graphics: Layers | nobody | RESO | INCO | 2016-06-04 |
| 960160 | AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned (content/media/test/test_playback_rate.html) | Core | Graphics: ImageLib | nobody | RESO | INVA | 2014-03-24 |
| 988380 | AddressSanitizer: heap-buffer-overflow via [@ GetImapHostName] | MailNews Core | Networking: IMAP | nobody | RESO | INCO | 2020-01-09 |
| 995636 | SEGV in in HasProperty | Core | CSS Parsing and Comp | nobody | RESO | DUPL | 2016-10-14 |
| 1018700 | AddressSanitizer: stack-buffer-overflow [@ JSScript::code] | Core | JavaScript Engine | nobody | RESO | WORK | 2017-11-15 |
| 1021928 | Intermittent use-after-free in IsClosed | Core | WebRTC: Signaling | nobody | RESO | WORK | 2015-08-07 |
| 1064519 | Intermittent AddressSanitizer: heap-use-after-free content/media/../../dist/include/nsAutoPtr.h:1017 in test_mediaDecoding.html | Core | Audio/Video | nobody | RESO | DUPL | 2015-08-07 |
| 1155060 | use-after-poison at StyleDisplay | Core | Layout: Floats | nobody | RESO | DUPL | 2023-05-22 |
| 1168276 | Intermittent browser_bug703210.js \| AddressSanitizer: SEGV on unknown address 0x000000000008 in js::ctypes::ConvertToJS | Core | js-ctypes | nobody | RESO | DUPL | 2015-06-25 |
| 1196400 | Mozilla Firefox Use-After-Free (ASAN included) | Core | Graphics | nobody | RESO | DUPL | 2016-11-02 |
| 821737 | Heap-use-after-free in nsThread::PutEvent | Core | Audio/Video | padenot | RESO | FIXE | 2016-12-01 |
| 846612 | Heap-buffer-overflow in soundtouch::TDStretchSSE::calcCrossCorr | Core | Audio/Video | padenot | RESO | FIXE | 2016-12-01 |
| 871577 | Stack buffer overflow in mozilla::AudioChannelsDownMix(nsTArray<void const*> const&, float**, unsigned int, unsigned int) | Core | Web Audio | padenot | RESO | DUPL | 2016-10-11 |
| 901265 | Out of bounds read due to misalignment in resampler_basic_direct_single | Core | Web Audio | padenot | RESO | WONT | 2017-05-19 |
| 1064117 | intermittent AddressSanitizer: heap-use-after-free content/media/../../dist/include/nsAutoPtr.h:1017 get | Core | WebRTC: Audio/Video | padenot | RESO | FIXE | 2020-02-28 |
| 762280 | use after free in js::gc::MapAllocToTraceKind | Core | DOM: Core & HTML | peterv | RESO | FIXE | 2019-03-13 |
| 876316 | Heap-use-after-free in GetPropertyDescriptorById | Core | DOM: Core & HTML | peterv | RESO | DUPL | 2019-03-13 |
| 883313 | ASAN heap-use-after-free in nsINode::GetParentNode | Core | DOM: Core & HTML | peterv | RESO | FIXE | 2014-11-19 |
| 914017 | Stack-buffer-overflow in txXPathNodeUtils::getBaseURI | Core | XSLT | peterv | RESO | FIXE | 2015-02-25 |
| 886842 | Add clang trunk builds for ASan | Release Engineering | General | rail | RESO | FIXE | 2018-05-08 |
| 772046 | ASan builds broken by WebRTC (Linker relocation error) | Core | WebRTC | respindola | RESO | FIXE | 2012-07-27 |
| 839338 | ASan alloc/dealloc mismatch in _M_create_nodes/_M_destroy_nodes | Core | MFBT | respindola | RESO | FIXE | 2013-04-17 |
| 792068 | WebRTC crash [@sctp_getopt] | Core | WebRTC: Signaling | rjesup | RESO | FIXE | 2013-04-18 |
| 774597 | Heap-use-after-free in MediaStreamGraphThreadRunnable::Run() | Core | Audio/Video | roc | RESO | FIXE | 2016-12-01 |
| 780534 | Heap-use-after-free in MediaStream::Init | Core | Audio/Video | roc | RESO | WORK | 2017-10-26 |
| 787831 | Heap-use-after-free in mozilla::TrackUnionStream::EndTrack | Core | Audio/Video | roc | RESO | FIXE | 2020-05-24 |
| 790854 | Invalid write [@ mozilla::MediaStream::Destroy] with mozCaptureStream, onloadedmetadata | Core | Audio/Video | roc | RESO | FIXE | 2013-01-16 |
| 816359 | Heap-use-after-free in nsFrameSelection::cycleCollection::TraverseImpl | Core | Layout | roc | RESO | FIXE | 2014-07-24 |
| 824453 | Heap-use-after-free in mozilla::MediaStreamGraphImpl::FinishStream | Core | Audio/Video | roc | RESO | WORK | 2017-10-26 |
| 824971 | Heap-use-after-free in mozilla::MediaInputPort::Disconnect |
|
Core
|
Audio/Video
|
roc
|
RESO
|
WORK
|
2017-10-26
|
830138
|
|
Heap-use-after-free in nsFrameSelection::cycleCollection::TraverseImpl
|
Core
|
Layout
|
roc
|
RESO
|
DUPL
|
2014-07-16
|
830192
|
|
Out of bounds read in nsCellMap::GetRowSpanForNewCell
|
Core
|
Layout: Tables
|
roc
|
RESO
|
FIXE
|
2014-07-24
|
876092
|
|
out of bounds stack read in mozilla::DisplayItemClip::IntersectWith
|
Core
|
Layout
|
roc
|
RESO
|
FIXE
|
2014-07-18
|
876221
|
|
ASAN stack-buffer-overflow in mozilla::DisplayItemClip::IntersectWith
|
Core
|
Layout
|
roc
|
RESO
|
FIXE
|
2014-11-03
|
794025
|
|
AddressSanitizer heap-use-after-free in [@ js::mjit::CallCompiler::generateNativeStub]
|
Core
|
JavaScript Engine
|
sean.stangl
|
RESO
|
FIXE
|
2020-02-28
|
771961
|
|
Heap-use-after-free in nsEditor::RemoveContainer
|
Core
|
DOM: Editor
|
smaug
|
RESO
|
FIXE
|
2016-12-01
|
787704
|
|
use-after-free in nsIContent::GetNameSpaceID
|
Core
|
XUL
|
smaug
|
RESO
|
FIXE
|
2019-01-16
|
790856
|
|
Window resize accessed a dangling DocumentViewerImpl
|
Core
|
DOM: Navigation
|
smaug
|
RESO
|
FIXE
|
2013-01-10
|
798677
|
|
Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent
|
Core
|
DOM: Editor
|
smaug
|
RESO
|
FIXE
|
2014-07-24
|
821991
|
|
[FIX] Heap-use-after-free in nsPrintEngine::CommonPrint
|
Core
|
Printing: Setup
|
smaug
|
RESO
|
FIXE
|
2017-05-09
|
865076
|
|
Heap-use-after-free in nsAttrAndChildArray::GetAttr
|
Core
|
DOM: Core & HTML
|
smaug
|
RESO
|
FIXE
|
2019-03-13
|
906301
|
|
Memory corruption in nsGfxScrollFrameInner::IsLTR()
|
Core
|
DOM: Core & HTML
|
smaug
|
RESO
|
FIXE
|
2019-03-13
|
915210
|
|
ASAN heap-use-after-free in nsIPresShell::GetPresContext() with canvas, onresize and mozTextStyle
|
Core
|
Graphics: Canvas2D
|
smaug
|
RESO
|
FIXE
|
2015-02-25
|
916576
|
|
[FIX] ASAN use-after-free in nsIOService::NewChannelFromURIWithProxyFlags with Blob URL
|
Core
|
DOM: Core & HTML
|
smaug
|
RESO
|
FIXE
|
2019-03-13
|
916685
|
|
ASAN use-after free in GC allocation in nsEventListenerManager::SetEventHandler
|
Core
|
DOM: Events
|
smaug
|
RESO
|
FIXE
|
2015-02-25
|
918864
|
|
[FIX] Heap-use-after-free in nsDocLoader::doStopDocumentLoad()
|
Core
|
DOM: Core & HTML
|
smaug
|
RESO
|
FIXE
|
2019-03-13
|
926361
|
|
ASAN use-after-free in nsNodeUtils::LastRelease on anonymous node from ShowInlineTableEditingUI
|
Core
|
DOM: Editor
|
smaug
|
RESO
|
FIXE
|
2015-02-25
|
767765
|
|
Heap-use-after-free BuildTextRunsScanner::BreakSink::SetBreaks
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2016-12-01
|
815477
|
|
Heap-use-after-free in mozilla::WalkAncestorsResetAutoDirection
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2013-11-26
|
815500
|
|
Heap-use-after-free in mozilla::RecomputeDirectionality
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2014-07-24
|
816253
|
|
Heap-use-after-free in nsINode::GetBoolFlag
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2014-07-24
|
818454
|
|
Out of Bounds Read in SelectionIterator::GetNextSegment
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2014-11-20
|
819014
|
|
Use-after-free in nsINode::GetBoolFlag
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2014-07-24
|
826163
|
|
Out-of-bound read in gfxSkipCharsIterator::SetOffsets
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2013-11-26
|
827190
|
|
Heap-use-after-free in mozilla::ResetDir
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2014-07-24
|
830098
|
|
Heap-use-after-free in mozilla::WalkAncestorsResetAutoDirection
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2013-11-26
|
831287
|
|
Heap-use-after-free in mozilla::WalkAncestorsResetAutoDirection
|
Core
|
Layout
|
smontagu
|
RESO
|
FIXE
|
2014-07-24
|
832644
|
|
Heap-use-after-free in mozilla::ResetDir
|
Core
|
Layout
|
smontagu
|
RESO
|
FIXE
|
2013-11-26
|
838489
|
|
Remaining dir=auto use after frees
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2014-07-24
|
845093
|
|
Remaining dir=auto use after frees: the sequel
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2014-07-24
|
849727
|
|
Heap-use-after-free in mozilla::ResetDir
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2016-12-01
|
849732
|
|
Heap-use-after-free in mozilla::WalkAncestorsResetAutoDirection
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2016-12-01
|
859014
|
|
Remaining dir=auto issues (1): Heap-use-after-free in mozilla::ResetDir
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2014-07-24
|
859016
|
|
Remaining dir=auto issues (2): Heap-use-after-free in mozilla::WalkAncestorsResetAutoDirection
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2014-07-24
|
876155
|
|
Heap-use-after-free in mozilla::ResetDir
|
Core
|
Layout: Text and Fon
|
smontagu
|
RESO
|
FIXE
|
2016-12-01
|
1120655
|
|
Make the analysis detect compartment iterator invalidation
|
Core
|
JavaScript: GC
|
sphink
|
RESO
|
FIXE
|
2016-07-02
|
874486
|
|
ASAN: Crashtest layout/xul/tree/crashtests/409807-1.xul triggers error
|
Core
|
XUL
|
spohl.mozilla.bugs
|
RESO
|
FIXE
|
2014-05-05
|
827426
|
|
ASan: Out-of-bounds read [@ LossyConvertEncoding8to16::write_sse2] with test_undoManager.html
|
Core
|
DOM: Core & HTML
|
william
|
RESO
|
FIXE
|
2013-11-25
|
1135534
|
|
Heap-use-after-free in UnlockEnumerator
|
Core
|
CSS Parsing and Comp
|
xidorn+moz
|
RESO
|
FIXE
|
2017-03-29
|
1141919
|
|
Heap-use-after-free in UnhookTextRunFromFrames
|
Core
|
Layout: Text and Fon
|
xidorn+moz
|
RESO
|
FIXE
|
2017-03-29
|
1143535
|
|
Stack-buffer-overflow in nsCSSFrameConstructor::InterpretRubyWhitespace
|
Core
|
Layout
|
xidorn+moz
|
RESO
|
FIXE
|
2017-03-29
|
792811
|
|
Crash in ASan-ized unit tests in ssl_ConfigSecureServer
|
Core
|
WebRTC: Networking
|
ekr
|
VERI
|
FIXE
|
2013-04-18
|
828147
|
|
WebRTC use-after-free crash [@nr_ice_candidate_pair_set_state]
|
Core
|
WebRTC: Networking
|
jib
|
VERI
|
FIXE
|
2013-11-25
|
771873
|
|
Heap-use-after-free in RangeData::~RangeData
|
Core
|
DOM: Selection
|
ayg
|
VERI
|
FIXE
|
2016-12-01
|
771994
|
|
Heap-use-after-free in nsRangeUpdater::SelAdjDeleteNode
|
Core
|
DOM: Editor
|
ayg
|
VERI
|
FIXE
|
2016-12-01
|
778428
|
|
Heap-use-after-free in nsHTMLEditor::CollapseAdjacentTextNodes
|
Core
|
DOM: Editor
|
ayg
|
VERI
|
FIXE
|
2016-12-01
|
861841
|
|
Assertion failure: !done(), at ../jsscript.h:1045 or Use-after-free [@ js::BindingIter::operator->()] or Crash [@ getSlotAddressUnchecked]
|
Core
|
JavaScript Engine
|
bhackett1024
|
VERI
|
FIXE
|
2014-05-05
|
882897
|
|
ASAN use-after-free in JS_GetGlobalForScopeChain
|
Core
|
DOM: Core & HTML
|
bholley
|
VERI
|
FIXE
|
2019-03-13
|
720103
|
|
ASAN: heap-use-after-free READ of size 8 at nsSMILTimeValueSpec::ConvertBetweenTimeContainers
|
Core
|
SVG
|
brian
|
VERI
|
FIXE
|
2017-05-09
|
928798
|
|
Heap-buffer-overflow in nsSVGTextFrame2::ResolvePositions
|
Core
|
SVG
|
cam
|
VERI
|
FIXE
|
2015-02-25
|
1046534
|
|
Heap-use-after-free in mozilla::css::SheetLoadData::ScheduleLoadEventIfNeeded
|
Core
|
CSS Parsing and Comp
|
cam
|
VERI
|
FIXE
|
2015-05-07
|
728674
|
|
Use-after-free [@ js::mjit::Compiler::bytecodeInChunk]
|
Core
|
JavaScript Engine
|
choller
|
VERI
|
FIXE
|
2017-05-09
|
749860
|
|
Heap-use-after-free in nsBorderColors
|
Core
|
CSS Parsing and Comp
|
dbaron
|
VERI
|
FIXE
|
2017-05-09
|
765218
|
|
Out of bounds read in ElementAnimations::EnsureStyleRuleFor
|
Core
|
CSS Parsing and Comp
|
dbaron
|
VERI
|
FIXE
|
2012-07-20
|
734288
|
|
ASAN: Heap-buffer-overflow WRITE of size 1 at nsSVGFEDiffuseLightingElement::LightPixel
|
Core
|
SVG
|
dholbert
|
VERI
|
FIXE
|
2014-06-27
|
760996
|
|
Heap-use-after-free in nsTArray_base<nsTArrayDefaultAllocator>::Length()
|
Core
|
SVG
|
dholbert
|
VERI
|
FIXE
|
2016-12-01
|
786111
|
|
Heap-use-after-free in nsSMILAnimationController::DoSample
|
Core
|
SVG
|
dholbert
|
VERI
|
FIXE
|
2016-12-01
|
1000185
|
|
ASAN heap-use-after-free in RefreshDriverTimer::TickDriver
|
Core
|
SVG
|
dholbert
|
VERI
|
FIXE
|
2015-08-30
|
951354
|
|
ASan: Crash with heap-use-after-free when running xpcshell test getHSTSPreloadList.js
|
Core
|
Security: PSM
|
dkeeler
|
VERI
|
FIXE
|
2015-02-25
|
1224100
|
|
"Conditional jump or move depends on uninitialised value(s)" at imgFrame::Optimize
|
Core
|
Graphics: ImageLib
|
edwin.bugs
|
VERI
|
FIXE
|
2016-07-02
|
750146
|
|
Heap-use-after-free in RestoreSelectionState::Run
|
Core
|
DOM: Core & HTML
|
ehsan.akhgari
|
VERI
|
FIXE
|
2017-05-09
|
874952
|
|
Heap-buffer-overflow in nsTArray_Impl<mozilla::AudioChunk, nsTArrayInfallibleAllocator>::ElementAt
|
Core
|
Web Audio
|
ehsan.akhgari
|
VERI
|
FIXE
|
2014-07-24
|
750327
|
|
Opus crash invalid write [@quant_band]
|
Core
|
Audio/Video
|
giles
|
VERI
|
FIXE
|
2012-09-23
|
957452
|
|
MediaRecorder: use-after-free crash [@mozilla::dom::MediaRecorder::Session::GetEncodedData]
|
Core
|
Audio/Video: Recordi
|
globelinmoz
|
VERI
|
FIXE
|
2015-08-30
|
937582
|
|
nsPrefetchNode use-after-free
|
Core
|
Networking
|
honzab.moz
|
VERI
|
FIXE
|
2015-02-25
|
886266
|
|
Stack out-of-bounds read [@ js::ion::IonFrameIterator::prevType]
|
Core
|
JavaScript Engine
|
hv1989
|
VERI
|
FIXE
|
2014-05-05
|
765179
|
|
WebGL crash when empty string is passed to getUniformLocation, getAttribLocation or bindAttribLocation [@mozilla::WebGLProgram::MapIdentifier]
|
Core
|
Graphics: CanvasWebG
|
jacob.benoit.1
|
VERI
|
FIXE
|
2012-07-20
|
777028
|
|
stack scribbling with 4-byte values choosable among a few values, when using more than 16 sampler uniforms, on Mesa, with all drivers
|
Core
|
Graphics: CanvasWebG
|
jacob.benoit.1
|
VERI
|
FIXE
|
2019-12-27
|
785734
|
|
Mesa crashes on certain texImage2D calls involving level>0
|
Core
|
Graphics: CanvasWebG
|
jacob.benoit.1
|
VERI
|
FIXE
|
2014-07-24
|
752176
|
|
out-of-bounds read at nsFontVariantTextRunFactory::RebuildTextRun
|
Core
|
Layout: Text and Fon
|
jfkthame
|
VERI
|
FIXE
|
2012-09-23
|
752662
|
|
Graphite 2 use-after-free crash
|
Core
|
Graphics
|
jfkthame
|
VERI
|
FIXE
|
2016-12-01
|
753230
|
|
Graphite 2 crash [@graphite2::Silf::readClassMap]
|
Core
|
Graphics
|
jfkthame
|
VERI
|
FIXE
|
2012-10-25
|
753623
|
|
Graphite 2 crash [@graphite2::Pass::readPass]
|
Core
|
Graphics
|
jfkthame
|
VERI
|
FIXE
|
2012-10-25
|
769303
|
|
Heap-use-after-free in gfxTextRun::CanBreakLineBefore
|
Core
|
Layout: Text and Fon
|
jfkthame
|
VERI
|
FIXE
|
2016-12-01
|
758200
|
|
ASAN: Heap-buffer-overflow at image::RasterImage::DrawFrameTo
|
Core
|
Graphics: ImageLib
|
joe
|
VERI
|
FIXE
|
2014-07-02
|
789046
|
|
gif with wrong block length crashes asan
|
Core
|
Graphics: ImageLib
|
joe
|
VERI
|
FIXE
|
2016-08-15
|
748365
|
|
READ near NULL while parsing XPath in a XSLT style-sheet
|
Core
|
XSLT
|
john
|
VERI
|
FIXE
|
2012-10-25
|
779025
|
|
jit-test/tests/collections/Map-iterator-add-remove.js causes AddressSanitizer heap-use-after-free
|
Core
|
JavaScript Engine
|
jorendorff
|
VERI
|
FIXE
|
2020-02-28
|
759802
|
|
Null-pointer execution/null out of bounds write at libjpeg/jdmarker.c
|
Core
|
Graphics
|
justin.lebar+bug
|
VERI
|
FIXE
|
2014-07-02
|
782141
|
|
Heap-buffer-overflow in nsSVGFEMorphologyElement::Filter
|
Core
|
SVG
|
jwatt
|
VERI
|
FIXE
|
2016-12-01
|
738985
|
|
heap-use-after-free at mozilla::dom::indexedDB::IDBKeyRange::cycleCollection::Trace
|
Core
|
Storage: IndexedDB
|
khuey
|
VERI
|
FIXE
|
2017-05-09
|
835814
|
|
Heap-use-after-free in nsAsyncDOMEvent::Run
|
Core
|
DOM: Core & HTML
|
khuey
|
VERI
|
FIXE
|
2019-03-13
|
936327
|
|
Heap-use-after-free in mozilla::dom::workers::WorkerPrivate::RunExpiredTimeouts
|
Core
|
DOM: Workers
|
khuey
|
VERI
|
FIXE
|
2014-07-24
|
785967
|
|
Heap-buffer-overflow in nsWaveReader::DecodeAudioData
|
Core
|
Audio/Video
|
kinetik
|
VERI
|
FIXE
|
2016-12-01
|
812161
|
|
Out of bounds read in nsSVGPathElement::GetPathLengthScale
|
Core
|
SVG
|
longsonr
|
VERI
|
FIXE
|
2014-07-24
|
747688
|
|
Heap-use-after-free in nsFrameList::FirstChild
|
Core
|
Layout
|
MatsPalmgren_bugz
|
VERI
|
FIXE
|
2016-12-01
|
750066
|
|
Out of bounds read in nsHTMLReflowState::CalculateHypotheticalBox, with nested multi-column, relative position, and absolute position
|
Core
|
Layout: Block and In
|
MatsPalmgren_bugz
|
VERI
|
FIXE
|
2014-06-27
|
756241
|
|
Heap-use-after-free READ 8 in gfxTextRun::GetUserData
|
Core
|
Layout: Text and Fon
|
MatsPalmgren_bugz
|
VERI
|
FIXE
|
2016-12-01
|
769120
|
|
Bad iterator in text runs
|
Core
|
Layout: Text and Fon
|
MatsPalmgren_bugz
|
VERI
|
FIXE
|
2014-07-24
|
871099
|
|
Heap-use-after-free in nsIDocument::GetRootElement
|
Core
|
DOM: Core & HTML
|
MatsPalmgren_bugz
|
VERI
|
FIXE
|
2019-03-13
|
969756
|
|
Heap-buffer-overflow in AppendValueToString
|
Core
|
CSS Parsing and Comp
|
MatsPalmgren_bugz
|
VERI
|
FIXE
|
2015-02-25
|
840480
|
|
use-after-poison in nsIFrame::Properties()
|
Core
|
Layout
|
matt.woodrow
|
VERI
|
FIXE
|
2014-07-18
|
914966
|
|
Heap-buffer-overflow in nsPNGEncoder::ConvertHostARGBRow
|
Core
|
Graphics: ImageLib
|
milaninbugzilla
|
VERI
|
FIXE
|
2015-02-25
|
888728
|
|
Out of bounds read-2 in BuildTextRunsScanner::ScanFrame
|
Core
|
Layout: Text and Fon
|
mrbkap
|
VERI
|
DUPL
|
2013-11-25
|
944579
|
|
heap-buffer-overflow in mozilla::gfx::FilterProcessing::ApplyMorphologyHorizontal_SSE2
|
Core
|
Graphics
|
mstange.moz
|
VERI
|
FIXE
|
2016-12-01
|
746577
|
|
ASAN: Opus crash [@nsNativeAudioStream::Write]
|
Core
|
Audio/Video
|
nobody
|
VERI
|
FIXE
|
2012-06-14
|
760664
|
|
Opus crash illegal instruction [@ec_dec_normalize]
|
Core
|
Audio/Video
|
nobody
|
VERI
|
FIXE
|
2016-06-04
|
760754
|
|
Opus crash illegal instruction [@bits2pulses]
|
Core
|
Audio/Video
|
nobody
|
VERI
|
FIXE
|
2016-06-04
|
760814
|
|
Opus crash illegal instruction [@ncwrs_urow]
|
Core
|
Audio/Video
|
nobody
|
VERI
|
FIXE
|
2016-06-04
|
760846
|
|
Opus crash illegal instruction [@ec_decode]
|
Core
|
Audio/Video
|
nobody
|
VERI
|
FIXE
|
2016-06-04
|
795165
|
|
Assertion failure: (ptrBits & 0x7) == 0, at ../../jsval.h:708 or Crash [@ js::ParallelArrayObject::toStringBufferImpl]
|
Core
|
JavaScript Engine
|
shu
|
VERI
|
FIXE
|
2013-01-10
|
750109
|
|
Use-after-free in nsINode::ReplaceOrInsertBefore
|
Core
|
DOM: Core & HTML
|
smaug
|
VERI
|
FIXE
|
2019-03-13
|
765139
|
|
Heap-use-after-free in nsDocument::AdoptNode
|
Core
|
DOM: Core & HTML
|
smaug
|
VERI
|
FIXE
|
2019-03-13
|
787493
|
|
Crash with ASSERTION: insPos too small
|
Core
|
DOM: Core & HTML
|
smaug
|
VERI
|
FIXE
|
2014-07-24
|
987140
|
|
ASAN heap-use-after-free in nsGenericHTMLElement::GetWidthHeightForImage
|
Core
|
DOM: Core & HTML
|
smaug
|
VERI
|
FIXE
|
2015-08-30
|
819623
|
|
Heap-use-after-free in mozilla::WalkDescendantsSetDirectionFromText
|
Core
|
Layout: Text and Fon
|
smontagu
|
VERI
|
FIXE
|
2014-07-24
|
824719
|
|
Heap-use-after-free in nsINode::GetBoolFlag
|
Core
|
Layout: Text and Fon
|
smontagu
|
VERI
|
FIXE
|
2013-11-25
|
989994
|
|
out of bounds read in PropertyProvider::FindJustificationRange
|
Core
|
Layout: Text and Fon
|
smontagu
|
VERI
|
FIXE
|
2018-07-02
|
750231
|
|
Opus crash illegal instruction [@quant_band]
|
Core
|
Audio/Video
|
tterribe
|
VERI
|
FIXE
|
2012-06-21
|
746855
|
|
[ASan] READ heap-buffer-overflow in format-number()
|
Core
|
XSLT
|
william
|
VERI
|
FIXE
|
2012-10-10
|
888820
|
|
Heap-buffer-overflow READ in nsHtml5TreeBuilder::resetTheInsertionMode()
|
Core
|
DOM: HTML Parser
|
william
|
VERI
|
FIXE
|
2014-11-19
|