[tor-bugs] #16495 [Tor Browser]: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 7 17:48:37 UTC 2015


#16495: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
------------------------------+--------------------------------------------
     Reporter:  gk            |      Owner:  tbb-team
         Type:  defect        |     Status:  new
     Priority:  critical      |  Milestone:
    Component:  Tor Browser   |    Version:
   Resolution:                |   Keywords:  tbb-crash, tbb-5.0a, TorBrowserTeam201507
Actual Points:                |  Parent ID:
       Points:                |
------------------------------+--------------------------------------------

Comment (by mcs):

 We found the cause of the crash.  The nsIContent::DoGetClasses()
 implementation uses static_cast to obtain an nsSVGElement pointer, but if
 SVG is disabled the object is a regular XML element... so the cast results
 in bad news.  The code is here:
 http://mxr.mozilla.org/mozilla-esr38/source/dom/base/Element.cpp#155

 Kathy and I are working on a fix.  We are also looking for other places
 where similar casts are used.  Our current thinking is that we will change
 IsSVG() to return false if SVG is disabled.  It would be better to avoid
 the cast entirely, but we do not see an easy way to do so (if someone were
 to change the svg.in-content.enabled pref. during page load, there is a
 chance that the code mentioned above will go down the wrong path even
 after we put a fix in place).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16495#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
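
Added example, not part of the ticket comment and not Gecko or Tor Browser code: a simplified model of the mismatch described above, where the guard in front of a static_cast and the object's concrete type can disagree. All names (Element, SvgElement, gSvgEnabled, createElement, asSvg and the two guards) are hypothetical, and the pref-aware guard is only an assumed shape of the planned IsSVG() change; the kind tag goes beyond the comment to show a check that stays valid if the pref flips after a node is created.

```cpp
#include <memory>
#include <string>
#include <utility>

// Hypothetical, simplified model; none of these names are Gecko's.
static bool gSvgEnabled = true;  // stands in for svg.in-content.enabled

struct Element {
  enum class Kind { PlainXml, Svg };
  std::string ns;
  Kind kind;  // concrete type, fixed once at construction
  explicit Element(std::string n, Kind k = Kind::PlainXml)
      : ns(std::move(n)), kind(k) {}
  virtual ~Element() = default;
};

struct SvgElement : Element {
  std::string animatedClass = "svg-animated";  // field a plain element lacks
  explicit SvgElement(std::string n) : Element(std::move(n), Kind::Svg) {}
};

// The factory reads the pref once, when the node is created.
std::unique_ptr<Element> createElement(const std::string& ns) {
  if (ns == "svg" && gSvgEnabled) return std::make_unique<SvgElement>(ns);
  return std::make_unique<Element>(ns);
}

// Guard keyed on the namespace only (the mismatch described in the comment).
bool isSvgByNamespace(const Element& e) { return e.ns == "svg"; }
// Guard that also reads the pref at call time (assumed shape of the fix).
bool isSvgByNamespaceAndPref(const Element& e) {
  return e.ns == "svg" && gSvgEnabled;
}
// Checked downcast: keyed on what the object is, not on namespace or pref.
const SvgElement* asSvg(const Element& e) {
  if (e.kind != Element::Kind::Svg) return nullptr;
  return static_cast<const SvgElement*>(&e);
}
// True when a guard answers "SVG" for an object that is not an SvgElement,
// i.e. when a static_cast behind that guard would be invalid.
bool wouldMiscast(bool (*guard)(const Element&), const Element& e) {
  return guard(e) && asSvg(e) == nullptr;
}

std::string getClasses(const Element& e) {
  if (const SvgElement* svg = asSvg(e)) return svg->animatedClass;
  return "plain-class";
}
```

In this model the pref-aware guard is consistent while the pref stays off, and disagrees with the object only when the pref is turned on after the node was created as a plain element.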

