Sec-Affects B2G 2.2

Wed Apr 24 2024 13:34:49 PDT
  • Resolution: FIXED
  • Classification: Client Software, Components
  • Keywords: sec-critical, sec-high, sec-moderate, sec-other
  • Group: core-security
  • Whiteboard: [b2g-adv-main2.2
  • status-b2g-v2.2: affected, verified, fixed

255 bugs found.
ID Product Comp Status Summary status-firefox37 status-b2g-v2.2 status-b2g-v2.1 Whiteboard Keywords
1172397 Core WebRTC: Audio/Video RESO Replaying a HTMLMediaElement streamed over a PeerConnecti... --- fixed fixed [adv-main39+][adv-esr38.1+] sec-moderate
1092025 Core Audio/Video RESO Potential UAF in MediaSourceReader::ReadMetadata() mAudio... fixed fixed unaffected [b2g-adv-main2.2-] csectype-uaf, sec-high
1036399 Core DOM: Security RESO Multiple CSP policies should be combined towards an inter... --- fixed fixed [b2g-adv-main2.2-][post-critsmash-triage] sec-moderate
1185033 NSS Libraries RESO ASan: use-after-poison in PK11_ImportDERPrivateKeyInfoAnd... --- affected wontfix [post-critsmash-triage][b2g-adv-main2.5?][adv-main45+][adv-esr38.8+] csectype-uaf, sec-high
1141749 Core WebRTC: Signaling RESO Prevent SSRC collisions in local tracks fixed fixed unaffected [post-critsmash-triage] sec-high
1089207 Core WebRTC: Signaling RESO sipcc SDP parser can corrupt memory --- fixed fixed [adv-main34+][adv-esr31.3+] csectype-bounds, sec-high
1233346 Core WebRTC: Networking RESO Potential buffer overrun in Windows ICE interface name code --- affected wontfix [post-critsmash-triage][adv-main44+][adv-esr38.6+] csectype-bounds, sec-high
1123492 Core Audio/Video RESO TrackBuffer::ResetDecode() reads mDecoders array on decod... fixed fixed unaffected csectype-uaf, sec-high
1086145 NSS Libraries RESO NSS incorrectly permits skipping of ServerKeyExchange wontfix fixed fixed [adv-main39+][adv-esr38.1+][adv-esr31.8+][b2g-adv-main2.2+] sec-moderate
1219339 Core WebRTC: Audio/Video RESO Race condition in GetStaticInstance can cause use after free --- affected wontfix [adv-main45+][post-critsmash-triage] csectype-race, sec-high
1130150 Core WebRTC: Audio/Video RESO AudioGUM thread can access freed SourceMediaStream under ... fixed fixed fixed [adv-main37+] csectype-uaf, regression, sec-high
1234571 Core WebRTC RESO UAF in MutexAutoLock::MutexAutoLock on frame-encoded call... --- affected wontfix [post-critsmash-triage][adv-main44+][adv-esr38.6+] crash, csectype-uaf, sec-critical
1190248 NSS Libraries RESO mp_div and mp_exptmod sometimes produce wrong calculation... --- affected wontfix [post-critsmash-triage][b2g-adv-main2.5?][adv-main44+][adv-esr38.8+] see comment 27 for severity sec-high
1125025 NSS Libraries RESO ECC correctness issues wontfix fixed fixed [adv-main39+][adv-esr31.8+][adv-esr38.1+] sec-moderate
1090142 Core DOM: Workers RESO Use After Free in WebSocketChannelChild::Release() --- fixed unaffected [reporter-external] csectype-uaf, regression, sec-critical
1091962 Core DOM: Workers RESO Use After Free in EndForcedQueueing fixed fixed unaffected [b2g-adv-main2.2-] csectype-uaf, regression, sec-critical
1105194 Core DOM: Workers RESO Use After Free in DispatchPrivate() fixed fixed unaffected [reporter-external][b2g-adv-main2.2-] csectype-uaf, sec-high
1111971 Core DOM: Workers RESO Use After Free in WebSocketChannel::BeginOpen() fixed fixed unaffected [b2g-adv-main2.2-] csectype-uaf, regression, sec-critical
1112307 Core DOM: Core & HTML RESO WebSockets + e10s + workers use a non thread-safe Channel... fixed fixed unaffected sec-high
1123021 Core DOM: Workers RESO Use After Free in WebSocketChannelChild::OnStart() fixed fixed unaffected csectype-uaf, sec-critical
1166900 Core Networking: JAR RESO Memory safety bug due to bad test in nsZipArchive.cpp --- fixed fixed [adv-main39+][adv-esr38.1+][adv-esr31.8+] csectype-bounds, sec-high
1166924 Core DOM: Workers RESO Use After Free in CanonicalizeXPCOMParticipant --- fixed fixed [asan][adv-main39+][adv-esr38.1+][adv-esr31.8+] csectype-uaf, sec-critical
1167888 Core Networking: JAR RESO nsZipArchive::BuildFileList has memory-safety bug --- fixed fixed [adv-main39+][adv-esr38.1+][adv-esr31.8+] csectype-intoverflow, regression, sec-high
1169867 Core DOM: Workers RESO Use After Free in CanonicalizeXPCOMParticipant() with ded... --- fixed fixed [adv-main39+][adv-esr38.1+][adv-esr31.8+][b2g-adv-main2.2+] csectype-uaf, sec-critical
1170809 Core DOM: Core & HTML RESO Overflow in nsXMLHttpRequest::AppendToResponseText causes... --- fixed fixed [adv-main39+][adv-esr38.1+][adv-esr31.8+] csectype-intoverflow, sec-critical
1172055 Core DOM: Core & HTML RESO Overflow in nsAttrAndChildArray::GrowBy causes memory-saf... --- fixed wontfix [post-critsmash-triage][adv-main41+][adv-esr38.3+] csectype-intoverflow, sec-moderate
1185820 Core DOM: Workers RESO Use After Free in XMLHttpRequest::Open() --- fixed wontfix [adv-main40+][adv-esr38.2+] csectype-uaf, sec-high
1155985 Core js-ctypes RESO EXC_BAD_ACCESS in js`JS_GetClass(JSObject*) [inlined] JSO... --- fixed fixed [adv-main39+] sec-moderate
1132468 Core Graphics: Color Mana RESO [qcms] heap info leak fixed fixed wontfix [adv-main37+] sec-moderate
1210413 Core DOM: Security RESO anonymous CORS sends cookies to cross-origin redirects in... --- affected affected [b2g-adv-main2.5?] sec-high
1081703 Core Storage: IndexedDB RESO crash in mozilla::dom::indexedDB::BackgroundCursorChild::... --- fixed unaffected [2.2-Daily-Testing] crash, csectype-uaf, regression, sec-critical
1122750 Core DOM: Core & HTML RESO Crash [@ mozilla::detail::AtomicBaseIncDec<int, (mozilla:... fixed fixed unaffected [b2g-crash][caf-crash 442][caf priority: p1][CR 782853][adv-main36-] crash, regression, sec-high
1163109 Core DOM: Core & HTML RESO Inline JPEG images fail to load --- fixed fixed [pdfjs-c-ff-integration][adv-main39+][adv-esr38.1+][adv-esr31.8+] csectype-priv-escalation, regression, sec-high
1061600 Core JavaScript Engine RESO Assertion failure: [infer failure] Missing type in object... --- fixed fixed [jsbugmon:][adv-main33+][adv-esr31.2+][b2g-adv-main2.2-] assertion, regression, sec-critical, testcase
1084280 Core JavaScript Engine RESO Regexp freeze --- fixed fixed Fx 32-35 requires non-default pref to be vulnerable regression, sec-critical, testcase
1096026 Core JavaScript Engine RESO Assertion failure: !isInside(*pSlotsElems), at gc/Nursery... --- fixed unaffected [jsbugmon:update,ignore][adv-main34+][b2g-adv-main2.2-] assertion, regression, sec-high, testcase
1124018 Core JavaScript: GC RESO Intermittent test_file_resurrection_delete.html | applica... fixed fixed fixed [adv-main36+][adv-esr31.5+][post-critsmash-triage] crash, intermittent-failure, sec-moderate
1125389 Core JavaScript Engine RESO ChangeObjectFixedSlotCount can make a non-extensible obje... fixed fixed unaffected [adv-main36+]sec-high for Caja regression, sec-moderate
1138199 Core JavaScript: GC RESO Crash [@ js::ConstraintTypeSet::sweep] or Assertion failu... fixed fixed fixed [jsbugmon:][adv-main37+][adv-esr31.6+][post-critsmash-triage] assertion, crash, regression, sec-high, testcase
984467 Core DOM: Core & HTML RESO Should nsGlobalWindow::CallerInnerWindow distinguish betw... --- fixed fixed [adv-main35-][b2g-adv-main2.2-] sec-moderate
1092388 Core DOM: Core & HTML RESO nsGlobalWindow::SecurityCheckURL can allow content to loa... --- fixed fixed [adv-main35-][adv-esr31.4-][embargo until bug 1110614 fixed] csectype-priv-escalation, regression, sec-high
1124898 Core DOM: Core & HTML RESO Privileged Window.webidl stuff is exposed based on the do... fixed fixed wontfix [adv-main37+] Embargo until fixed on ESR31? sec-high, sec-moderate
1125483 Core XPConnect RESO Arbitrary code execution using bug 1120261 and bug 1110614 --- --- fixed [b2g-adv-main2.2-] sec-high, verifyme
1164567 Core Security: CAPS RESO Various consumers in the tree use nsIPrincipal off-main-t... --- fixed fixed [adv-main39+][adv-esr31.8+][adv-esr38.1+] csectype-race, sec-high
1182723 Core XPCOM RESO Self-assignment in nsTArray_Impl causes memory-safety bug --- fixed fixed [post-critsmash-triage][adv-main40+][adv-esr38.2+] csectype-uaf, sec-high
1087801 Core DOM: Core & HTML RESO Some properties of the CSS object are not safe in a sandbox --- fixed fixed [adv-main34-] regression, sec-moderate
1127206 Core DOM: Core & HTML RESO Crash when using certain File() constructors on workers fixed fixed unaffected [adv-main36+] csectype-race, sec-high
1167489 Core DOM: Core & HTML RESO "Spy in the Sandbox" - Security issue related to High Res... --- affected wontfix [post-critsmash-triage][adv-main41+] csectype-disclosure, privacy, sec-moderate
1168207 Core DOM: Core & HTML RESO Memory safety problem in ArrayBufferBuilder::append --- fixed fixed [adv-main39+][adv-esr38.1+][adv-esr31.8+] csectype-intoverflow, regression, sec-high
1186489 Core DOM: Workers RESO Clamp the resolution of performance.now() in workers too --- affected --- [post-critsmash-triage][adv-main41-] csectype-disclosure, privacy, sec-moderate
1092363 Core CSS Parsing and Comp RESO Heap-buffer-overflow in nsTransformedTextRun::SetCapitali... fixed fixed unaffected [asan][adv-main36+][b2g-adv-main2.2-] crash, csectype-bounds, regression, sec-high, testcase
1127198 Core CSS Parsing and Comp RESO ClearCachedInheritedStyleDataOnDescendants is sometimes c... fixed fixed unaffected csectype-bounds, sec-high
1146101 Core CSS Parsing and Comp RESO "Assertion failure: false (destroying Text style struct s... wontfix fixed unaffected [adv-main38+] assertion, sec-high, testcase
1080987 Core DOM: Core & HTML RESO navigator.sendBeacon() doesn't satisfy CORS specification fixed fixed fixed [reporter-external][adv-main35+][adv-esr31.4+][b2g-adv-main2.2+] sec-moderate
1111834 Core DOM: Security RESO CORS request after preflight should not follow 30x redirect fixed fixed fixed [adv-main37+][adv-esr31.6+] sec-high
1178058 Core XPConnect RESO It's possible to read local files or perform privilege es... --- fixed wontfix [b2g-adv-main2.5+][adv-main39+][adv-esr38.1+] sec-high
1030667 Core DOM: Core & HTML RESO AddressSanitizer: double-free with zero-length XHR, depen... --- fixed wontfix [reporter-external][adv-main36+][b2g-adv-main2.2-] reproducible, sec-high
1167782 Core Layout RESO crash in nsHTMLCSSStyleSheet::RulesMatching(PseudoElement... --- fixed wontfix [adv-main39-][adv-esr38.1-] assertion, crash, csectype-nullptr, regression, sec-other
1147497 Core Security: PSM RESO key pinning checks for overridable errors do not work as ... wontfix fixed unaffected [adv-main39+][adv-esr38.1+] sec-moderate
1026774 Core WebRTC: Networking RESO malloc of undefined size in stun_get_mib_addrs in rare cases --- fixed fixed [adv-main35+][b2g-adv-main2.2+] csectype-uninitialized, sec-moderate
1072044 Core WebRTC: Networking RESO Several signals from PCMedia to PCImpl are unsafe --- fixed fixed [adv-main33+][adv-esr31.2+] sec-high
1082142 Core WebRTC: Signaling RESO Potentially unterminated string buffers in |CC_SIPCCCall| --- fixed unaffected [CID 1244245][CID 1244246][CID 1244247] coverity, sec-moderate
1099414 Core WebRTC: Networking RESO memory management issues in nICEr if e10s is used disabled fixed fixed [b2g-adv-main2.2?] csectype-uaf, sec-high
1123882 Core Audio/Video RESO MediaDecoderStateMachine::SendStreamAudio passes an incor... fixed fixed fixed [adv-main36+][adv-esr31.5+] sec-high
1151139 Core WebRTC: Signaling RESO Racy call to PeerConnectionMedia::num_ice_media_streams f... wontfix fixed fixed [adv-main38+][adv-esr31.7+] sec-high
1098583 Core WebRTC: Networking RESO Empty datachannel label results in heap overflow --- fixed fixed [adv-main35+][b2g-adv-main2.2+] sec-moderate
1135511 Core Graphics: Layers RESO Memset crash in mozilla::layers::BufferTextureClient::All... fixed fixed --- [adv-main37+][fixed by bug 1135883][post-critsmash-triage] sec-critical
1092370 Core Audio/Video RESO Stack-buffer-underflow in mozilla::MP3FrameParser::ParseB... fixed fixed fixed [adv-main36+][b2g-adv-main2.2+] crash, csectype-bounds, sec-moderate, testcase
1113005 Core XPCOM RESO Heap-buffer-overflow in nsCString::ReplaceSubstring fixed fixed unaffected csectype-bounds, regression, sec-critical
1200856 Core DOM: Core & HTML RESO CORS preflight cache poisoning with the credentials flag --- fixed wontfix [post-critsmash-triage][adv-main41+][adv-esr38.3+] csectype-sop, sec-high
1200869 Core DOM: Core & HTML RESO CORS preflight cache poisoning with a CORS header being m... --- fixed wontfix [post-critsmash-triage][adv-main41+][adv-esr38.3+] csectype-sop, sec-high
1140537 Core XML RESO Buffer overflow xml parser wontfix fixed fixed [adv-main38+][adv-esr31.7+] csectype-bounds, sec-critical
1111243 Core JavaScript Engine RESO Crash with structured-cloning and proxy wrapped Map/Sets verified fixed fixed [adv-main36+][adv-esr31.5+] sec-high
1111248 Core JavaScript Engine RESO Crash in BooleanGetPrimitiveValueSlow fixed fixed fixed [adv-main36+][adv-esr31.5+] sec-critical
1066362 Core Security RESO Privileged apps on desktop don't apply a default CSP --- fixed fixed [adv-main34-] sec-moderate
1036515 Core XPCOM RESO Refcounting on nsTimerImpl is not actually threadsafe fixed fixed fixed [adv-main37+][adv-esr31.6+][b2g-adv-main2.2+] csectype-race, sec-high
1094930 Core DOM: Core & HTML RESO compartment mismatch in nsDocument::RegisterElement --- fixed --- sec-high
1132358 Core Networking: DNS RESO possible use after free in nsDNSRecord::GetNextAddr fixed fixed fixed [adv-main36+][adv-esr31.6+] csectype-uaf, sec-high
1101576 Core JavaScript Engine: J RESO Assertion failure: Integer input should be equal or highe... --- fixed unaffected [jsbugmon:] assertion, regression, sec-high, testcase
1192226 Core Audio/Video RESO vp9_init_context_buffers --- affected wontfix [adv-main41+][adv-esr38.3+] sec-moderate
1064670 NSS Libraries RESO ASN.1 DER decoding of lengths is too permissive, allowing... fixed fixed affected [adv-main36-] sec-low/moderate after fix in bug 1064636, we don't know of any other exploitable paths sec-critical
1061214 Core JavaScript: GC RESO MarkJitExitFrame() doesn't mark some VM wrapper argument ... --- fixed fixed [adv-main33+][adv-esr31.2+][b2g-adv-main2.2-] sec-high
1073577 Core JavaScript: GC RESO Objects can be put into the wrong entry in the new object... --- fixed disabled [adv-main34+] sec-high
1110931 Core JavaScript: GC RESO Intermittent crash at !InFreeList fixed fixed unaffected sec-moderate
1116306 Core JavaScript: GC RESO Assertion failure: [barrier verifier] Unmarked edge: allo... fixed fixed unaffected [adv-main37+] assertion, regression, sec-moderate, testcase
1127246 Core JavaScript: GC RESO baseShapes table is not updated after generational GC fixed fixed unaffected [adv-main36+] sec-high
1149526 Core JavaScript: GC RESO Check HeapPtrs have GC lifetime wontfix fixed fixed [adv-main38+][b2g-adv-main2.2+] sec-high
1208665 Core JavaScript Engine RESO TempAllocPolicy::pod_* suffer from integer overflow issues --- affected unaffected [post-critsmash-triage][adv-main42+][adv-esr38.4+] csectype-intoverflow, sec-high
1086842 Core JavaScript Engine: J RESO Assertion failure: [infer failure] Missing type in object... --- fixed fixed [jsbugmon:update][adv-main34+][b2g-adv-main2.2-] assertion, regression, sec-critical, testcase
1115776 Core JavaScript Engine RESO Crashes in EnterIon on Pinterest fixed fixed fixed [adv-main36+][adv-esr31.5+] crash, sec-critical, topcrash
1128196 Core JavaScript Engine: J RESO Skipping argument type checks is unsafe when the callee i... fixed fixed fixed [adv-main36+][adv-esr31.5+] sec-critical
1160884 Core JavaScript Engine: J RESO Crash [@ js::str_split_string(JSContext*, JS::Handle<js::... --- fixed fixed [adv-main39+][adv-esr31.8+][adv-esr38.1+] assertion, crash, sec-critical
1111065 Core IPC RESO Inadequate robustness of Chromium IPC Pickle code fixed fixed fixed [adv-main37-][post-critsmash-triage] csectype-bounds, csectype-uninitialized, sec-high
1111079 Core IPC RESO Chromium IPC channel bug: use-after-free in IPC::Channel:... fixed fixed fixed [adv-main37-][post-critsmash-triage] csectype-uaf, sec-high
1146416 Core IPC RESO NS_OpenAnonymousTemporaryFile() runs main thread code whe... wontfix fixed wontfix [adv-main39+] csectype-race, sec-moderate
1070990 Core DOM: Core & HTML RESO B2G crash in JSAutoCompartment::JSAutoCompartment | IPC::... --- fixed unaffected [b2g-crash] crash, csectype-uaf, regression, sec-critical
1161063 Core Storage: IndexedDB RESO Getting a stored MutableFile out of IndexedDB on a worker... --- fixed unaffected [post-critsmash-triage][adv-main41+][adv-esr38.3+] csectype-race, sec-high
1097253 Core JavaScript Engine RESO SIGBUS due to unaligned TypedArray copies on ARM --- fixed unaffected regression, sec-high
1127012 Core JavaScript Engine RESO Assertion failure: pn_type < PNK_LIMIT, at ParseNode.h:494 fixed fixed fixed [adv-main37+] regression, sec-critical
1128939 Core Audio/Video RESO MP4 crash access violation fixed fixed fixed [adv-main36+] sec-critical
1144107 Core Audio/Video RESO crash in [@ stagefright::SampleTable::isValid() ] with h2... --- fixed unaffected [adv-main40+][adv-esr38.2+] crash, crashreportid, regression, reproducible, sec-high, testcase
1149605 Core Audio/Video RESO Security Vulnerability in StageFright MP4 Processing wontfix fixed fixed [Android and B2G] Embargo until July 8, 2015 (needs a fix in Firefox 39) [adv-main38-] sec-critical
1154683 Core Audio/Video RESO Integer overflow in libstagefright (data tag in mp4) migh... wontfix fixed fixed [adv-main38+][see bug 1158568 and don't open until July 8] csectype-bounds, sec-high
1158568 Core Audio/Video RESO Integer overflow in libstagefright might lead to heap ove... wontfix fixed fixed [b2g-adv-main-2.5+][adv-main38+] fixes CVE-2015-3864 csectype-bounds, sec-high
1163359 Core Web Audio RESO Crash [@ moz_speex_inner_product_single ] | Assertion fai... --- fixed disabled [adv-main39+][adv-esr38.1+] assertion, crash, reproducible, sec-high
1181651 Core Audio/Video RESO crash in CmpInstructions --- affected unaffected [post-critsmash-triage][adv-main41+][adv-esr38.3+] crash, sec-high
1184871 Core Audio/Video: Playbac RESO Stagefright: heap-use-after-free crash [@stagefright::ESD... --- fixed wontfix [b2g-adv-main2.5+][fixed by 1186718] crash, csectype-uaf, sec-critical, testcase
1185115 Core Audio/Video RESO MPEG4 saio Chunk Integer Overflow (libstagefright) (ZDI-C... --- fixed wontfix [adv-main40+][adv-esr38.2+] csectype-intoverflow, sec-critical
1064636 NSS Libraries RESO RSA PKCS#1 signature verification forgery is possible due... --- fixed fixed [status-firefox-esr24:fixed][status-b2g-v1.3:fixed][status-b2g-v1.3t:fixed][adv-main32+][adv-esr31.1+] sec-critical
1146026 NSS CA Certificates Code RESO Distrust MSCHOLDING intermediate certificate --- fixed fixed [b2g-adv-main2.2-] sec-high
1107009 Core Graphics: Layers RESO Intermittent test_bug346659.html | application crashed [@... fixed fixed fixed [e10s only?][adv-main36+][adv-esr31.5+][b2g-adv-main2.2+] crash, csectype-uaf, intermittent-failure, sec-critical
1111737 Core DOM: Core & HTML RESO crash nsScriptLoader not thread-safe nsScriptLoader.cpp:178 fixed fixed fixed [adv-main35+][adv-esr31.4+] sec-moderate
1145870 Core DOM: Navigation RESO Pwn2Own bug still exploitable in 36.0.3 fixed fixed fixed [b2g-adv-main2.2-] sec-critical
1152026 Core Storage: IndexedDB RESO IndexedDB cycle-collection crash, probably --- fixed unaffected [fixed in 43 by bug 1179909][post-critsmash-triage][adv-main41+][adv-esr38.3+] crash, sec-moderate
1085175 Core Audio/Video RESO Stack-buffer-overflow Write in mozilla::FileBlockCache::Read --- fixed fixed [adv-main34+][adv-esr31.3+] csectype-bounds, sec-critical
1171540 Core JavaScript Engine: J RESO crash in void js::jit::AssemblerX86Shared::lock_addl<js::... --- fixed unaffected [post-critsmash-triage][adv-main40+][adv-esr38.2+] crash, sec-moderate
1201793 Core JavaScript Engine RESO "Assertion failure: !has(reg), at ../../../gecko/js/src/j... --- fixed wontfix [post-critsmash-triage][adv-main41+][adv-esr38.3+] sec-high
1204061 Core SVG RESO Missing status checks in AddWeightedPathSegLists and SVGP... --- fixed wontfix [b2g-adv-main-2.5+][post-critsmash-triage[adv-main42+][adv-esr38.4+] sec-critical
1054538 Core JavaScript Engine: J RESO Crash [@ interpExitTrampoline] with js::jit::IonScript::u... --- fixed wontfix [adv-main35+][b2g-adv-main2.2+] sec-high
1152280 Core JavaScript Engine RESO Incorrect asm.js bounds check elimination vulnerability (... wontfix fixed unaffected [adv-main38+] sec-critical
1077687 Core CSS Parsing and Comp RESO Style struct may refer to removed CounterStyle object --- fixed fixed [adv-main34+] bug 1077718 protects with frame poisoning, backported to Fx34 csectype-uaf, regression, sec-high
1105938 Core CSS Parsing and Comp RESO Global-buffer-overflow in CSSParserImpl::ParseDeclaration fixed fixed wontfix [asan][adv-main37-][b2g-adv-main2.2-] crash, csectype-dos, regression, sec-other, testcase
1110557 Toolkit Autocomplete RESO Arbitrary File Read Vulnerability via Form Autocomplete fixed fixed fixed [adv-main36+][adv-esr31.5+] csectype-disclosure, sec-high, testcase
1143299 Core Layout RESO Heap-use-after-free in UnhookTextRunFromFrames wontfix fixed fixed [asan][adv-main38+][adv-esr31.7+] crash, csectype-uaf, sec-critical, testcase
1153478 Core Layout: Text and Fon RESO heap-use-after-free in SetBreaks wontfix fixed fixed [asan][adv-main38+][adv-esr31.7+] crash, csectype-uaf, sec-critical, testcase
1189814 Core DOM: Copy & Paste an RESO Dragging and dropping image to <textbox> pastes final URL... --- affected unaffected [adv-main41+][adv-esr38.3+] can be used in critical attacks against certain sites. regression, sec-moderate
1095859 Core Networking RESO Cookie injection by Proxy with 407 response --- fixed fixed [adv-main35+][adv-esr31.4+][b2g-adv-main2.2-] sec-moderate
1148328 Core Networking: HTTP RESO Server certificate verification bypass with Alt-Svc verified fixed unaffected csectype-sop, sec-critical
1196237 Core Networking RESO nsHostResolver thread is still running late in shutdown --- affected wontfix [post-critsmash-triage][adv-main42+] csectype-race, csectype-uaf, sec-high
1213979 Core Networking: HTTP RESO Heap-use-after-free [@ mozilla::net::Http2Stream::AdjustI... --- fixed wontfix [post-critsmash-triage][adv-main42+][adv-esr38.4+] crash, csectype-uaf, dogfood, regression, sec-critical
1186160 Core Networking: WebSocke RESO WebSocketChannel accesses nsDocShell and nsDocument off t... --- fixed wontfix [post-critsmash-triage][adv-main42+][adv-esr38.7+] csectype-race, regression, sec-high
1072871 Core Graphics RESO IPC: heap-use-after-free crash [@mozilla::gfx::DrawTarget... fixed fixed fixed [adv-main35+][b2g-adv-main2.2+] crash, csectype-uaf, sec-high, testcase
1099437 Core Graphics: Layers RESO Negative-size-param memset in mozilla::layers::BufferText... fixed fixed wontfix [adv-main37+][b2g-adv-main2.2+] sec-moderate
1110488 Core Graphics: CanvasWebG RESO webgl shader compilation log strcpy not allocated memory fixed fixed fixed [adv-main36+][b2g-adv-main2.2+] sec-moderate
1147188 Core Storage: IndexedDB RESO Security checks in IndexedDB code are getting compiled out wontfix fixed --- [adv-main39-] sec-high
1074280 Core Graphics: Layers RESO Bad casting: From BasicThebesLayer to BasicContainerLayer --- fixed fixed [adv-main34+][adv-esr31.3+] sec-high
1076983 Core Security: PSM RESO Padding oracle attack on SSL 3.0 --- fixed fixed [adv-main34-][adv-esr31.3-] relnote, sec-high
1138554 NSS Libraries RESO NSS accepts export-length DHE keys with regular DHE ciphe... --- fixed fixed [adv-main39+][adv-esr38.1+][adv-esr31.8+] Embargo until multi-vendor coordinated info release (May 19) dev-doc-needed, sec-moderate, site-compat
1072877 Core Graphics: Layers RESO IPC: heap-buffer-overflow crash [@mozilla::layers::TileHo... --- fixed fixed [fuzzblocker] crash, csectype-bounds, sec-critical, testcase
1151650 Core Graphics RESO GfxInfoBase::GetFeatureStatus() sends an IPDL message off... --- fixed fixed [fixed by bug 1151713][adv-main39+][adv-esr38.1+] sec-moderate
1137624 Core JavaScript Engine: J RESO MArrayJoin misbehaves when array elements override toString fixed fixed fixed [adv-main37+] regression, sec-critical, testcase
1204700 Core JavaScript Engine: J RESO Assertion failure: !has(reg), at jit/RegisterSets.h --- fixed wontfix [jsbugmon:update][post-critsmash-triage][adv-main42+][adv-esr38.4+] assertion, regression, sec-high, testcase
1154672 Core Audio/Video RESO Heap buffer overflow in libstagefright (tx3g tag in mp4) --- fixed fixed [adv-main38+] fixed in bug 1154683 (separate testcase) csectype-bounds, sec-high
1211585 Core Security: PSM RESO [meta] upgrade firefox 38 ESR to to nspr 4.10.10 and nss ... --- fixed --- [post-critsmash-triage][adv-esr38.4-] meta, sec-other
1108455 Core WebRTC RESO Execution of arbitrary addresses in relation to WebRTC Me... fixed fixed fixed [adv-main35+][adv-esr31.4+][b2g-adv-main2.2+] sec-critical, valgrind
1122218 Core Web Audio RESO Out-of-Bounds Read in AudioParamTimeline::AudioNodeInputV... wontfix fixed fixed [adv-main39+][adv-esr38.1+] csectype-bounds, sec-moderate
988698 Core Audio/Video RESO heap-use-after-free in nsThreadManager::RegisterCurrentTh... wontfix fixed wontfix [adv-main38+][b2g-adv-main2.2+] crash, csectype-uaf, sec-moderate
1080312 Core WebRTC: Networking RESO Crash in DataChannels/sctp timer loop when far-end is bei... --- fixed fixed [webrtc-uplift][adv-main34+][adv-esr31.3+] crash, csectype-uaf, sec-critical
1122387 Core WebRTC: Audio/Video RESO MediaEngineWebRTCVideoSource::mSources is inadequately pr... fixed fixed fixed [adv-main36+] regression, sec-high
1178890 Core XPCOM RESO TimerThread::DoAfterSleep() seems to not be threadsafe --- fixed fixed [adv-main40+][adv-esr38.2+] sec-high
1064320 Core Security RESO NSC_Encrypt returns uninitialised garbage which is handed... --- fixed fixed csectype-uninitialized, sec-high
1166031 Core Security: PSM RESO Update to NSS 3.19.1 --- fixed fixed [adv-main39-][adv-esr38.1-][adv-esr31.8-] fixes sec-high security bugs [b2g-adv-main2.2-]] sec-other
1119579 Core JavaScript Engine RESO Assertion failure: !comp.ref().done(), at gc/Zone.h fixed fixed fixed [adv-main36+][adv-esr31.5+] assertion, regression, sec-high, testcase
1136397 Core JavaScript Engine: J RESO [jsdbg2] Crash after resuming from breakpoint fixed fixed unaffected [adv-main37+][post-critsmash-triage] sec-moderate
1153688 Core XPConnect RESO Type confusion between object and symbol in XPCVariant wontfix fixed unaffected [adv-main38+] assertion, sec-critical, testcase
1183901 Core DOM: Core & HTML RESO DistributedContentList doesn't QI to nsWrapperCache, nor ... --- fixed wontfix [adv-main42-] sec-high
1184065 Core DOM: Core & HTML RESO DestinationInsertionPointList doesn't QI to nsWrapperCach... --- fixed wontfix [post-critsmash-triage] sec-high
1056410 Core JavaScript: GC RESO More missing callgraph edges involving destructors wontfix fixed fixed [b2g-adv-main2.2+][adv-main39+][adv-esr38.1+] sec-high
1120655 Core JavaScript: GC RESO Make the analysis detect compartment iterator invalidation wontfix fixed fixed [asan][adv-main38+][adv-esr31.7+][post-critsmash-triage] csectype-bounds, sec-high
1133909 Core JavaScript: GC RESO Fix hazards revealed by adding in missing GCPointers fixed fixed fixed [adv-main37+] sec-high
1137326 Core JavaScript: GC RESO Avoid compartment iterator invalidation fixed fixed fixed [adv-main37+][adv-esr31.6+] csectype-bounds, sec-high
1137336 Core JavaScript: GC RESO fix weak map tracing hazard due to function pointer fixed fixed --- [adv-main37-][post-critsmash-triage] sec-other
1146724 Toolkit General RESO Untrusted page can see webchannel responses wontfix fixed fixed [adv-main38+] dev-doc-needed, sec-high
1125734 Core JavaScript Engine: J RESO Twitter edit profile page consistently crashes with the L... fixed fixed fixed [adv-main36+] crash, qawanted, regression, sec-high
1163583 Core Layout RESO Heap-buffer-overflow in nsBidi::ResolveImplicitLevels --- fixed unaffected [systemsfe] csectype-bounds, regression, sec-critical, testcase
1152177 Core JavaScript Engine RESO "Assertion failure: js::CurrentThreadCanAccessRuntime(run... wontfix fixed fixed [adv-main38+][adv-esr31.7+] assertion, sec-high, testcase
1159321 Core JavaScript: GC RESO Well-known symbols in jsid's should not fire pre-barriers wontfix fixed unaffected [adv-main39+][adv-esr38.1+] sec-high
1011354 Core Networking RESO crash in mozilla::net::nsHttpChannel::OnStopRequest(nsIRe... --- fixed fixed [adv-main33+][adv-esr31.2+][b2g-adv-main2.2+] crash, csectype-uaf, sec-high
1012609 Core Web Audio VERI Out-of-Bounds Read in mozilla::dom::OscillatorNodeEngine:... --- fixed fixed [adv-main33+][adv-esr31.2+][b2g-adv-main2.2+] crash, regression, sec-high, testcase
1082734 Core DOM: Core & HTML VERI Saving window.location.searchParams can steal search para... --- fixed fixed csectype-disclosure, regression, sec-high
1089328 Core DOM: Workers VERI Use-After-Free in WorkerPrivateParent<mozilla::dom::worke... --- fixed unaffected [reporter-external] csectype-uaf, regression, sec-critical
1160890 Core DOM: Workers VERI Cross-origin information disclosure with error message of... --- affected wontfix [b2g-adv-main2.5?][adv-main43+] csectype-disclosure, csectype-sop, sec-high
1192350 Core DOM: Workers VERI null crash in XMLHttpRequest::Open() --- fixed unaffected [adv-main41-][adv-esr38.3-] csectype-nullptr, sec-other
1130541 Core Storage: IndexedDB VERI Heap use-after-free in mozilla::dom::IndexedDB::IDBObject... verified fixed fixed [adv-main36+][adv-esr31.5+] csectype-uaf, sec-critical
1142210 Core Storage: IndexedDB VERI Type Confusion mozilla::dom::indexedDB::IndexedDatabaseMa... wontfix fixed fixed [adv-main39+][adv-esr38.1+][adv-esr31.8+] qawanted, regression, sec-high
1060276 Core JavaScript Engine VERI Assertion failure: hasSlot() && !hasMissingSlot(), at vm/... --- fixed fixed [fuzzblocker] [jsbugmon:][b2g-adv-main2.2-] assertion, crash, regression, sec-critical, testcase
1089665 Core JavaScript Engine VERI Assertion failure: (*dictp)->inDictionary(), at Shape.cpp:95 --- fixed unaffected [reporter-external] regression, sec-high
1096016 Core JavaScript Engine VERI Crash [@ compartment] or Crash [@ ObjectType] with poison... --- fixed unaffected [jsbugmon:update] crash, regression, sec-high, testcase
1096023 Core JavaScript Engine VERI Assertion failure: offset < length(), at jsscript.h:1049 --- fixed unaffected [jsbugmon:update] assertion, regression, sec-critical, testcase
1102608 Core JavaScript Engine VERI Crash [@ ObjectType] or Crash [@ proto] with TypedObject verified fixed unaffected [jsbugmon:update][b2g-adv-main2.2-] sec-critical
1209471 Core JavaScript Engine VERI Assertion failure: MIR instruction returned object with u... --- fixed wontfix [jsbugmon:update,ignore][adv-main42+][adv-esr38.4+] assertion, regression, sec-high, testcase
1072174 Core XPConnect VERI XrayToString assumes that there are only two XrayTrait types --- fixed fixed [adv-main33+][adv-esr31.2+] sec-high
1228950 Core DOM: Core & HTML VERI cross-origin restriction bypass & arbitrary local file re... --- affected wontfix [adv-main43+][adv-esr38.5+] sec-critical
1107011 Core JavaScript Engine: J VERI Crash in js::jit::LiveInterval::addRangeAtHead --- fixed unaffected [adv-main42+][adv-esr38.4+] crash, sec-high
1234280 Core JavaScript Engine VERI Assertion failure: aIndex < mLength, at ../../dist/includ... --- affected wontfix [jsbugmon:update][adv-main44+][adv-esr38.6+] assertion, regression, sec-high, testcase
1144991 Core DOM: Core & HTML VERI Privilege escalation from resource:// document (e.g. pdf ... verified fixed fixed [adv-main37+][adv-esr31.6+] csectype-priv-escalation, sec-moderate
1041512 Core CSS Parsing and Comp VERI Heap-buffer-overflow in nsTransformedTextRun::SetCapitali... --- fixed fixed [adv-main33+][adv-esr31.2+][b2g-adv-main2.2-] crash, csectype-bounds, regression, sec-high, testcase
1149542 Core SVG VERI Heap-buffer-overflow in SVGTextFrame::ResolvePositions wontfix fixed fixed [adv-main38+][adv-esr31.7+] csectype-bounds, sec-critical
1069762 Core DOM: Security VERI CSP violation report contains sensitive data of other ori... --- fixed fixed [reporter-external][adv-main34+] regression, sec-high
1230668 Core CSS Parsing and Comp VERI Heap-use-after-free [@ nsStyleContext::~nsStyleContext] --- affected wontfix [adv-main44+][adv-esr38.6+] assertion, crash, csectype-uaf, sec-critical, testcase
1066089 Core CSS Parsing and Comp VERI Heap-use-after-free in mozilla::CustomCounterStyle::IsOrd... --- fixed unaffected crash, csectype-uaf, regression, sec-critical, testcase
1065909 Core Security: PSM VERI HPKP and HSTS can be bypassed with extra dot in hostname verified fixed fixed [reporter-external][adv-main36+][b2g-adv-main2.2+] sec-moderate
1224100 Core Graphics: ImageLib VERI "Conditional jump or move depends on uninitialised value(... --- affected wontfix [asan][post-critsmash-triage][adv-main43+][adv-esr38.5+] crash, csectype-bounds, sec-high
1072760 Core JavaScript Engine VERI Failed JS_ASSERT_IF(attrs & JSPROP_READONLY, !(attrs & (J... fixed fixed fixed [adv-main36+][b2g-adv-main2.2+] assertion, sec-high, testcase
1096319 Firefox Security VERI browser.js should validate opener when using it to determ... verified --- --- [adv-main35-][adv-esr31.4-][embargo][b2g-adv-main2.2-][b2g-unaffected] sec-high
1063327 Core Audio/Video VERI OOB write in get_tile --- fixed fixed [adv-main33+][adv-esr31.2+][b2g-adv-main2.2-] csectype-bounds, regression, sec-critical
1117406 Core Graphics: ImageLib VERI PNG: heap-overflow crash [@qcms_transform_data_rgba_out_l... verified fixed fixed [adv-main36+][adv-esr31.5+] crash, csectype-bounds, sec-critical, testcase
1088635 Core DOM: HTML Parser VERI 1410H - Firefox 32,33 xul.dll!nsHtml5TreeOperation use-af... --- fixed fixed [adv-main34+][adv-esr31.3+] csectype-uaf, regression, sec-critical
1075546 Core JavaScript: GC VERI Assertion failure: entry_ == makeIndex(clasp, key, kind),... --- fixed disabled [jsbugmon:][adv-main34+] assertion, regression, sec-high, testcase
1108007 Core JavaScript: GC VERI Assertion failure: (ptrBits & 0x7) == 0, at dist/include/... fixed fixed wontfix [jsbugmon:update][b2g-adv-main2.2-] assertion, regression, sec-other, testcase
1108836 Core JavaScript: GC VERI Crash [@ js::gc::GCRuntime::sweepBackgroundThings] verified fixed unaffected [jsbugmon:update,bisect,ignore][fuzzblocker][b2g-adv-main2.2-] crash, regression, sec-high, testcase
1124563 Core JavaScript Engine VERI Assertion failure: obj->lastProperty() == p->value().shap... fixed fixed unaffected [jsbugmon:update][adv-main36-] assertion, csectype-uaf, regression, sec-high, testcase
1057598 Core JavaScript Engine: J VERI Crash [@ js::jit::JitFrameIterator::operator++] --- fixed fixed [jsbugmon:][b2g-adv-main2.2-] crash, sec-moderate, testcase
1060398 Core JavaScript Engine: J VERI Assertion failure: obj->as<ArrayObject>().lengthIsWritabl... --- fixed fixed [jsbugmon:update][b2g-adv-main2.2-] assertion, sec-moderate, testcase
1085464 Core JavaScript Engine: J VERI Crash [@ js::GeneratorObject::suspend] or Assertion failu... --- fixed unaffected [jsbugmon:update] assertion, crash, regression, sec-critical, testcase
1109889 Core JavaScript Engine VERI Crash [@ ??] with gczeal and recursion verified fixed fixed [jsbugmon:update][adv-main35+][adv-esr31.4+][b2g-adv-main2.2+] crash, regression, sec-critical, testcase
1143679 Core JavaScript Engine VERI Crash [@ js::UnwindIteratorForException] or Assertion fai... wontfix fixed fixed [jsbugmon:ignore][adv-main39+][adv-esr31.8+][adv-esr38.1+] assertion, crash, csectype-uaf, regression, sec-critical, testcase
1182711 Core JavaScript Engine VERI Crash [@ js::ScopeIter::operator++] or Assertion failure:... --- fixed wontfix [jsbugmon:update][post-critsmash-triage][adv-main40+][adv-esr38.2+] assertion, crash, regression, sec-high, testcase
1183153 Core JavaScript Engine VERI Assertion failure: MIR instruction returned object with u... --- fixed wontfix [jsbugmon:update][post-critsmash-triage][adv-main41+][adv-esr38.3+] assertion, regression, sec-high, testcase
1205707 Core JavaScript Engine VERI Assertion failure: this->is<T>(), at js/src/jsobj.h:553 --- affected unaffected [jsbugmon:update][adv-main42+][adv-esr38.4+] assertion, regression, sec-high, testcase
1221385 Core JavaScript Engine VERI Crash [@ js::jit::ExecutableAllocator::releasePoolPages] ... --- affected wontfix [jsbugmon:update][adv-main44+][adv-esr38.6+] assertion, crash, regression, sec-high, testcase
1233152 Core JavaScript Engine VERI Crash [@ js::CompartmentChecker::fail] or Crash [@ compar... --- affected wontfix [jsbugmon:update][adv-main44+][adv-esr38.6+] crash, regression, sec-high, testcase
1062981 Core WebRTC VERI Navigating away from a page with camera sharing in an ifr... --- fixed fixed [adv-main33+][adv-esr31.2+][b2g-adv-main2.2-] privacy, sec-moderate
1042567 Core JavaScript Engine VERI Crash [@ js::FetchName] or Assertion failure: shape->hasS... --- fixed fixed [jsbugmon:origRev=dc352a7bf234,testComment=9,update][adv-main34+][adv-esr31.3+][b2g-adv-main2.2-] assertion, crash, regression, sec-critical, testcase
1061665 Core JavaScript Engine VERI Assertion failure: [barrier verifier] Unmarked edge: <unk... --- fixed disabled [jsbugmon:update,ignore][fixed by bug 1053676][b2g-adv-main2.2-][adv-main41-] assertion, regression, sec-high, testcase
1186718 Core Audio/Video: Playbac VERI Stagefright: heap-buffer-overflow crash [@stagefright::ES... --- fixed wontfix [adv-main40+][adv-esr38.2+][post-critsmash-triage] crash, csectype-bounds, sec-high
1100409 Core Web Audio VERI Crash in mozilla::dom::AudioParamTimeline::AudioNodeInput... --- fixed fixed [adv-main35+][b2g-adv-main2.2+] crash, csectype-bounds, reproducible, sec-moderate, testcase
1175396 Core Audio/Video VERI out of bounds read at mozilla::AudioSink::PlayFromAudioQu... --- fixed fixed [adv-main40+][adv-esr38.2+] csectype-bounds, csectype-uaf, sec-high
1200148 Core Audio/Video: Playbac VERI Heap-buffer-overflow due to overflow in nestegg_track_cod... --- affected wontfix [adv-main41+][adv-esr38.3+] crash, csectype-bounds, sec-high, testcase
1064835 Core JavaScript Engine VERI Assertion failure: stack_[*size_].isJs(), at vm/SPSProfil... --- fixed fixed [adv-main34+] assertion, crash, sec-moderate, testcase
1076918 Core CSS Parsing and Comp VERI Heap-buffer-overflow in nsTransformedTextRun::SetCapitali... --- fixed unaffected crash, csectype-bounds, regression, sec-high, testcase
1117304 Core Graphics VERI Heap-buffer-overflow write in mozilla::gfx::CopyRect verified fixed fixed [adv-main36+][adv-esr31.5+] csectype-bounds, regression, sec-high
1164766 Core Graphics: Canvas2D VERI use-after-free (& crash) after style flush in CanvasRende... --- fixed wontfix [QA: when verifying fix, please test all testcases on duplicate bug 1175278] ZDI will disclose October 2015 (Firefox 41)[b2g-adv-main2.5+] crash, csectype-uaf, regression, reproducible, sec-critical, testcase
1063733 Core Graphics: ImageLib VERI Apparent use of uninitialized memory when rendering trunc... --- fixed fixed [adv-main33+] sec-high
1063653 Core JavaScript Engine: J VERI Crash [@ js::jit::LRecoverInfo::appendResumePoint] --- fixed fixed [fuzzblocker][jsbugmon:update] crash, regression, sec-high, testcase
1106171 Core JavaScript Engine VERI Assertion failure: live->empty(), at js/src/jit/LiveRange... verified fixed unaffected [jsbugmon:update][b2g-adv-main2.2-] assertion, crash, regression, sec-high, testcase
1113940 Core JavaScript Engine: J VERI Crash [@ js::HeapSlot::set] or Assertion failure: !(*inst... verified fixed unaffected [jsbugmon:update] assertion, crash, regression, sec-moderate, testcase
1114569 Core JavaScript Engine VERI Assertion failure: ionRecovery_.empty(), at js/src/vm/Sta... verified fixed unaffected [jsbugmon:update][adv-main36+] assertion, regression, sec-critical, testcase
1138391 Core JavaScript Engine VERI Crash [@ js::jit::JitFrameIterator::checkInvalidation] or... fixed fixed unaffected [jsbugmon:][adv-main37+] crash, regression, sec-critical, testcase
1172076 Core JavaScript Engine VERI Crash [@ js::jit::RValueAllocation::index() const] with h... --- fixed unaffected [jsbugmon:update,ignore][adv-main39+][adv-esr38.1+] crash, csectype-bounds, regression, sec-critical, testcase
1179484 Core Audio/Video VERI libcubeb MediaStream use-after-free --- affected unaffected [adv-main40+][adv-esr38.7+] csectype-uaf, sec-critical
1062876 Core WebRTC VERI The "stop sharing" option in the video sharing control in... --- fixed fixed [adv-main33+][adv-esr31.2+][b2g-adv-main2.2-] privacy, sec-moderate
1073350 Core WebRTC VERI WebRTC: heap-buffer-overflow [@webrtc::ExtractBuffer] --- fixed fixed crash, csectype-bounds, sec-high, testcase
1077274 Core WebRTC: Audio/Video VERI Dead object dereference if <video> GC'd before page closes --- fixed fixed csectype-uaf, regression, sec-critical
1079729 Core WebRTC: Networking VERI PeerConnection.createDataChannel crashes remote end in mo... --- fixed fixed [adv-main34+][adv-esr31.3+] crash, csectype-bounds, sec-critical
1143194 Core JavaScript Engine VERI for-of loops should emit trynotes wontfix fixed unaffected [adv-main38+] assertion, crash, regression, sec-moderate, testcase
1155474 Core JavaScript Engine VERI Crash [@ js::Shape::search] with heap-buffer-overflow wontfix fixed unaffected [jsbugmon:update][adv-main38+] crash, csectype-bounds, regression, sec-critical, testcase
1087633 Core DOM: Core & HTML VERI XMLHttpRequest.prototype.send crashes when given a crafte... --- fixed fixed [adv-main34+][adv-esr31.3+] thread checks seem to protect from the worst sec-moderate
1144988 Core DOM: Navigation VERI Same-origin bypass via SVG hash navigation (ZDI-CAN-2825) verified fixed fixed [filed bug 1145195 to change svgView() behavior][adv-main37-][adv-esr31.6-][b2g-adv-main2.2-] sec-critical
1146339 Core DOM: Navigation VERI A variant of Bug 1144988 lets one bypass same-origin policy verified fixed fixed [adv-main37+][adv-esr31.6+][bg2-adv-main2.2+] sec-high
1149891 Core DOM: Security VERI crash in CSPService::ShouldLoad(unsigned int, nsIURI*, ns... wontfix fixed unaffected [adv-main39+][adv-esr38.1+] crash, csectype-uaf, regression, reproducible, sec-critical
1068218 Core DOM: Core & HTML VERI DirectionalityUtils Use-After-Free, crash [@ mozilla::dom... --- fixed fixed [adv-main33+][adv-esr31.2+] crash, csectype-uaf, sec-critical, testcase
1082986 Core Graphics: Layers VERI Exploitable crash in mozilla::layers::ImageBridgeParent::... --- fixed unaffected crash, csectype-uaf, regression, sec-critical
1145255 Core JavaScript Engine VERI Incorrect asm.js bounds checking elimination (Pwn2Own 201... verified fixed fixed [post-critsmash-triage][adv-main37-][adv-esr31.6-][jsbugmon:update,testComment=13,origRev=2e2222a40262] 32-bit crash, csectype-bounds, regression, sec-critical, testcase
1184500 Toolkit Application Update VERI Out of bounds write in mar_read.c --- fixed fixed [adv-main40+][adv-esr38.2+] sec-high
1077991 Core JavaScript Engine VERI Crash [@ GetObjectAllocKindForCopy] with poison pattern --- fixed unaffected [jsbugmon:update] crash, regression, sec-high, testcase
1096138 Core JavaScript Engine: J VERI Assertion failure: *to != *moves_[i].to(), at jit/LIR.cpp verified fixed fixed [jsbugmon:update][adv-main36+][adv-esr31.5+][b2g-adv-main2.2+] assertion, regression, sec-critical, testcase
1118894 Core JavaScript Engine VERI Assertion failure: pred->isLoopBackedge(), at js/src/jit/... fixed fixed fixed [jsbugmon:update,ignore][adv-main36+] assertion, regression, sec-high, testcase
1230483 Core Audio/Video: Playbac VERI crash in mozilla::MediaDecoder::NotifySuspendedStatusChanged --- affected wontfix [adv-main44+][adv-esr38.6+] crash, csectype-uaf, sec-critical
1013001 Core JavaScript Engine: J VERI Assertion failure: ptr->isTenured(), at jit/shared/Assemb... --- fixed unaffected [jsbugmon:update,testComment=6][adv-main34+][b2g-adv-main2.2-] assertion, sec-high, testcase
1023158 Core JavaScript Engine: J VERI Assertion failure: ptr->isTenured(), at jit/shared/Assemb... --- fixed unaffected [jsbugmon:update,ignore][only a sec issue with GGC][adv-main34+][b2g-adv-main2.2-] assertion, sec-high, testcase
1064346 Core JavaScript Engine VERI Crash [@ IsInsideNursery] with use-after-free (likely OOM) --- fixed fixed [adv-main33+][adv-esr31.2+] crash, csectype-uaf, sec-high, testcase
1085355 Core JavaScript Engine VERI Assertion failure: isExclusiveContext(), at jscntxt.h:225... verified fixed --- [jsbugmon:update,ignore][b2g-adv-main2.2-] assertion, sec-high, testcase
1114058 Core JavaScript Engine: J VERI Crash [@ js::RegExpShared::~RegExpShared] verified fixed fixed [jsbugmon:update][adv-main36+] crash, regression, sec-high, testcase
1075336 Core CSS Parsing and Comp VERI Heap-use-after-free in mozilla::CustomCounterStyle::IsBullet --- fixed fixed [adv-main33-] crash, csectype-uaf, regression, sec-critical, testcase