Key Vulnerability Information

Vulnerability Overview
CVE ID: CVE-2013-1694
Bug title: Use of PreserveWrapper in cases when we don't have a wrapper seems broken
Bug type: defect

Affected Scope
Product: Core
Component: DOM: Core & HTML
Platform: x86, macOS

Status and Tracking
Status: RESOLVED FIXED
Milestone: mozilla24

Tracking Flags
Firefox 20-24: Fixed
Firefox 22+: Fixed
Firefox b2g18: Fixed

Description
1. XHR starts.
2. Its wrapper, if any, is collected.
3. A C++ readyStateChange listener calls GetResponse, and the response type is JSON or arraybuffer. This causes nsXMLHttpRequest::RootJSResultObjects to be called, which calls PreserveWrapper.
4. JS touches the XHR object, causing it to be wrapped, which calls nsWrapperCache::SetWrapper.

In a debug build this will assert fatally. In an opt build this will clear the preserved-wrapper flag on the wrapper cache, which seems bad.

Resolution
The fix preserves the flag in SetWrapper and removes the assertion in that method. Alternatively, it might be better to stop using PreserveWrapper to mean "hold JS objects" in XHR.

Review and Approval
Multiple changes were reviewed and approved by key stakeholders. Patches were attached and approved for various branches.

Fix Verification
Testing was completed on m-c, etc., and the patch was landed successfully.
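To make the flag loss concrete, here is an added C++ model (not Gecko's own code) of the wrapper cache described above: the cache is modeled as one tagged word whose low bit is the preserved-wrapper flag, and the four steps of the report are replayed once with a SetWrapper that overwrites the whole word and once with one that keeps the flag. The layout, names and fake wrapper addresses are assumptions made for illustration, not Gecko's actual definitions.

```cpp
#include <cstdint>

// Simplified stand-in for nsWrapperCache (assumption: flags live in the low
// bits of the same word that holds the wrapper pointer).
class WrapperCacheModel {
public:
    static const uintptr_t WRAPPER_BIT_PRESERVED = 1;
    static const uintptr_t kFlagMask = 1;

    // Variant from the report: the whole word is overwritten, so the
    // preserved-wrapper flag set in step 3 is silently dropped.
    void SetWrapperBuggy(uintptr_t wrapper) { mBits = wrapper; }
    // Fixed variant: keep the flag bits across SetWrapper.
    void SetWrapperFixed(uintptr_t wrapper) {
        mBits = wrapper | (mBits & kFlagMask);
    }
    // GC collected the JS wrapper; only the flag bits remain.
    void ClearWrapper() { mBits &= kFlagMask; }
    void PreserveWrapper() { mBits |= WRAPPER_BIT_PRESERVED; }
    bool PreservingWrapper() const { return (mBits & WRAPPER_BIT_PRESERVED) != 0; }
    uintptr_t GetWrapper() const { return mBits & ~kFlagMask; }

private:
    uintptr_t mBits = 0;
};

struct Outcome {
    bool preserved;      // is the preserved-wrapper flag still set after step 4?
    uintptr_t wrapper;   // which wrapper the cache points at after step 4
};

// Replay the four steps of the bug report against one SetWrapper variant.
Outcome ReplayScenario(bool useFixedSetWrapper) {
    // Constructed, word-aligned fake wrapper addresses (not real JS objects).
    const uintptr_t kWrapperA = 0x1000;
    const uintptr_t kWrapperB = 0x2000;

    WrapperCacheModel cache;
    cache.SetWrapperFixed(kWrapperA);  // 1. XHR starts and already has a wrapper
    cache.ClearWrapper();              // 2. that wrapper is collected
    cache.PreserveWrapper();           // 3. RootJSResultObjects -> PreserveWrapper, no wrapper present
    if (useFixedSetWrapper) {          // 4. JS touches the XHR and it is re-wrapped
        cache.SetWrapperFixed(kWrapperB);
    } else {
        cache.SetWrapperBuggy(kWrapperB);  // debug builds would assert here instead
    }
    return Outcome{cache.PreservingWrapper(), cache.GetWrapper()};
}
```

With the overwriting variant the flag is gone after step 4 even though the XHR still holds rooted JS result objects; with the fixed variant both the new wrapper and the flag survive.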