Key vulnerability information

Bug ID: 863935
Bug title: Use-after-poison in nsFrameList::UnhookFrameFromSiblings with moz-column
Status: Closed, RESOLVED FIXED
Product: Core
Component: Layout: Block and Inline
Type: defect
Priority: Not set
Severity: critical
Milestone: mozilla24
Key tracking status:
- firefox23: wontfix
- firefox24: fixed
- b2g18: unaffected

Vulnerability description

Debug information:
- Assertion failure: !GetPropertyTableFrames(aPresContext, aProperty), at layout/generic/nsContainerFrame.cpp:1459
- Use-after-poison of pres arena memory in nsFrameList::UnhookFrameFromSiblings

Security issue

Potentially security-sensitive; related to the long-standing Bug-729519.

Fix information

Fix commits:
- https://hg.mozilla.org/mozilla-central/rev/52127bafd50b
- https://hg.mozilla.org/integration/mozilla-inbound/rev/48bbd10759f7
- https://hg.mozilla.org/mozilla-central/rev/c4e37220caed