| 328851
|
|
[FIX]print preview killing browser's chrome
|
Core
|
Security
|
bzbarsky
|
RESO
|
FIXE
|
2007-01-08
|
| 329677
|
|
[FIX]Persist seems to let any page set any persist value
|
Core
|
XUL
|
bzbarsky
|
RESO
|
FIXE
|
2010-02-11
|
| 330925
|
|
[FIX]Crash [@ nsContentIterator::NextNode] involving reparenting XBL anonymous children
|
Core
|
XBL
|
bzbarsky
|
RESO
|
FIXE
|
2008-01-15
|
| 334210
|
|
[FIX]nsScriptSecurityManager::SecurityCompareURIs uses sourcePort unitialized if getting targetPort fails
|
Core
|
Security: CAPS
|
bzbarsky
|
RESO
|
FIXE
|
2007-01-08
|
| 328817
|
|
Content injection spoofing with Content-Length header overflow
|
Core
|
Networking: HTTP
|
darin.moz
|
RESO
|
FIXE
|
2011-07-14
|
| 329746
|
|
Content injection spoofing with a space before colon in HTTP header
|
Core
|
Networking: HTTP
|
darin.moz
|
RESO
|
FIXE
|
2006-06-13
|
| 330214
|
|
Content injection spoofing with a combination of headers defined by HTTP/1.0 and 1.1 (e.g. Content-Length and Transfer-Encoding: chunked)
|
Core
|
Networking: HTTP
|
darin.moz
|
RESO
|
FIXE
|
2008-05-22
|
| 334080
|
|
crashes due to null mBodyContent in nsImageDocument::CheckOverflowing [@ nsStyleContext::GetStyleData]
|
Core
|
DOM: Core & HTML
|
dbaron
|
RESO
|
FIXE
|
2019-03-13
|
| 334104
|
|
WAY_TOO_MUCH_GC crash opening Firefox bookmarks menu, doing GC inside XPC_WN_Shared_ToString
|
Core
|
XPConnect
|
dbaron
|
RESO
|
FIXE
|
2006-11-10
|
| 334977
|
|
[FIX]File Upload Box Still can have arbitrary file specified by changing type attribute several times with javascript
|
Core
|
Layout: Form Control
|
jonas
|
RESO
|
FIXE
|
2008-08-13
|
| 330773
|
|
DOM property setter override (remote compromise)
|
Core
|
JavaScript Engine
|
mrbkap
|
RESO
|
FIXE
|
2013-03-26
|
| 332971
|
|
crash with iframe removing itself [@ nsAttrAndChildArray::Clear] [@ nsAttrAndChildArray::~nsAttrAndChildArray]
|
Core
|
DOM: Core & HTML
|
mrbkap
|
RESO
|
FIXE
|
2019-03-13
|
| 319263
|
|
valueOf.call() causes privilege escalation issue in Greasemonkey
|
Core
|
Security
|
mrbkap
|
RESO
|
FIXE
|
2008-10-10
|
| 321101
|
|
Malicious PAC script can escalate privilege
|
Core
|
Security
|
mrbkap
|
RESO
|
FIXE
|
2008-10-17
|
| 333113
|
|
Crash using schema and "0.5 RC" xpi on branch
|
Core Graveyard
|
XForms
|
allan
|
RESO
|
FIXE
|
2016-07-15
|
| 336830
|
|
Arbitrary code execution using nsISelectionPrivate.addSelectionListener()
|
Core
|
Security
|
bzbarsky
|
RESO
|
FIXE
|
2009-07-25
|
| 307560
|
|
WAY_TOO_MUCH_GC JS eng assert under SetNewDocument
|
Core
|
XPConnect
|
dbaron
|
RESO
|
FIXE
|
2006-05-22
|
| 327712
|
|
nsXBLProtoImplProperty::InstallMember doesn't root correctly
|
Core
|
XBL
|
dbaron
|
RESO
|
FIXE
|
2006-07-13
|
| 328113
|
|
crash [@ nsIconChannel::GetName][@ nsMimeType::GetDescription][@ nsDownloadsDataSource::GetURI]
|
Toolkit
|
Downloads API
|
dbaron
|
RESO
|
FIXE
|
2011-06-13
|
| 324918
|
|
This testcase triggers "index out of range" through nsHTMLSelectElement::RemoveOptionsFromListRecurse
|
Core
|
Layout: Form Control
|
jonas
|
RESO
|
FIXE
|
2007-12-16
|
| 325730
|
|
Crash changing document during DOMNodeRemoved [@ nsAttrAndChildArray::InsertChildAt]
|
Core
|
DOM: Core & HTML
|
jonas
|
RESO
|
FIXE
|
2019-03-13
|
| 329982
|
|
Crash [@ nsXULElement::RemoveChildAt] involving DOMNodeRemoved mutation event
|
Core
|
XUL
|
jonas
|
RESO
|
FIXE
|
2011-06-13
|
| 330897
|
|
crypto.signText writing off end-of-array, leading to SEGV, with patch
|
Core
|
Security: PSM
|
kaie
|
RESO
|
FIXE
|
2006-06-13
|
| 330900
|
|
nsCrypto::GenerateCRMFRequest reads past end of array when given 2 args
|
Core
|
Security: PSM
|
kaie
|
RESO
|
FIXE
|
2006-06-09
|
| 327744
|
|
[Intel OS X] SVG implementation/support isn't fully functional.
|
Core
|
SVG
|
mark
|
RESO
|
FIXE
|
2006-06-06
|
| 332704
|
|
divide by zero crash on intel mac with universal build when viewing SVG app
|
Core Graveyard
|
GFX: Mac
|
mark
|
RESO
|
FIXE
|
2009-01-22
|
| 334464
|
|
Firefox abort when entering chars in form field on HP-UX
|
Toolkit
|
Form Manager
|
mark
|
RESO
|
FIXE
|
2008-07-31
|
| 309599
|
|
crash in nsIHTMLEditor::insertHTML
|
Core
|
DOM: Editor
|
martijn.martijn
|
RESO
|
FIXE
|
2006-06-02
|
| 329468
|
|
Show Only This Frame XSS (FF, TB, Suite)
|
Core
|
Security
|
martijn.martijn
|
RESO
|
FIXE
|
2006-06-04
|
| 329521
|
|
View Image xss
|
Core
|
Security
|
martijn.martijn
|
RESO
|
FIXE
|
2006-06-13
|
| 330037
|
|
Embed Propertypage Remote Compromise (version 2)
|
Core
|
Security
|
martijn.martijn
|
RESO
|
FIXE
|
2008-10-17
|
| 301308
|
|
[@ nsMsgGroupView::~nsMsgGroupView]
|
MailNews Core
|
Backend
|
mozilla
|
RESO
|
FIXE
|
2008-07-31
|
| 331676
|
|
Crash on search in threaded mode
|
Thunderbird
|
Mail Window Front En
|
mozilla
|
RESO
|
FIXE
|
2007-03-30
|
| 332119
|
|
IMAP folders: if sum of characters in foldernames to long TB crashes or loops when you access the last folder in chain. [@ nsMsgDatabase::GetTableCreateIfMissing]
|
MailNews Core
|
Database
|
mozilla
|
RESO
|
FIXE
|
2008-07-31
|
| 298525
|
|
Phishing State should take precedence over Junk State in the message bar
|
Thunderbird
|
Mail Window Front En
|
mscott
|
RESO
|
FIXE
|
2006-05-17
|
| 327037
|
|
[gcc4 + -O2 + i386] Newsgroup names over-abbreviated on UB Mac
|
MailNews Core
|
Backend
|
mscott
|
RESO
|
FIXE
|
2008-07-31
|
| 329595
|
|
Crash on marking mail as Junk (Local Folders) [@ nsMsgDBView::PerformActionsOnJunkMsgs]
|
Thunderbird
|
General
|
mscott
|
RESO
|
FIXE
|
2011-06-09
|
| 336506
|
|
Bump Thunderbird version to 1.5.0.4
|
Thunderbird
|
Build Config
|
mscott
|
RESO
|
FIXE
|
2006-05-09
|
| 326931
|
|
Content should not be able to call SetBoxObjectFor
|
Core
|
DOM: Core & HTML
|
neil
|
RESO
|
FIXE
|
2019-03-13
|
| 330818
|
|
memory corruption involving boxObject.
|
Core
|
Security
|
neil
|
RESO
|
FIXE
|
2008-02-14
|
| 329583
|
|
Sidebar View Image xss
|
Firefox
|
General
|
nobody
|
RESO
|
FIXE
|
2012-04-03
|
| 326501
|
|
Content can implement tree views and trigger memory corruption
|
Core
|
XUL
|
roc
|
RESO
|
FIXE
|
2008-07-31
|
| 335816
|
|
Potential XSS attack using zwnbsp on UTF-8 page
|
Core
|
Internationalization
|
VYV03354
|
RESO
|
FIXE
|
2016-03-15
|
| 319980
|
|
javascript garbage collector not run when supposed to, leading to "memory leak"
|
Core
|
JavaScript Engine
|
brendan
|
VERI
|
FIXE
|
2006-07-07
|
| 327534
|
|
uneval on E4X gives "Error: xml is not a function"
|
Core
|
JavaScript Engine
|
brendan
|
VERI
|
FIXE
|
2006-04-27
|
| 331664
|
|
Null ptr deref crash deleting XML methods
|
Core
|
JavaScript Engine
|
brendan
|
VERI
|
FIXE
|
2006-05-26
|
| 331719
|
|
Problem with String.replace running with WAY_TOO_MUCH_GC
|
Core
|
JavaScript Engine
|
brendan
|
VERI
|
FIXE
|
2006-08-21
|
| 331787
|
|
FunctionDef should root fun->obj across call to js_LookupHiddenProperty
|
Core
|
JavaScript Engine
|
brendan
|
VERI
|
FIXE
|
2006-08-21
|
| 302536
|
|
crash [@ nsEventStateManager::UpdateCursor ] when visiting and/or printing a page on www.vdab.be
|
Core
|
DOM: UI Events & Foc
|
dbaron
|
VERI
|
FIXE
|
2019-03-13
|
| 334177
|
|
topcrash (not at shutdown) [@ PL_DHashTableRawRemove] called from nsGenericElement::~nsGenericElement
|
Core
|
DOM: Core & HTML
|
dbaron
|
VERI
|
FIXE
|
2019-03-13
|
| 335731
|
|
Crash while calling HTMLElement.prototype.toString()
|
Core
|
XPConnect
|
mrbkap
|
VERI
|
FIXE
|
2006-05-23
|
| 336313
|
|
Dynamic this binding is biting PAC
|
Core
|
Networking
|
mrbkap
|
VERI
|
FIXE
|
2007-08-06
|
| 336601
|
|
Fix for Bug 319263 can be bypassed by calling valueOf() via a local variable
|
Core
|
Security
|
mrbkap
|
VERI
|
FIXE
|
2008-10-10
|
| 336875
|
|
With Adblock Plus 0.7 installed, images disappear upon reloading any page
|
Core
|
DOM: Core & HTML
|
mrbkap
|
VERI
|
FIXE
|
2019-03-13
|
| 322348
|
|
[FIX]Crash [@ nsFrameList::DestroyFrames] with evil testcase using position:fixed/absolute; and ::first-line
|
Core
|
Layout
|
bzbarsky
|
VERI
|
FIXE
|
2011-06-09
|
| 328012
|
|
"Permission denied to get property ChromeWindow.PropertyIterator"
|
Core
|
JavaScript Engine
|
mrbkap
|
VERI
|
FIXE
|
2006-05-09
|
| 315210
|
|
Using munder:hover {display:-moz-box;} crashes [@ nsBox::SyncLayout] Mozilla
|
Core
|
MathML
|
bernd_mozilla
|
VERI
|
FIXE
|
2006-08-15
|
| 329692
|
|
Crash using canvas style display:table-footer-group and font display:table and more
|
Core
|
Layout: Tables
|
bernd_mozilla
|
VERI
|
FIXE
|
2006-05-22
|
| 329768
|
|
Crash [@ nsTableOuterFrame::IsAutoWidth] setting display:table on html and using position:absolute, display:block in object
|
Core
|
Layout
|
bernd_mozilla
|
VERI
|
FIXE
|
2011-06-09
|
| 67111
|
|
JS_GetImplementationVersion() date string needs to be updated
|
Core
|
JavaScript Engine
|
bob
|
VERI
|
FIXE
|
2006-05-15
|
| 335142
|
|
Bookmarks folders display empty
|
Core
|
XUL
|
bzbarsky
|
VERI
|
FIXE
|
2008-07-31
|
| 329889
|
|
Crash in [@ imgContainerGIF::GetFrameAt] when dragging a corrupted gif file
|
Core
|
Graphics: ImageLib
|
darin.moz
|
VERI
|
FIXE
|
2006-05-22
|
| 271669
|
|
crash [@ nsXULDocument::AttributeChanged]
|
Core
|
XUL
|
dbaron
|
VERI
|
FIXE
|
2011-06-13
|
| 330624
|
|
accessibility code (when accessibility enabled) holds on to DOM nodes until shutdown
|
Core
|
Disability Access AP
|
dbaron
|
VERI
|
FIXE
|
2007-04-26
|
| 331077
|
|
nsFontMetricsXft::CacheFontMetrics() : face may be NULL [@ nsFontMetricsXft::CacheFontMetrics]
|
Core Graveyard
|
GFX: Gtk
|
dbaron
|
VERI
|
FIXE
|
2011-06-09
|
| 331786
|
|
WAY_TOO_MUCH_GC crash in regress-290499.js
|
Core
|
JavaScript Engine
|
dbaron
|
VERI
|
FIXE
|
2006-08-21
|
| 331793
|
|
JS_ASSERT about charSet when running with WAY_TOO_MUCH_GC
|
Core
|
JavaScript Engine
|
dbaron
|
VERI
|
FIXE
|
2006-08-21
|
| 331040
|
|
Crash when removing parent iframe in onbeforunload handler
|
Core
|
DOM: Core & HTML
|
feng.qian.moz
|
VERI
|
FIXE
|
2019-03-13
|
| 329530
|
|
Out of memory crash when calling fn.toString where fn is a deeply nested function
|
Core
|
JavaScript Engine
|
igor
|
VERI
|
FIXE
|
2007-05-22
|
| 331558
|
|
Decompiler: Missing = in default xml namespace statement
|
Core
|
JavaScript Engine
|
jerfa
|
VERI
|
FIXE
|
2006-05-16
|
| 330084
|
|
Crash in [@ nsGenericElement::doReplaceOrInsertBefore]
|
Core
|
DOM: Core & HTML
|
jonas
|
VERI
|
FIXE
|
2019-03-13
|
| 331981
|
|
Crash on reload when setting designMode while loading a large piece of junk
|
Core
|
DOM: Editor
|
jonas
|
VERI
|
FIXE
|
2007-04-16
|
| 334515
|
|
crash initialising iframe as html edit where html loaded contains a second iframe [@ nsQueryInterface::operator()]
|
Core
|
DOM: Editor
|
jonas
|
VERI
|
FIXE
|
2006-07-14
|
| 321598
|
|
Double memory free in nsIX509::getRawDER when called from JavaScript
|
Core
|
Security: PSM
|
kaie
|
VERI
|
FIXE
|
2006-06-02
|
| 326529
|
|
Crash when setting ordinal and hidden property on tooltip
|
Core
|
Layout
|
MatsPalmgren_bugz
|
VERI
|
FIXE
|
2006-08-15
|
| 316845
|
|
Build error in gfx/cairo/libpixman/src/fbpict.c: symbol `_cairo_pixman_composite' is already defined
|
Core
|
Graphics
|
mozbugs
|
VERI
|
FIXE
|
2011-06-11
|
| 320927
|
|
crash when checking pop3 mail [@ msvcrt.dll + 0x378c0 ][@ msvcrt!strlen + 0x20 - nsPop3Protocol::CapaResponse ]
|
MailNews Core
|
Networking: POP
|
mozilla
|
VERI
|
FIXE
|
2011-06-09
|
| 323526
|
|
Fix xpcom build break on OS/2 on 1.8 branches
|
Core
|
XPCOM
|
mozilla
|
VERI
|
FIXE
|
2007-03-11
|
| 324240
|
|
Update OS/2 ReadMe files (newsgroup change, new libc)
|
Firefox Build System
|
General
|
mozilla
|
VERI
|
FIXE
|
2018-03-02
|
| 334384
|
|
Double free in nsVCard.cpp
|
MailNews Core
|
Address Book
|
mozilla
|
VERI
|
FIXE
|
2020-05-23
|
| 326281
|
|
Missing SAVE_SP_AND_PC calls before js_CheckRedeclaration calls
|
Core
|
JavaScript Engine
|
mrbkap
|
VERI
|
FIXE
|
2006-08-17
|
| 329219
|
|
Box object dangles content reference
|
Core
|
XUL
|
neil
|
VERI
|
FIXE
|
2008-07-31
|
| 328395
|
|
Crash in [@ nsIPresShell::GetPresContext()] closing Print Preview window after automatic selection testcase.
|
Core
|
Layout
|
sharparrow1
|
VERI
|
FIXE
|
2011-06-09
|
| 283565
|
|
Improper use of Realloc (mlk/crash) and silly return value for OOM
|
Core Graveyard
|
Security: UI
|
timeless
|
VERI
|
FIXE
|
2016-09-27
|
| 330098
|
|
XPCCallContext::~XPCCallContext is still wiping out newborn roots causing crashes under [@ js_FinalizeObject] because AllocSlots is calling gc and causing its caller (js_NewObject)'s obj to be destroyed before it's stable
|
Core
|
XPConnect
|
timeless
|
VERI
|
FIXE
|
2006-05-22
|