Closed
Bug 859016
Opened 11 years ago
Closed 11 years ago
Remaining dir=auto issues (2): Heap-use-after-free in mozilla::WalkAncestorsResetAutoDirection
Categories: Core :: Layout: Text and Fonts (defect)
Status: RESOLVED FIXED
Version | Tracking | Status
---|---|---
firefox20 | --- | disabled |
firefox21 | + | fixed |
firefox22 | + | fixed |
firefox23 | + | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: inferno, Assigned: smontagu)
(5 keywords, Whiteboard: [asan][adv-main21+])
Attachments (1 file): 355 bytes, text/html
>==7133== ERROR: AddressSanitizer: heap-use-after-free on address 0x6018002ed2ec at pc 0x7ff059da3584 bp 0x7fffc28f2b40 sp 0x7fffc28f2b38
>READ of size 4 at 0x6018002ed2ec thread T0
> #0 0x7ff059da3583 in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) ../../../dist/include/nsINode.h:1354
> #1 0x7ff059da7074 in mozilla::SetDirOnBind(mozilla::dom::Element*, nsIContent*) content/base/src/DirectionalityUtils.cpp:947
> #2 0x7ff059f1f093 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) content/base/src/Element.cpp:1139
> #3 0x7ff05a1e505a in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) content/html/content/src/nsGenericHTMLElement.cpp:602
> #4 0x7ff059f580cc in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) content/base/src/nsINode.cpp:1337
> #5 0x7ff05a43ccf2 in mozilla::dom::HTMLSelectElement::InsertChildAt(nsIContent*, unsigned int, bool) content/html/content/src/HTMLSelectElement.cpp:189
> #6 0x7ff059f5bca7 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) content/base/src/nsINode.cpp:1943
> #7 0x7ff05c4c6a87 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) ../../dist/include/nsINode.h:1547
> #8 0x7ff05c4bc796 in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) objdir-ff-asan/dom/bindings/NodeBinding.cpp:1365
> #9 0x7ff05dcd3fb3 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jscntxtinlines.h:338
> #10 0x7ff05dcc6618 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode, bool) js/src/jsinterp.cpp:2393
> #11 0x7ff05dcb4dad in js::RunScript(JSContext*, js::StackFrame*) js/src/jsinterp.cpp:365
> #12 0x7ff05dcd3ed2 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jsinterp.cpp:422
> #13 0x7ff05dcd4f6f in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/jsinterp.h:135
> #14 0x7ff05db8b91a in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) js/src/jsapi.cpp:5854
> #15 0x7ff05b3081e9 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJSClass.cpp:1433
> #16 0x7ff05b2f8afa in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJS.cpp:579
> #17 0x7ff05c991a24 in PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
> #18 0x7ff05c990a96 in SharedStub
>0x6018002ed2ec is located 44 bytes inside of 120-byte region [0x6018002ed2c0,0x6018002ed338)
>freed by thread T0 here:
> #0 0x4186d2 in __interceptor_free
> #1 0x7ff059f8af4f in nsNodeUtils::LastRelease(nsINode*) content/base/src/nsNodeUtils.cpp:259
> #2 0x7ff059f3e6f5 in nsGenericDOMDataNode::Release() content/base/src/nsGenericDOMDataNode.cpp:116
> #3 0x7ff059ea3352 in nsDocument::EndUpdate(unsigned int) content/base/src/nsDocument.cpp:4291
> #4 0x7ff05a5ad112 in nsHTMLDocument::EndUpdate(unsigned int) content/html/document/src/nsHTMLDocument.cpp:2577
> #5 0x7ff05fe6e09f in
>previously allocated by thread T0 here:
> #0 0x4187b2 in __interceptor_malloc
> #1 0x7ff062a5f418 in moz_xmalloc memory/mozalloc/mozalloc.cpp:54
> #2 0x7ff0596b1d76 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) layout/base/nsCSSFrameConstructor.cpp:3798
> #3 0x7ff0596ab2e9 in nsCSSFrameConstructor::ConstructSelectFrame(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsIFrame*, nsStyleDisplay const*, nsFrameItems&) layout/base/nsCSSFrameConstructor.cpp:2942
> #4 0x7ff0596aee1c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&) layout/base/nsCSSFrameConstructor.cpp:3531
> #5 0x7ff0596b6270 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&) layout/base/nsCSSFrameConstructor.cpp:5481
> #6 0x607200ffffff in
>Shadow bytes around the buggy address:
>==7133== ABORTING
Comment 1•11 years ago
Same problem as in bug 859014 -- we find a deleted text node on a dirAutoSetBy property and try to use it, this time in WalkAncestorsResetAutoDirection.
Assignee: nobody → smontagu
Severity: normal → critical
Hardware: x86_64 → All
Whiteboard: [asan]
Updated•11 years ago
Flags: sec-bounty?
Updated•11 years ago
status-b2g18: --- → unaffected
status-firefox20: --- → disabled
status-firefox21: --- → affected
status-firefox22: --- → affected
status-firefox23: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox21: --- → +
tracking-firefox22: --- → +
tracking-firefox23: --- → +
Comment 2•11 years ago
WFM (using ASan on Mac)
Comment 3•11 years ago
Fixed by bug 861607. That is to say, bug 861606 makes this assert instead of crash, and bug 861607 fixes the assert.
Updated•11 years ago
Flags: sec-bounty? → sec-bounty+
Comment 5•11 years ago
Marking the status flags in this bug fixed as Bug 861607 was uplifted all the way to Fx21.
Updated•11 years ago
Whiteboard: [asan] → [asan][adv-main21+]
Updated•11 years ago
Group: core-security