Closed
Bug 1105938
Opened 10 years ago
Closed 10 years ago
Global-buffer-overflow in CSSParserImpl::ParseDeclaration
Categories: Core :: CSS Parsing and Computation, defect
People: Reporter: attekett, Assigned: MatsPalmgren_bugz
Details: 5 keywords, Whiteboard: [asan][adv-main37-][b2g-adv-main2.2-]
Attachments (2 files)
112 bytes, text/html
2.51 KB, patch, heycam: review+
Tested on:
OS: Ubuntu 14.04
Firefox: ASAN build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1417138481/
ASAN-trace:
==13264==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ff6e18e58d0 at pc 0x7ff6dd4d5766 bp 0x7fffcc780df0 sp 0x7fffcc780de8
READ of size 4 at 0x7ff6e18e58d0 thread T0
#0 0x7ff6dd4d5765 in PropHasFlags /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsCSSProps.h:379:0
#1 0x7ff6dd4d5765 in (anonymous namespace)::CSSParserImpl::ParseDeclaration(mozilla::css::Declaration*, unsigned int, bool, bool*, (anonymous namespace)::CSSParserImpl::nsCSSContextType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsCSSParser.cpp:6527:0
#2 0x7ff6dd4d3cb9 in (anonymous namespace)::CSSParserImpl::ParseDeclarationBlock(unsigned int, (anonymous namespace)::CSSParserImpl::nsCSSContextType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsCSSParser.cpp:6044:0
#3 0x7ff6dd4eef34 in (anonymous namespace)::CSSParserImpl::ParsePageRule(void (*)(mozilla::css::Rule*, void*), void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsCSSParser.cpp:3871:0
#4 0x7ff6dd4e463c in (anonymous namespace)::CSSParserImpl::ParseAtRule(void (*)(mozilla::css::Rule*, void*), void*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsCSSParser.cpp:2839:0
#5 0x7ff6dd3e896a in ParseSheet /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsCSSParser.cpp:1311:0
#6 0x7ff6dd3e896a in nsCSSParser::ParseSheet(nsAString_internal const&, nsIURI*, nsIURI*, nsIPrincipal*, unsigned int, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsCSSParser.cpp:15330:0
#7 0x7ff6dd3a693d in mozilla::css::Loader::ParseSheet(nsAString_internal const&, mozilla::css::SheetLoadData*, bool&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/Loader.cpp:1740:0
#8 0x7ff6dd3ac101 in mozilla::css::Loader::LoadInlineStyle(nsIContent*, nsAString_internal const&, unsigned int, nsAString_internal const&, nsAString_internal const&, mozilla::dom::Element*, nsICSSLoaderObserver*, bool*, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/Loader.cpp:1995:0
#9 0x7ff6da669e4e in nsStyleLinkElement::DoUpdateStyleSheet(nsIDocument*, mozilla::dom::ShadowRoot*, nsICSSLoaderObserver*, bool*, bool*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsStyleLinkElement.cpp:418:0
#10 0x7ff6da668752 in nsStyleLinkElement::UpdateStyleSheet(nsICSSLoaderObserver*, bool*, bool*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsStyleLinkElement.cpp:218:0
#11 0x7ff6d9a71614 in nsHtml5DocumentBuilder::UpdateStyleSheet(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5DocumentBuilder.cpp:76:0
#12 0x7ff6d9b45731 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOperation.cpp:803:0
#13 0x7ff6d9b36e6a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:448:0
#14 0x7ff6d9b3dffb in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:127:0
#15 0x7ff6d83fa804 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:830:0
#16 0x7ff6d845983a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265:0
#17 0x7ff6d8c74089 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99:0
#18 0x7ff6d8c222dc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233:0
#19 0x7ff6d8c222dc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226:0
#20 0x7ff6d8c222dc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200:0
#21 0x7ff6dcfe5337 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164:0
#22 0x7ff6dea0f9b8 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281:0
#23 0x7ff6deafc14e in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4150:0
#24 0x7ff6deafd073 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4226:0
#25 0x7ff6deafdeed in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4446:0
#26 0x48a2fa in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:292:0
#27 0x48a2fa in main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:661:0
#28 0x7ff6e7fc2ec4 in __libc_start_main ??:0:0
#29 0x48975c in _start ??:0:0
0x7ff6e18e58d0 is located 120 bytes to the right of global variable 'nsCSSProps::kFlagsTable' from '/builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/layout/style/Unified_cpp_layout_style1.cpp' (0x7ff6e18e5300) of size 1368
Comment 1 • 10 years ago
Regression from Bug 115199 or Bug 773296?
Comment 2 • 10 years ago (Assignee)
It looks benign to me - we're reading out-of-bounds from nsCSSProps::kFlagsTable
which is a const array. (On Linux it's in the .rodata section.)
Comment 3 • 10 years ago (Assignee)
The testcase contains: @page { ... --webkit-box-shadow:1px ...
I'm guessing custom properties aren't supported in @page:
http://hg.mozilla.org/mozilla-central/annotate/df3fc7cb7e80/layout/style/nsCSSParser.cpp#l6510
otherwise, we should also add "|| aContext == eCSSContext_Page" there.
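A constructed C model of the bug class described in comment 3, added here as an example and not code from Firefox or from this bug's patch: a per-property flags table with one row per built-in property, a shared custom-property ID that deliberately has no row, and a declaration parser that in the @page context consults the table before it has filtered out custom properties. The property set, the row layout, PROP_EXTRA_VARIABLE, CONTEXT_PAGE and FLAG_APPLIES_TO_PAGE are assumptions for the example; the real nsCSSProps::kFlagsTable layout, nsCSSProperty values and nsCSSContextType are not reproduced.

```c
/* Constructed model of the bug class, not Firefox code.  Property IDs,
 * names, flags and contexts are assumptions made for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum PropertyId {
    PROP_COLOR = 0,
    PROP_MARGIN,
    PROP_BOX_SHADOW,
    PROP_COUNT,                        /* number of rows in kFlagsTable */
    PROP_EXTRA_VARIABLE = PROP_COUNT,  /* custom property (--foo): has no row */
    PROP_UNKNOWN = -1
};

enum ContextType { CONTEXT_GENERAL, CONTEXT_PAGE };
enum ParseResult { DECL_ACCEPTED, DECL_REJECTED };

#define FLAG_APPLIES_TO_PAGE 0x1u

/* One row per built-in property; a custom property has no row here. */
static const uint32_t kFlagsTable[PROP_COUNT] = {
    [PROP_COLOR]      = FLAG_APPLIES_TO_PAGE,
    [PROP_MARGIN]     = FLAG_APPLIES_TO_PAGE,
    [PROP_BOX_SHADOW] = 0,
};

/* Names starting with "--" are custom properties and get the shared ID. */
static int lookup_property(const char *name) {
    if (strncmp(name, "--", 2) == 0)     return PROP_EXTRA_VARIABLE;
    if (strcmp(name, "color") == 0)      return PROP_COLOR;
    if (strcmp(name, "margin") == 0)     return PROP_MARGIN;
    if (strcmp(name, "box-shadow") == 0) return PROP_BOX_SHADOW;
    return PROP_UNKNOWN;
}

/* Table lookup, valid only for 0 <= id < PROP_COUNT.  Passing
 * PROP_EXTRA_VARIABLE reads one row past the end: a global-buffer-overflow
 * read of a const table, the pattern in the ASAN report above. */
static bool prop_has_flags(int id, uint32_t flags) {
    return (kFlagsTable[id] & flags) == flags;
}

/* Before the fix: the @page applicability check runs for every ID,
 * including the custom-property ID that has no table row. */
static enum ParseResult parse_declaration_before(const char *name, enum ContextType ctx) {
    int id = lookup_property(name);
    if (id == PROP_UNKNOWN) return DECL_REJECTED;
    if (ctx == CONTEXT_PAGE && !prop_has_flags(id, FLAG_APPLIES_TO_PAGE))
        return DECL_REJECTED;           /* out-of-bounds read for "--*" names */
    return DECL_ACCEPTED;
}

/* True when parse_declaration_before() would index kFlagsTable with an ID
 * that has no row; lets the demo show the trigger without doing the read. */
static bool before_overflows(const char *name, enum ContextType ctx) {
    int id = lookup_property(name);
    return ctx == CONTEXT_PAGE && id >= PROP_COUNT;
}

/* After the fix: custom properties are rejected in @page before any table
 * access (the shape of the change discussed in comment 3), and the ID is
 * range-checked before indexing as defence in depth. */
static enum ParseResult parse_declaration_after(const char *name, enum ContextType ctx) {
    int id = lookup_property(name);
    if (id == PROP_UNKNOWN) return DECL_REJECTED;
    if (id == PROP_EXTRA_VARIABLE)
        return ctx == CONTEXT_PAGE ? DECL_REJECTED : DECL_ACCEPTED;
    if (id < 0 || id >= PROP_COUNT) return DECL_REJECTED;  /* never index with a non-row ID */
    if (ctx == CONTEXT_PAGE && !prop_has_flags(id, FLAG_APPLIES_TO_PAGE))
        return DECL_REJECTED;
    return DECL_ACCEPTED;
}

int main(void) {
    /* Constructed from the testcase fragment quoted in comment 3. */
    const char *decl = "--webkit-box-shadow";
    printf("before: @page { %s } -> %s\n", decl,
           before_overflows(decl, CONTEXT_PAGE) ? "reads past kFlagsTable" : "in bounds");
    printf("before: @page { color } -> %s\n",
           parse_declaration_before("color", CONTEXT_PAGE) == DECL_ACCEPTED ? "accepted" : "rejected");
    printf("after:  @page { %s } -> %s\n", decl,
           parse_declaration_after(decl, CONTEXT_PAGE) == DECL_REJECTED ? "rejected" : "accepted");
    printf("after:  general { %s } -> %s\n", decl,
           parse_declaration_after(decl, CONTEXT_GENERAL) == DECL_ACCEPTED ? "accepted" : "rejected");
    return 0;
}
```

Calling parse_declaration_before("--webkit-box-shadow", CONTEXT_PAGE) under ASAN would report the same global-buffer-overflow read one row past the table, which is why the demo reports the trigger through before_overflows() instead of performing the read. The fixed path rejects custom properties in @page before any table access and still range-checks the ID, because a debug-only assertion in the lookup helper protects nothing in a release build.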
Comment 4 • 10 years ago
Comment on attachment 8530655 [details] [diff] [review]
fix
Yeah, these shouldn't parse in @page rules.
Attachment #8530655 - Flags: review?(cam) → review+
Comment 5 • 10 years ago (Assignee)
Flags: in-testsuite?
Comment 6 • 10 years ago
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox37:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Updated • 10 years ago
status-firefox35:
--- → wontfix
status-firefox36:
--- → affected
status-firefox-esr31:
--- → wontfix
Updated • 10 years ago
status-b2g-v1.4:
--- → wontfix
status-b2g-v2.0:
--- → wontfix
status-b2g-v2.0M:
--- → wontfix
status-b2g-v2.1:
--- → wontfix
status-b2g-v2.1S:
--- → wontfix
status-b2g-v2.2:
--- → fixed
Updated • 10 years ago
Whiteboard: [asan] → [asan][adv-main37-]
Updated • 10 years ago
Whiteboard: [asan][adv-main37-] → [asan][adv-main37-][b2g-adv-main2.2-]
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 9 years ago
Group: core-security-release