Closed Bug 1186508 Opened 9 years ago Closed 9 years ago

Heap-buffer-overflow nsStyleStruct::StyleMargin

Categories

(Core :: CSS Parsing and Computation, defect)

defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1181011
mozilla42
Tracking Status
firefox40 --- unaffected
firefox41 + fixed
firefox42 + fixed
firefox-esr31 --- unaffected
firefox-esr38 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-v2.2r --- unaffected
b2g-master --- fixed

People

(Reporter: attekett, Assigned: heycam)

References

Details

(5 keywords, Whiteboard: [regression from bug 804975])

Attachments

(1 file)

Attached file repro-file.html
Tested on:

OS: Ubuntu 14.04

Firefox: ASAN-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1437566509/

ASAN-trace:

=================================================================
==12107==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000000028 at pc 0x7f8d54b1ea55 bp 0x7ffc45fc6440 sp 0x7ffc45fc6438
READ of size 1 at 0x625000000028 thread T0 (Web Content)
    #0 0x7f8d54b1ea54 in StyleMargin /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/../style/nsStyleStruct.h:627:0
    #1 0x7f8d54b1ea54 in nsFrame::DidSetStyleContext(nsStyleContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:811:0
    #2 0x7f8d547bff43 in SetStyleContext /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/../generic/nsIFrame.h:544:0
    #3 0x7f8d547bff43 in mozilla::RestyleManager::ReparentStyleContext(nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/RestyleManager.cpp:2364:0
    #4 0x7f8d54c284ec in ReparentChildListStyle /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsInlineFrame.cpp:364:0
    #5 0x7f8d54c284ec in nsFirstLineFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsInlineFrame.cpp:1127:0
    #6 0x7f8d54a34d39 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsLineLayout.cpp:956:0
    #7 0x7f8d54a9eac1 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:3936:0
    #8 0x7f8d54a9d2cd in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:3738:0
    #9 0x7f8d54a92d82 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:3604:0
    #10 0x7f8d54a83fa2 in ReflowLine /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:2711:0
    #11 0x7f8d54a83fa2 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:2246:0
    #12 0x7f8d54a7c87c in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:1160:0
    #13 0x7f8d54a34d39 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsLineLayout.cpp:956:0
    #14 0x7f8d54a9eac1 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:3936:0
    #15 0x7f8d54a9d2cd in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:3738:0
.
.
.
0x625000000028 is located 216 bytes to the left of 8192-byte region [0x625000000100,0x625000002100)
allocated by thread T0 (Web Content) here:
    #0 0x474fe1 in __interceptor_malloc _asan_rtl_:0
    #1 0x7f8d5bd8ae86 in PL_ArenaAllocate /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/lib/ds/plarena.c:203:0
    #2 0x7f8d4eb99359 in ArenaStrDup /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/prefapi.cpp:112:0
    #3 0x7f8d4eb99359 in pref_HashPref(char const*, PrefValue, PrefType, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/prefapi.cpp:724:0
    #4 0x7f8d4ebbc6c7 in pref_DoCallback /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/prefread.cpp:133:0
    #5 0x7f8d4ebbc6c7 in PREF_ParseBuf /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/prefread.cpp:530:0
    #6 0x7f8d4ebbfd36 in mozilla::pref_ReadPrefFromJar(nsZipArchive*, char const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/Preferences.cpp:1202:0
    #7 0x7f8d4eba26bc in mozilla::pref_InitInitialObjects() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/Preferences.cpp:1325:0
    #8 0x7f8d4eba00e2 in mozilla::Preferences::Init() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/Preferences.cpp:531:0
    #9 0x7f8d4eb9fd1d in mozilla::Preferences::GetInstanceForService() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/Preferences.cpp:419:0
    #10 0x7f8d4ebbf07f in PreferencesConstructor(nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/nsPrefsFactory.cpp:13:0
.
.
.
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c4a7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8000: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8020: 00 00 00 00 00 00 00 00 05 00 00 00 00 07 00 00
  0x0c4a7fff8030: 05 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00
  0x0c4a7fff8040: 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8050: 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==12107==ABORTING
[Parent 11951] WARNING: pipe error (32): Connection reset by peer: file /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459

###!!! [Parent][MessageChannel] Error: (msgtype=0x200081,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
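As an added triage helper (not part of the bug report or of Gecko), the script below parses the key lines of the ASan report above and cross-checks its geometry: the "216 bytes to the left of" distance must reproduce the faulting address from the region bounds, and the bracketed shadow byte on the "=>" row must sit at (addr >> 3) + 0x7fff8000, the x86-64 shadow mapping, and decode to a heap left redzone per the legend. The excerpt is copied from the report; the mapping offset and the legend subset are assumptions taken from ASan's documented layout.

```python
import re

# Constructed excerpt of the ASan report in this bug (only the lines the parser needs).
SAMPLE_REPORT = """\
==12107==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000000028 at pc 0x7f8d54b1ea55 bp 0x7ffc45fc6440 sp 0x7ffc45fc6438
READ of size 1 at 0x625000000028 thread T0 (Web Content)
0x625000000028 is located 216 bytes to the left of 8192-byte region [0x625000000100,0x625000002100)
=>0x0c4a7fff8000: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
"""

# Assumed x86-64 ASan mapping: shadow_addr = (addr >> 3) + 0x7fff8000, one shadow byte per 8 bytes.
SHADOW_OFFSET = 0x7FFF8000
LEGEND = {0xFA: "heap left redzone", 0xFB: "heap right redzone", 0xFD: "freed heap region"}


def parse_asan_report(text):
    """Extract the faulting access and the allocation it missed, then verify both
    against the marked shadow byte so the report's geometry can be trusted."""
    m = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    kind, addr = m.group(1), int(m.group(2), 16)
    m = re.search(r"(READ|WRITE) of size (\d+)", text)
    access, size = m.group(1), int(m.group(2))
    m = re.search(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                  r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text)
    dist, side, rsize = int(m.group(1)), m.group(2), int(m.group(3))
    lo, hi = int(m.group(4), 16), int(m.group(5), 16)
    # The reported distance must reproduce the faulting address from the region bounds.
    expected = lo - dist if side == "left" else hi + dist
    offset_ok = expected == addr and hi - lo == rsize
    # The "=>" row lists shadow bytes; the bracketed one covers the faulting address.
    m = re.search(r"=>(0x[0-9a-f]+): (.+)", text)
    row_base = int(m.group(1), 16)
    tokens = re.findall(r"(\[?)([0-9a-f]{2})\]?", m.group(2))
    idx = next(i for i, (bracket, _) in enumerate(tokens) if bracket)
    shadow_byte = int(tokens[idx][1], 16)
    shadow_addr = (addr >> 3) + SHADOW_OFFSET
    return {
        "kind": kind, "access": access, "size": size, "addr": addr,
        "region": (lo, hi), "side": side, "distance": dist, "offset_ok": offset_ok,
        "shadow_addr": shadow_addr, "shadow_byte": shadow_byte,
        "shadow_meaning": LEGEND.get(shadow_byte, "other"),
        "shadow_ok": row_base + idx == shadow_addr,
    }


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(f"{r['access']} of {r['size']} byte(s) at {r['addr']:#x}: {r['distance']} bytes "
          f"{r['side']} of region [{r['region'][0]:#x},{r['region'][1]:#x}) "
          f"(geometry consistent: {r['offset_ok']})")
    print(f"shadow byte {r['shadow_byte']:#04x} ({r['shadow_meaning']}) at "
          f"{r['shadow_addr']:#x} (matches marked row: {r['shadow_ok']})")
```

A 1-byte read landing 216 bytes before an 8192-byte arena block, in a left redzone, is the signature of a stale or mis-typed pointer rather than an off-by-one at the end of a buffer, which is consistent with the rule-tree cache confusion the later comments identify.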
FWIW:
 - In an opt build, the attached testcase just triggers a crash. (not sure where; didn't submit a crash report to avoid leaking information)

 - In a debug build (without ASAN), the attached testcase triggers an abort from this fatal assertion:
Assertion failure: !(mConditionalBits & GetBitForSID(aSID)) (rule node should not have unconditional and conditional style data for a given struct), at layout/style/nsRuleNode.h:180

heycam, looks like you added that assertion (and surrounding code) recently in bug 804975. Mind taking a look?
Component: Layout → CSS Parsing and Computation
Flags: needinfo?(cam)
mozregression confirms that this bug (or at least, the opt-build crash aspect of it) is a regression from bug 804975.

Regression range:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a6f67ef45731&tochange=733b4adb4140

[Tracking Requested - why for this release]: new crash in Firefox 41, w/ possible security implications.
Whiteboard: [regression from bug 804975]
Assignee: nobody → cam
Flags: needinfo?(cam)
I think this is the same issue (interaction of animations, ::first-line, and reset structs being cached in the rule tree with a font-size dependency) as, and was fixed by, bug 1181011, which was merged into m-c on July 28.  I can't reproduce the assertion on m-c unless I revert the bug 1181011 patch.

Resolving as a duplicate; Daniel/Atte if you are able to reproduce on a current build please reopen.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
(In reply to Cameron McCormack (:heycam) from comment #3)
> Resolving as a duplicate; Daniel/Atte if you are able to reproduce on a
> current build please reopen.

Can't reproduce any assertions/crashes with current mozilla-inbound build. Also no issues with a current ASAN build downloaded from here:
https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1438606121/firefox-42.0a1.en-US.linux-x86_64-asan.tar.bz2

So, seems fixed, & hence likely indeed a dupe.
(meant to say: "...with current mozilla-inbound *debug* build")
Group: core-security → core-security-release
Group: core-security-release