Closed
Bug 1186508
Opened 9 years ago
Closed 9 years ago
Heap-buffer-overflow nsStyleStruct::StyleMargin
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
Status: RESOLVED DUPLICATE of bug 1181011
Target Milestone: mozilla42
Branch | Tracking | Status
---|---|---
firefox40 | --- | unaffected
firefox41 | + | fixed
firefox42 | + | fixed
firefox-esr31 | --- | unaffected
firefox-esr38 | --- | unaffected
b2g-v2.0 | --- | unaffected
b2g-v2.0M | --- | unaffected
b2g-v2.1 | --- | unaffected
b2g-v2.1S | --- | unaffected
b2g-v2.2 | --- | unaffected
b2g-v2.2r | --- | unaffected
b2g-master | --- | fixed
People
(Reporter: attekett, Assigned: heycam)
Details: 5 keywords, Whiteboard: [regression from bug 804975]
Attachments (1 file): 1.12 KB, text/html
Description•9 years ago
Tested on:
OS: Ubuntu 14.04
Firefox: ASAN-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1437566509/

ASAN-trace:
=================================================================
==12107==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000000028 at pc 0x7f8d54b1ea55 bp 0x7ffc45fc6440 sp 0x7ffc45fc6438
READ of size 1 at 0x625000000028 thread T0 (Web Content)
    #0 0x7f8d54b1ea54 in StyleMargin /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/../style/nsStyleStruct.h:627:0
    #1 0x7f8d54b1ea54 in nsFrame::DidSetStyleContext(nsStyleContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:811:0
    #2 0x7f8d547bff43 in SetStyleContext /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/../generic/nsIFrame.h:544:0
    #3 0x7f8d547bff43 in mozilla::RestyleManager::ReparentStyleContext(nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/RestyleManager.cpp:2364:0
    #4 0x7f8d54c284ec in ReparentChildListStyle /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsInlineFrame.cpp:364:0
    #5 0x7f8d54c284ec in nsFirstLineFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsInlineFrame.cpp:1127:0
    #6 0x7f8d54a34d39 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsLineLayout.cpp:956:0
    #7 0x7f8d54a9eac1 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:3936:0
    #8 0x7f8d54a9d2cd in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:3738:0
    #9 0x7f8d54a92d82 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:3604:0
    #10 0x7f8d54a83fa2 in ReflowLine /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:2711:0
    #11 0x7f8d54a83fa2 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:2246:0
    #12 0x7f8d54a7c87c in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:1160:0
    #13 0x7f8d54a34d39 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsLineLayout.cpp:956:0
    #14 0x7f8d54a9eac1 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:3936:0
    #15 0x7f8d54a9d2cd in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:3738:0
    . . .

0x625000000028 is located 216 bytes to the left of 8192-byte region [0x625000000100,0x625000002100)
allocated by thread T0 (Web Content) here:
    #0 0x474fe1 in __interceptor_malloc _asan_rtl_:0
    #1 0x7f8d5bd8ae86 in PL_ArenaAllocate /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/lib/ds/plarena.c:203:0
    #2 0x7f8d4eb99359 in ArenaStrDup /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/prefapi.cpp:112:0
    #3 0x7f8d4eb99359 in pref_HashPref(char const*, PrefValue, PrefType, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/prefapi.cpp:724:0
    #4 0x7f8d4ebbc6c7 in pref_DoCallback /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/prefread.cpp:133:0
    #5 0x7f8d4ebbc6c7 in PREF_ParseBuf /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/prefread.cpp:530:0
    #6 0x7f8d4ebbfd36 in mozilla::pref_ReadPrefFromJar(nsZipArchive*, char const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/Preferences.cpp:1202:0
    #7 0x7f8d4eba26bc in mozilla::pref_InitInitialObjects() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/Preferences.cpp:1325:0
    #8 0x7f8d4eba00e2 in mozilla::Preferences::Init() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/Preferences.cpp:531:0
    #9 0x7f8d4eb9fd1d in mozilla::Preferences::GetInstanceForService() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/Preferences.cpp:419:0
    #10 0x7f8d4ebbf07f in PreferencesConstructor(nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/modules/libpref/nsPrefsFactory.cpp:13:0
    . . .

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c4a7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8000: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8020: 00 00 00 00 00 00 00 00 05 00 00 00 00 07 00 00
  0x0c4a7fff8030: 05 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00
  0x0c4a7fff8040: 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8050: 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==12107==ABORTING
[Parent 11951] WARNING: pipe error (32): Connection reset by peer: file /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459
###!!! [Parent][MessageChannel] Error: (msgtype=0x200081,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
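The report above carries three numbers worth checking by hand before triaging: the faulting address, the distance ASan claims to the nearest heap chunk, and that chunk's bounds. The script below is an added example, not Mozilla code and not the attachment on this bug. It parses a constructed excerpt that reuses the addresses, sizes and a few of the frames from the report above, recomputes that 0x625000000100 - 0x625000000028 really is 216 and that the region is 8192 bytes, and applies one triage heuristic that is mine rather than ASan's: an access before the start of a chunk whose allocation stack shares no source directory with the faulting stack is more likely a wild or stale pointer than an overrun of that chunk, because ASan names whichever chunk lies nearest to the address, not one the faulting code ever owned. Here the nearest chunk is a libpref arena string that layout code has no business touching.

```python
"""Triage helper for an AddressSanitizer heap-buffer-overflow report.

Added example, not Mozilla code. REPORT is a constructed excerpt that
reuses the addresses, sizes and a handful of frames from the report in
this bug; the "/builds/slave/..." prefix is kept because the source
directory after "/build/src/" is what the heuristic below keys on.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SRC = "/builds/slave/m-cen-l64-asan-ntly-0000000000/build/src"

REPORT = f"""\
==12107==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000000028 at pc 0x7f8d54b1ea55 bp 0x7ffc45fc6440 sp 0x7ffc45fc6438
READ of size 1 at 0x625000000028 thread T0 (Web Content)
    #0 0x7f8d54b1ea54 in StyleMargin {SRC}/layout/generic/../style/nsStyleStruct.h:627:0
    #1 0x7f8d54b1ea54 in nsFrame::DidSetStyleContext(nsStyleContext*) {SRC}/layout/generic/nsFrame.cpp:811:0
    #2 0x7f8d547bff43 in mozilla::RestyleManager::ReparentStyleContext(nsIFrame*) {SRC}/layout/base/RestyleManager.cpp:2364:0
0x625000000028 is located 216 bytes to the left of 8192-byte region [0x625000000100,0x625000002100)
allocated by thread T0 (Web Content) here:
    #0 0x474fe1 in __interceptor_malloc _asan_rtl_:0
    #1 0x7f8d5bd8ae86 in PL_ArenaAllocate {SRC}/nsprpub/lib/ds/plarena.c:203:0
    #2 0x7f8d4eb99359 in ArenaStrDup {SRC}/modules/libpref/prefapi.cpp:112:0
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
"""

Frame = Tuple[str, str]  # (function, file:line:col as printed)


@dataclass
class AsanFinding:
    kind: str              # e.g. "heap-buffer-overflow"
    access: str            # "READ" or "WRITE"
    size: int              # bytes accessed
    addr: int              # faulting address
    region_start: int      # nearest chunk [start, end)
    region_end: int
    region_size: int       # size ASan printed for that chunk
    claimed_offset: int    # distance ASan printed
    claimed_side: str      # "left" or "right" of the chunk
    access_frames: List[Frame]
    alloc_frames: List[Frame]


HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.MULTILINE)
REGION_RE = re.compile(
    r"0x([0-9a-f]+) is located (\d+) bytes to the (left|right) of "
    r"(\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$", re.MULTILINE)


def parse_asan_report(text: str) -> AsanFinding:
    header = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    if not (header and access and region):
        raise ValueError("not a heap-buffer-overflow report with a nearest-region line")
    # Frames printed before the "is located" line are the faulting stack;
    # frames printed after it are the allocation stack of the named chunk.
    access_frames = [m.groups() for m in FRAME_RE.finditer(text, 0, region.start())]
    alloc_frames = [m.groups() for m in FRAME_RE.finditer(text, region.end())]
    return AsanFinding(
        kind=header.group(1),
        access=access.group(1),
        size=int(access.group(2)),
        addr=int(header.group(2), 16),
        region_start=int(region.group(5), 16),
        region_end=int(region.group(6), 16),
        region_size=int(region.group(4)),
        claimed_offset=int(region.group(2)),
        claimed_side=region.group(3),
        access_frames=access_frames,
        alloc_frames=alloc_frames,
    )


def offset_is_consistent(f: AsanFinding) -> bool:
    """Recompute the distance and chunk size from the raw addresses."""
    if f.claimed_side == "left":
        computed = f.region_start - f.addr
    else:
        computed = f.addr - f.region_end
    return computed == f.claimed_offset and f.region_end - f.region_start == f.region_size


def source_component(location: str) -> Optional[str]:
    """Top-level source directory of a frame ('layout', 'nsprpub', ...),
    or None for runtime frames such as _asan_rtl_."""
    m = re.search(r"/build/src/([^/]+)/", location)
    return m.group(1) if m else None


def stacks_share_component(access: List[Frame], alloc: List[Frame]) -> bool:
    a = {source_component(loc) for _, loc in access} - {None}
    b = {source_component(loc) for _, loc in alloc} - {None}
    return bool(a & b)


def triage(f: AsanFinding) -> str:
    """Heuristic (mine, not ASan's): an access *before* a chunk that the
    faulting subsystem never allocated is more likely a wild or stale
    pointer than an index overrun of that chunk."""
    if not offset_is_consistent(f):
        return "inconsistent-report"
    if f.claimed_side == "left" and not stacks_share_component(f.access_frames, f.alloc_frames):
        return "wild-pointer-suspect"
    return "overrun-of-named-region"


if __name__ == "__main__":
    finding = parse_asan_report(REPORT)
    print(f"{finding.access} of {finding.size} at {finding.addr:#x}: {triage(finding)}")
```

Feed a full report on stdin or a file in place of REPORT for real use; the regexes only depend on the standard ASan wording, while source_component assumes the Mozilla tinderbox path layout shown in this bug and would need its prefix changed for another tree.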
Comment 1•9 years ago
FWIW:
- In an opt build, the attached testcase just triggers a crash. (not sure where; didn't submit a crash report to avoid leaking information)
- In a debug build (without ASAN), the attached testcase triggers an abort from this fatal assertion:
Assertion failure: !(mConditionalBits & GetBitForSID(aSID)) (rule node should not have unconditional and conditional style data for a given struct), at layout/style/nsRuleNode.h:180
heycam, looks like you added that assertion (and surrounding code) recently in bug 804975. Mind taking a look?
Component: Layout → CSS Parsing and Computation
Flags: needinfo?(cam)
Comment 2•9 years ago
mozregression confirms that this bug (or at least, the opt-build crash aspect of it) is a regression from bug 804975.
Regression range: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a6f67ef45731&tochange=733b4adb4140
[Tracking Requested - why for this release]: new crash in Firefox 41, w/ possible security implications.
status-firefox40: --- → unaffected
status-firefox41: --- → affected
tracking-firefox41: --- → ?
Whiteboard: [regression from bug 804975]
Updated•9 years ago
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
status-b2g-v2.2r: --- → unaffected
status-b2g-master: --- → affected
status-firefox-esr31: --- → unaffected
status-firefox-esr38: --- → unaffected
Updated•9 years ago
Assignee: nobody → cam
Flags: needinfo?(cam)
Comment 3•9 years ago (assignee)
I think this is the same issue (interaction of animations, ::first-line, and reset structs being cached in the rule tree with a font-size dependency) as, and was fixed by, bug 1181011, which was merged into m-c on July 28. I can't reproduce the assertion on m-c unless I revert the bug 1181011 patch. Resolving as a duplicate; Daniel/Atte if you are able to reproduce on a current build please reopen.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
Target Milestone: --- → mozilla42
Comment 4•9 years ago
(In reply to Cameron McCormack (:heycam) from comment #3)
> Resolving as a duplicate; Daniel/Atte if you are able to reproduce on a
> current build please reopen.

Can't reproduce any assertions/crashes with current mozilla-inbound build. Also no issues with a current ASAN build downloaded from here:
https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1438606121/firefox-42.0a1.en-US.linux-x86_64-asan.tar.bz2
So, seems fixed, & hence likely indeed a dupe.
Comment 5•9 years ago
(meant to say: "...with current mozilla-inbound *debug* build")
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release