Heap-buffer-overflow WRITE in nsGridContainerFrame::TrackSize::Initialize

Status: RESOLVED DUPLICATE of bug 1225592
Product: Core
Component: Layout
Severity: critical
Reported: 2 years ago
Modified: 2 years ago

People

Reporter: Abhishek Arya
Assignee: mats

Tracking

Keywords: sec-critical, testcase
Version: Trunk

Firefox Tracking Flags

firefox45 affected

Attachments

1 attachment

Description (Reporter, 2 years ago)

Created attachment 8692292
grid.html

=================================================================
==23995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f27de636814 at pc 0x7f27ffb09cfd bp 0x7ffcea53d1c0 sp 0x7ffcea53d1b8
WRITE of size 2 at 0x7f27de636814 thread T0 (Web Content)
    #0 0x7f27ffb09cfc in nsGridContainerFrame::TrackSize::Initialize(int, nsStyleCoord const&, nsStyleCoord const&) layout/generic/nsGridContainerFrame.cpp:1876:14
    #1 0x7f27ffb0a11d in nsGridContainerFrame::Tracks::Initialize(nsGridContainerFrame::TrackSizingFunctions const&, int, unsigned int, int) layout/generic/nsGridContainerFrame.cpp:1937:5
    #2 0x7f27ffb1c751 in nsGridContainerFrame::IntrinsicISize(nsRenderingContext*, nsLayoutUtils::IntrinsicISizeType) layout/generic/nsGridContainerFrame.cpp:3019:3
    #3 0x7f27ffb1d7ff in nsGridContainerFrame::GetMinISize(nsRenderingContext*) layout/generic/nsGridContainerFrame.cpp:3037:23
    #4 0x7f27ffa2df94 in ShrinkWidthToFit layout/generic/nsFrame.cpp:4543:22
    #5 0x7f27ffa2df94 in nsContainerFrame::ComputeAutoSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, bool) layout/generic/nsContainerFrame.cpp:905
    #6 0x7f27ffa39ab8 in nsFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) layout/generic/nsFrame.cpp:4295:24
    #7 0x7f27ffb2b11e in nsHTMLReflowState::InitConstraints(nsPresContext*, mozilla::LogicalSize const&, nsMargin const*, nsMargin const*, nsIAtom*) layout/generic/nsHTMLReflowState.cpp:2340:9
    #8 0x7f27ffa44a19 in nsHTMLReflowState::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) layout/generic/nsHTMLReflowState.cpp:388:3
    #9 0x7f27ff96c845 in emplace<nsPresContext *&, const nsHTMLReflowState &, nsIFrame *&, mozilla::LogicalSize &> objdir-ff-asan/dist/include/mozilla/Maybe.h:386:29
    #10 0x7f27ff96c845 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) layout/generic/nsLineLayout.cpp:883
    #11 0x7f27ff9e0320 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) layout/generic/nsBlockFrame.cpp:4044:3
    #12 0x7f27ff9de6d1 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) layout/generic/nsBlockFrame.cpp:3846:5
    #13 0x7f27ff9d4ecf in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3712:9
    #14 0x7f27ff9c4b2d in ReflowLine layout/generic/nsBlockFrame.cpp:2720:5
    #15 0x7f27ff9c4b2d in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2255
    #16 0x7f27ff9bd813 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1166:3
    #17 0x7f27ff9dbaa1 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:306:3
    #18 0x7f27ff9d1717 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3357:7
    #19 0x7f27ff9c4b5d in ReflowLine layout/generic/nsBlockFrame.cpp:2717:5
    #20 0x7f27ff9c4b5d in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2255
    #21 0x7f27ff9bd813 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1166:3
    #22 0x7f27ffa2e966 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:990:3
    #23 0x7f27ffa11ef5 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsCanvasFrame.cpp:693:5
    #24 0x7f27ffac7f9e in ReflowChild layout/generic/nsContainerFrame.cpp:990:3
    #25 0x7f27ffac7f9e in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) layout/generic/nsGfxScrollFrame.cpp:527
    #26 0x7f27ffac97bd in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) layout/generic/nsGfxScrollFrame.cpp:639:3
    #27 0x7f27ffacbb39 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsGfxScrollFrame.cpp:874:3
    #28 0x7f27ffa2edcd in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:1032:3
    #29 0x7f27ffc5ccc2 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsViewportFrame.cpp:308:7
    #30 0x7f27ff90aab7 in PresShell::DoReflow(nsIFrame*, bool) layout/base/nsPresShell.cpp:9000:3
    #31 0x7f27ff91f94b in PresShell::ProcessReflowCommands(bool) layout/base/nsPresShell.cpp:9173:24
    #32 0x7f27ff91e74a in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) layout/base/nsPresShell.cpp:4119:11
    #33 0x7f27ff866ef3 in nsDocumentViewer::LoadComplete(nsresult) layout/base/nsDocumentViewer.cpp:926:5
    #34 0x7f28005da412 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) docshell/base/nsDocShell.cpp:7440:5
    #35 0x7f28005d65c9 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) docshell/base/nsDocShell.cpp:7254:7
    #36 0x7f28005dd76f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) docshell/base/nsDocShell.cpp:7151:13
    #37 0x7f27fad724aa in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) uriloader/base/nsDocLoader.cpp:1247:3
    #38 0x7f27fad717b2 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) uriloader/base/nsDocLoader.cpp:831:5
    #39 0x7f27fad6ea68 in nsDocLoader::DocLoaderIsEmpty(bool) uriloader/base/nsDocLoader.cpp:721:9
    #40 0x7f27fad70b05 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) uriloader/base/nsDocLoader.cpp:605:5
    #41 0x7f27fad713fc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) uriloader/base/nsDocLoader.cpp:468:14
    #42 0x7f27f95e99f6 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) netwerk/base/nsLoadGroup.cpp:634:18
    #43 0x7f27fbacae2d in nsDocument::DoUnblockOnload() dom/base/nsDocument.cpp:8967:7
    #44 0x7f27fbaca3fd in nsDocument::UnblockOnload(bool) dom/base/nsDocument.cpp:8895:9
    #45 0x7f27fba9b577 in nsDocument::DispatchContentLoadedEvents() dom/base/nsDocument.cpp:5042:3
    #46 0x7f27fbb703d0 in apply<nsDocument, void (nsDocument::*)()> objdir-ff-asan/dist/include/nsThreadUtils.h:663:5
    #47 0x7f27fbb703d0 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() objdir-ff-asan/dist/include/nsThreadUtils.h:870
    #48 0x7f27f9419f48 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:964:7
    #49 0x7f27f949bf2c in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:297:10
    #50 0x7f27f9e0597e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:95:21
    #51 0x7f27f9d6fcf1 in RunInternal ipc/chromium/src/base/message_loop.cc:234:3
    #52 0x7f27f9d6fcf1 in RunHandler ipc/chromium/src/base/message_loop.cc:227
    #53 0x7f27f9d6fcf1 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:201
    #54 0x7f27fef82daf in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:3
    #55 0x7f2800fc8063 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:787:12
    #56 0x7f27f9d6fcf1 in RunInternal ipc/chromium/src/base/message_loop.cc:234:3
    #57 0x7f27f9d6fcf1 in RunHandler ipc/chromium/src/base/message_loop.cc:227
    #58 0x7f27f9d6fcf1 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:201
    #59 0x7f2800fc75f3 in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:623:7
    #60 0x4ed37e in content_process_main(int, char**) ipc/contentproc/plugin-container.cpp:237:19
    #61 0x7f27f6622ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
0x7f27de636814 is located 20 bytes to the right of 262144-byte region [0x7f27de5f6800,0x7f27de636800)
allocated by thread T0 (Web Content) here:
    #0 0x4bd028 in __interceptor_malloc _asan_rtl_
    #1 0x4ed79d in moz_xmalloc memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f27f925bb2d in Malloc objdir-ff-asan/dist/include/nsTArray.h:184:46
    #3 0x7f27f925bb2d in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) objdir-ff-asan/dist/include/nsTArray-inl.h:171
    #4 0x7f27fab7022b in bool nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::InsertSlotsAt<nsTArrayInfallibleAllocator>(unsigned long, unsigned long, unsigned long, unsigned long) objdir-ff-asan/dist/include/nsTArray-inl.h:286:3
    #5 0x7f27ffb0a3c1 in InsertElementsAt<nsTArrayInfallibleAllocator> objdir-ff-asan/dist/include/nsTArray.h:1824:10
    #6 0x7f27ffb0a3c1 in nsTArrayInfallibleAllocator::ResultType nsTArray_Impl<nsGridContainerFrame::TrackSize, nsTArrayInfallibleAllocator>::SetLength<nsTArrayInfallibleAllocator>(unsigned long) objdir-ff-asan/dist/include/nsTArray.h:1762
    #7 0x7f27ffb09e73 in nsGridContainerFrame::Tracks::Initialize(nsGridContainerFrame::TrackSizingFunctions const&, int, unsigned int, int) layout/generic/nsGridContainerFrame.cpp:1917:3
    #8 0x7f27ffb1c751 in nsGridContainerFrame::IntrinsicISize(nsRenderingContext*, nsLayoutUtils::IntrinsicISizeType) layout/generic/nsGridContainerFrame.cpp:3019:3
    #9 0x7f27ffb1d7ff in nsGridContainerFrame::GetMinISize(nsRenderingContext*) layout/generic/nsGridContainerFrame.cpp:3037:23
    #10 0x7f27ffa2df94 in ShrinkWidthToFit layout/generic/nsFrame.cpp:4543:22
    #11 0x7f27ffa2df94 in nsContainerFrame::ComputeAutoSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, bool) layout/generic/nsContainerFrame.cpp:905
    #12 0x7f27ffa39ab8 in nsFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) layout/generic/nsFrame.cpp:4295:24
    #13 0x7f27ffb2b11e in nsHTMLReflowState::InitConstraints(nsPresContext*, mozilla::LogicalSize const&, nsMargin const*, nsMargin const*, nsIAtom*) layout/generic/nsHTMLReflowState.cpp:2340:9
    #14 0x7f27ffa44a19 in nsHTMLReflowState::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) layout/generic/nsHTMLReflowState.cpp:388:3
    #15 0x7f27ff96c845 in emplace<nsPresContext *&, const nsHTMLReflowState &, nsIFrame *&, mozilla::LogicalSize &> objdir-ff-asan/dist/include/mozilla/Maybe.h:386:29
    #16 0x7f27ff96c845 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) layout/generic/nsLineLayout.cpp:883
    #17 0x7f27ff9e0320 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) layout/generic/nsBlockFrame.cpp:4044:3
    #18 0x7f27ff9de6d1 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) layout/generic/nsBlockFrame.cpp:3846:5
    #19 0x7f27ff9d4ecf in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3712:9
    #20 0x7f27ff9c4b2d in ReflowLine layout/generic/nsBlockFrame.cpp:2720:5
    #21 0x7f27ff9c4b2d in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2255
    #22 0x7f27ff9bd813 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1166:3
    #23 0x7f27ff9dbaa1 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:306:3
    #24 0x7f27ff9d1717 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3357:7
    #25 0x7f27ff9c4b5d in ReflowLine layout/generic/nsBlockFrame.cpp:2717:5
    #26 0x7f27ff9c4b5d in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2255
    #27 0x7f27ff9bd813 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1166:3
    #28 0x7f27ffa2e966 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:990:3
    #29 0x7f27ffa11ef5 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsCanvasFrame.cpp:693:5
    #30 0x7f27ffac7f9e in ReflowChild layout/generic/nsContainerFrame.cpp:990:3
    #31 0x7f27ffac7f9e in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) layout/generic/nsGfxScrollFrame.cpp:527
    #32 0x7f27ffac97bd in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) layout/generic/nsGfxScrollFrame.cpp:639:3
    #33 0x7f27ffacbb39 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsGfxScrollFrame.cpp:874:3
    #34 0x7f27ffa2edcd in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:1032:3
    #35 0x7f27ffc5ccc2 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsViewportFrame.cpp:308:7
    #36 0x7f27ff90aab7 in PresShell::DoReflow(nsIFrame*, bool) layout/base/nsPresShell.cpp:9000:3

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/linux_asan_firefox/custom/firefox/libxul.so+0x8510cfc)
==23995==ABORTING

Daniel, do you know who might be familiar with this code? Thanks.
Flags: needinfo?(dholbert)
Keywords: sec-critical

Mats is working on grid stuff -- needinfo'ing him.
Flags: needinfo?(mats)

Comment 3 (Assignee, 2 years ago)

I can't reproduce this in an up-to-date local debug ASAN build on Linux64.
It might have been fixed by bug 1225592?  Seeing that the testcase contains
grid-template-columns: repeat(32541, ...)
I'll revert that locally and debug this a bit just to verify...
Assignee: nobody → mats
Severity: normal → critical
Flags: needinfo?(mats)
Flags: needinfo?(dholbert)
Keywords: testcase

Comment 4 (Assignee, 2 years ago)

Yeah, I get the assertion in bug 1225592 when I backed that out locally.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1225592
Group: core-security