Closed Bug 1245427 Opened 9 years ago Closed 9 years ago

global-buffer-overflow in mozilla::dom::GetPropertyValuesPairs

Categories

(Core :: DOM: Animation, defect)

45 Branch
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1244595

People

(Reporter: nils, Unassigned)

Details

(Keywords: testcase)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160127070712

Steps to reproduce:

The following testcase crashes the latest ASAN build of Firefox:

<script>
d = (new DOMParser()).parseFromString('','text/html');
d.all[0].animate([{flexFlow: 'column-reverse nowrap'},{flexFlow: 'column wrap-reverse'}],3);
</script>

Actual results:

Crash with the following ASAN output:

=================================================================
==8078==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f3e3f2392a4 at pc 0x7f3e362403c2 bp 0x7ffdc3945f10 sp 0x7ffdc3945f08
READ of size 4 at 0x7f3e3f2392a4 thread T0 (Web Content)
    #0 0x7f3e362403c1 in mozilla::dom::GetPropertyValuesPairs(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ListAllowance, nsTArray<mozilla::dom::PropertyValuesPair>&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1049
    #1 0x7f3e36232a86 in ConvertKeyframeSequence /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1115
    #2 0x7f3e36232a86 in BuildAnimationPropertyListFromKeyframeSequence /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1409
    #3 0x7f3e36232a86 in mozilla::dom::KeyframeEffectReadOnly::BuildAnimationPropertyList(JSContext*, mozilla::dom::Element*, JS::Handle<JSObject*>, nsTArray<mozilla::AnimationProperty>&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1662
    #4 0x7f3e36236830 in mozilla::dom::KeyframeEffectReadOnly::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::Element*, JS::Handle<JSObject*>, mozilla::TimingParams const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1686
    #5 0x7f3e3644efa7 in mozilla::dom::Element::Animate(JSContext*, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Element.cpp:3341
    #6 0x7f3e37edee4b in mozilla::dom::ElementBinding::animate(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:3074
    #7 0x7f3e382dc796 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2715
    #8 0x7f3e3e09ac69 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #9 0x7f3e3e09ac69 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:475
    #10 0x7f3e3e0865f3 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2799
    #11 0x7f3e3e066cad in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:425
    #12 0x7f3e3e09d0ab in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:681
    #13 0x7f3e3e09d6af in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:713
    #14 0x7f3e3db8f8c4 in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4451
    #15 0x7f3e3db90337 in Evaluate /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4478
    #16 0x7f3e3db90337 in JS::Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4539
    #17 0x7f3e36754dcd in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:224
    #18 0x7f3e36755a41 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:286
    #19 0x7f3e367df983 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1151
    #20 0x7f3e367dc6e4 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:970
    #21 0x7f3e367d5fb7 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:726
    #22 0x7f3e367d283e in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:142
    #23 0x7f3e35a776a4 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:221
    #24 0x7f3e35a776a4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:666
    #25 0x7f3e35a75cf4 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:491
    #26 0x7f3e35a7becb in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:128
    #27 0x7f3e33f4d13f in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:995
    #28 0x7f3e33fc83ca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #29 0x7f3e34975378 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:127
    #30 0x7f3e348dfaec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #31 0x7f3e348dfaec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #32 0x7f3e348dfaec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #33 0x7f3e39cf41d7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #34 0x7f3e3bc3e382 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:789
    #35 0x7f3e348dfaec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #36 0x7f3e348dfaec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #37 0x7f3e348dfaec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #38 0x7f3e3bc3da7a in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:625
    #39 0x48d760 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:237
    #40 0x7f3e3176ca3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #41 0x48cabc in _start (/home/nils/FF/firefox/plugin-container+0x48cabc)

0x7f3e3f2392a4 is located 84 bytes to the right of global variable 'nsCSSProps::kAnimTypeTable' from '/builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/layout/style/Unified_cpp_layout_style1.cpp' (0x7f3e3f238d80) of size 1232
SUMMARY: AddressSanitizer: global-buffer-overflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1049 mozilla::dom::GetPropertyValuesPairs(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ListAllowance, nsTArray<mozilla::dom::PropertyValuesPair>&)
Shadow bytes around the buggy address:
  0x0fe847e3f200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f240: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
=>0x0fe847e3f250: f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe847e3f260: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe847e3f270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==8078==ABORTING

Expected results:

No crash
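The report says GetPropertyValuesPairs read 4 bytes at 84 bytes past the end of the 1232-byte global nsCSSProps::kAnimTypeTable, the signature of a fixed-size table indexed by a value outside its range (here triggered by the shorthand flexFlow). As an added example that is not Mozilla's code, with a constructed enum, table and counts standing in for the real ones and the assumption that the table has one entry per longhand only, the unchecked lookup beside a bounds-checked one, plus a triage helper that turns ASan's offset and access width into the index that was read:

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-in for a per-longhand table like kAnimTypeTable: one entry
// per longhand property ID, while the property ID space also contains
// shorthands whose numeric values lie past the end of the table (assumption).
enum AnimType : int32_t { kAnimNone = 0, kAnimDiscrete = 1, kAnimCoord = 2, kAnimFloat = 3 };

const std::size_t kLonghandCount = 4;   // constructed: longhand IDs are 0..3
const std::size_t kPropertyCount = 6;   // constructed: IDs 4..5 are shorthands
const AnimType kAnimTypeTableDemo[kLonghandCount] = {kAnimDiscrete, kAnimCoord, kAnimFloat, kAnimNone};

// Unchecked lookup: the defect pattern. Passing a shorthand ID reads past the
// table, which ASan reports as a global-buffer-overflow. Never called here.
AnimType UncheckedAnimType(std::size_t propertyId) {
  return kAnimTypeTableDemo[propertyId];
}

// Hardened lookup: the table only covers longhands, so any ID outside that
// range (a shorthand, or garbage) is rejected before it becomes an index.
bool CheckedAnimType(std::size_t propertyId, AnimType* out) {
  if (propertyId >= kLonghandCount) {
    return false;  // caller must expand the shorthand or reject the property
  }
  *out = kAnimTypeTableDemo[propertyId];
  return true;
}

// Triage helper: converts "located N bytes to the right of global variable ...
// of size S" plus the READ width into the element index that was accessed.
std::size_t IndexFromAsanReport(std::size_t tableBytes, std::size_t bytesRight, std::size_t elemBytes) {
  return (tableBytes + bytesRight) / elemBytes;
}

// Number of entries in a table of fixed-width elements, from the same report.
std::size_t EntriesFromAsanReport(std::size_t tableBytes, std::size_t elemBytes) {
  return tableBytes / elemBytes;
}
```

With the values from this report (size 1232, 84 bytes right, READ of size 4) the helpers give a 308-entry table and an index of 329, so the out-of-range ID is 21 past the last entry, not a small off-by-one.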
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Animation
Keywords: testcase
Product: Firefox → Core
Looks like a duplicate of bug 1244595 to me.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: core-security