Closed Bug 1245427 Opened 4 years ago Closed 4 years ago

global-buffer-overflow in mozilla::dom::GetPropertyValuesPairs

Categories

(Core :: DOM: Animation, defect)

45 Branch
defect
Not set

RESOLVED DUPLICATE of bug 1244595

People

(Reporter: nils, Unassigned)

Details

(Keywords: testcase)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160127070712

Steps to reproduce:

The following testcase crashes the latest ASAN build of Firefox:

<script>
d = (new DOMParser()).parseFromString('','text/html');
d.all[0].animate([{flexFlow: 'column-reverse nowrap'},{flexFlow: 'column wrap-reverse'}],3);
</script>
Actual results:

Crash with the following ASAN output:

=================================================================
==8078==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f3e3f2392a4 at pc 0x7f3e362403c2 bp 0x7ffdc3945f10 sp 0x7ffdc3945f08
READ of size 4 at 0x7f3e3f2392a4 thread T0 (Web Content)
    #0 0x7f3e362403c1 in mozilla::dom::GetPropertyValuesPairs(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ListAllowance, nsTArray<mozilla::dom::PropertyValuesPair>&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1049
    #1 0x7f3e36232a86 in ConvertKeyframeSequence /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1115
    #2 0x7f3e36232a86 in BuildAnimationPropertyListFromKeyframeSequence /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1409
    #3 0x7f3e36232a86 in mozilla::dom::KeyframeEffectReadOnly::BuildAnimationPropertyList(JSContext*, mozilla::dom::Element*, JS::Handle<JSObject*>, nsTArray<mozilla::AnimationProperty>&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1662
    #4 0x7f3e36236830 in mozilla::dom::KeyframeEffectReadOnly::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::Element*, JS::Handle<JSObject*>, mozilla::TimingParams const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1686
    #5 0x7f3e3644efa7 in mozilla::dom::Element::Animate(JSContext*, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Element.cpp:3341
    #6 0x7f3e37edee4b in mozilla::dom::ElementBinding::animate(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:3074
    #7 0x7f3e382dc796 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2715
    #8 0x7f3e3e09ac69 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #9 0x7f3e3e09ac69 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:475
    #10 0x7f3e3e0865f3 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2799
    #11 0x7f3e3e066cad in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:425
    #12 0x7f3e3e09d0ab in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:681
    #13 0x7f3e3e09d6af in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:713
    #14 0x7f3e3db8f8c4 in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4451
    #15 0x7f3e3db90337 in Evaluate /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4478
    #16 0x7f3e3db90337 in JS::Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4539
    #17 0x7f3e36754dcd in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:224
    #18 0x7f3e36755a41 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:286
    #19 0x7f3e367df983 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1151
    #20 0x7f3e367dc6e4 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:970
    #21 0x7f3e367d5fb7 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:726
    #22 0x7f3e367d283e in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:142
    #23 0x7f3e35a776a4 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:221
    #24 0x7f3e35a776a4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:666
    #25 0x7f3e35a75cf4 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:491
    #26 0x7f3e35a7becb in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:128
    #27 0x7f3e33f4d13f in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:995
    #28 0x7f3e33fc83ca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #29 0x7f3e34975378 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:127
    #30 0x7f3e348dfaec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #31 0x7f3e348dfaec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #32 0x7f3e348dfaec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #33 0x7f3e39cf41d7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #34 0x7f3e3bc3e382 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:789
    #35 0x7f3e348dfaec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #36 0x7f3e348dfaec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #37 0x7f3e348dfaec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #38 0x7f3e3bc3da7a in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:625
    #39 0x48d760 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:237
    #40 0x7f3e3176ca3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #41 0x48cabc in _start (/home/nils/FF/firefox/plugin-container+0x48cabc)

0x7f3e3f2392a4 is located 84 bytes to the right of global variable 'nsCSSProps::kAnimTypeTable' from '/builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/layout/style/Unified_cpp_layout_style1.cpp' (0x7f3e3f238d80) of size 1232
SUMMARY: AddressSanitizer: global-buffer-overflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1049 mozilla::dom::GetPropertyValuesPairs(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ListAllowance, nsTArray<mozilla::dom::PropertyValuesPair>&)
Shadow bytes around the buggy address:
  0x0fe847e3f200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f240: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
=>0x0fe847e3f250: f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe847e3f260: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe847e3f270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe847e3f2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==8078==ABORTING
Expected results:

No crash
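The ASan output above can be reduced mechanically to the facts a triager needs: which global table was overrun, how many elements it holds, and which element index the faulting read actually used. The following Python is an added example, not code from this bug or from Firefox; it runs on a constructed excerpt of the report (frame list and paths shortened) and assumes that the access width reported by ASan equals the table's element size.

```python
import re

# Constructed excerpt of the ASan output quoted in this bug, with the frame
# list and file paths shortened; it is not the original report text.
ASAN_REPORT = """\
==8078==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f3e3f2392a4 at pc 0x7f3e362403c2
READ of size 4 at 0x7f3e3f2392a4 thread T0 (Web Content)
    #0 0x7f3e362403c1 in mozilla::dom::GetPropertyValuesPairs(JSContext*, JS::Handle<JSObject*>) /src/dom/animation/KeyframeEffect.cpp:1049
0x7f3e3f2392a4 is located 84 bytes to the right of global variable 'nsCSSProps::kAnimTypeTable' from '/src/layout/style/Unified_cpp_layout_style1.cpp' (0x7f3e3f238d80) of size 1232
=>0x0fe847e3f250: f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
"""

HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address")
ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at", re.M)
FRAME0 = re.compile(r"^\s*#0 0x[0-9a-f]+ in (?P<func>[^\s(]+).* (?P<file>\S+):(?P<line>\d+)\s*$", re.M)
GLOBAL = re.compile(r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of global "
                    r"variable '(?P<name>[^']+)'.* of size (?P<gsize>\d+)")
SHADOW = re.compile(r"^=>.*\[(?P<byte>[0-9a-f]{2})\]", re.M)
REDZONES = {"f9": "global redzone", "fa": "heap left redzone", "fb": "heap right redzone",
            "f1": "stack left redzone", "f3": "stack right redzone", "fd": "freed heap region"}


def triage(report):
    """Reduce a global-buffer-overflow report to what locates the bad table
    lookup: the crashing frame, the table, its element count and the index used."""
    hdr, acc, frame, glob = (rx.search(report) for rx in (HEADER, ACCESS, FRAME0, GLOBAL))
    if not (hdr and acc and frame and glob):
        raise ValueError("not a complete ASan global-buffer-overflow report")
    width = int(acc["size"])            # assumption: access width == table element size
    gsize, off = int(glob["gsize"]), int(glob["off"])
    # ASan gives the distance past the end ("right") or before the start ("left");
    # turn it into a byte offset from the start of the global.
    byte_off = gsize + off if glob["side"] == "right" else -off
    shadow = SHADOW.search(report)
    return {
        "kind": hdr["kind"],
        "access": f'{acc["op"]} {width}',
        "function": frame["func"],
        "location": f'{frame["file"]}:{frame["line"]}',
        "table": glob["name"],
        "elements": gsize // width,     # valid indices are 0 .. elements-1
        "index": byte_off // width,     # index the faulting code actually used
        "shadow": REDZONES.get(shadow["byte"], shadow["byte"]) if shadow else None,
    }


if __name__ == "__main__":
    for key, value in triage(ASAN_REPORT).items():
        print(f"{key:>9}: {value}")
```

For the numbers in this report (1232-byte table, 4-byte read, 84 bytes past the end) it yields 308 elements and index 329, i.e. the lookup ran 22 entries beyond the last valid index, which is the figure to compare against the property enumeration when reviewing the fix.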
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Animation
Keywords: testcase
Product: Firefox → Core

Looks like a duplicate of bug 1244595 to me.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1244595
Group: core-security