1277085 - null pointer in nsHTMLEditRules::GetNodesForOperation

Status: NEW

(Core :: DOM: Editor, defect)

Description

[Nils]

Testcase:
<script>
function start() {
        o4=window.getSelection();
        o15=document.createRange();
        o38=(new DOMParser()).parseFromString("",'text/html');
        o57=o38.createRange();
        document.designMode='on';
        o4.addRange(o57);
        o4.addRange(o15);
        document.execCommand('insertorderedlist',false,null);
}
</script>
<body onload="start()"></body>


Asan output:

ASAN:SIGSEGV
=================================================================
==9701==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7ff0216bd1e4 sp 0x7ffc663052c0 bp 0x7ffc66305690 T0)
    #0 0x7ff0216bd1e3 in get /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:261
    #1 0x7ff0216bd1e3 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:298
    #2 0x7ff0216bd1e3 in NodeType /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsINode.h:555
    #3 0x7ff0216bd1e3 in operator nsIContent * /builds/slave/m-cen-l64-asan-000000000000000/build/src/editor/libeditor/nsEditor.cpp:3619
    #4 0x7ff0216bd1e3 in nsHTMLEditRules::GetNodesForOperation(nsTArray<RefPtr<nsRange> >&, nsTArray<mozilla::OwningNonNull<nsINode> >&, EditAction, nsHTMLEditRules::TouchContent) /builds/slave/m-cen-l64-asan-000000000000000/build/src/editor/libeditor/nsHTMLEditRules.cpp:5566
    #5 0x7ff0216b9cb1 in GetNodesFromSelection /builds/slave/m-cen-l64-asan-000000000000000/build/src/editor/libeditor/nsHTMLEditRules.cpp:6066
    #6 0x7ff0216b9cb1 in nsHTMLEditRules::GetListActionNodes(nsTArray<mozilla::OwningNonNull<nsINode> >&, nsHTMLEditRules::EntireList, nsHTMLEditRules::TouchContent) /builds/slave/m-cen-l64-asan-000000000000000/build/src/editor/libeditor/nsHTMLEditRules.cpp:5749
    #7 0x7ff0216a6230 in nsHTMLEditRules::WillMakeList(mozilla::dom::Selection*, nsAString_internal const*, bool, nsAString_internal const*, bool*, bool*, nsAString_internal const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/editor/libeditor/nsHTMLEditRules.cpp:2995
    #8 0x7ff021698c8a in nsHTMLEditRules::WillDoAction(mozilla::dom::Selection*, nsRulesInfo*, bool*, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/editor/libeditor/nsHTMLEditRules.cpp:646
    #9 0x7ff021726edb in nsHTMLEditor::MakeOrChangeList(nsAString_internal const&, bool, nsAString_internal const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/editor/libeditor/nsHTMLEditor.cpp:1946
    #10 0x7ff0217d5bc2 in nsListCommand::ToggleState(nsIEditor*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/editor/composer/nsComposerCommands.cpp:305
    #11 0x7ff0217d25d1 in nsBaseStateUpdatingCommand::DoCommand(char const*, nsISupports*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/editor/composer/nsComposerCommands.cpp:92
    #12 0x7ff022b87d73 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/embedding/components/commandhandler/nsControllerCommandTable.cpp:147
    #13 0x7ff022b7e9de in nsBaseCommandController::DoCommand(char const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/embedding/components/commandhandler/nsBaseCommandController.cpp:136
    #14 0x7ff022b85054 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/embedding/components/commandhandler/nsCommandManager.cpp:214
    #15 0x7ff02011c8a3 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/html/nsHTMLDocument.cpp:3306
    #16 0x7ff01f7af2b6 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:855
    #17 0x7ff01f9ed6b5 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2782
    #18 0x7ff02550db1e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #19 0x7ff02550db1e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:480
    #20 0x7ff0254fc77c in CallFromStack /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:531
    #21 0x7ff0254fc77c in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2868
    #22 0x7ff0254ddb9e in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:426
    #23 0x7ff02550e26b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:498
    #24 0x7ff02550e801 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:544
    #25 0x7ff0250b8e77 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:2926
    #26 0x7ff01f4af923 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259
    #27 0x7ff01fdebe89 in Call<nsISupports *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:356
    #28 0x7ff01fdebe89 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/JSEventHandler.cpp:214
    #29 0x7ff01fdb68b4 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1111
    #30 0x7ff01fdb8813 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1283
    #31 0x7ff01fd95921 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:379
    #32 0x7ff01fd99d3c in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:710
    #33 0x7ff021d6d1c0 in nsDocumentViewer::LoadComplete(nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDocumentViewer.cpp:993
    #34 0x7ff022ab349d in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:7533
    #35 0x7ff022aaf8a4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:7334
    #36 0x7ff022ab66cf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/docshell/base/Unified_cpp_docshell_base0.cpp:7341
    #37 0x7ff01ce20e8b in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:1250
    #38 0x7ff01ce20173 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:834
    #39 0x7ff01ce1ce53 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:724
    #40 0x7ff01ce1f12f in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:608
    #41 0x7ff01ce1fb3c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/uriloader/base/Unified_cpp_uriloader_base0.cpp:612
    #42 0x7ff01b288594 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/base/nsLoadGroup.cpp:633
    #43 0x7ff01dca799c in nsDocument::DoUnblockOnload() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsDocument.cpp:9229
    #44 0x7ff01dd5102f in nsUnblockOnloadEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsDocument.cpp:9182
    #45 0x7ff01b0bb8db in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:1073
    #46 0x7ff01b135e2a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #47 0x7ff01be4556e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:98
    #48 0x7ff01bdba22c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:235
    #49 0x7ff01bdba22c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #50 0x7ff01bdba22c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #51 0x7ff0214ce447 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #52 0x7ff0234e9342 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:809
    #53 0x7ff01bdba22c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:235
    #54 0x7ff01bdba22c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #55 0x7ff01bdba22c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #56 0x7ff0234e8a21 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:644
    #57 0x48df67 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:231
    #58 0x7ff0188f682f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #59 0x48cb3c in _start (/home/nils/fuzzer3/firefox/plugin-container+0x48cb3c)

Comment 1

[Daniel Veditz [:dveditz]]

This does not appear to be an exploitable crash

Comment 2

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Attachment: testcase

Comment 3

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

I cannot reproduce this crash with current Nightly. Is it reproducible only on ASAN build?