Open Bug 1380146 Opened 8 years ago Updated 2 months ago

Assertion failure: question > 0 [@/home/worker/workspace/build/src/dom/security/SRIMetadata.cpp:54]

Categories

(Core :: DOM: Security, defect, P3)

defect

Tracking

()

ASSIGNED
Tracking Status
firefox-esr52 --- wontfix
firefox-esr102 --- affected
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox115 --- affected

People

(Reporter: jkratzer, Assigned: freddy)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 20170710-91c943f73737.

Assertion failure: question > 0, at /home/worker/workspace/build/src/dom/security/SRIMetadata.cpp:54

ASAN:DEADLYSIGNAL
=================================================================
==32708==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f88d54cf25f bp 0x7ffc94e46eb0 sp 0x7ffc94e46d80 T0)
==32708==The signal is caused by a WRITE memory access.
==32708==Hint: address points to the zero page.
    #0 0x7f88d54cf25e in mozilla::dom::SRIMetadata::SRIMetadata(nsACString const&) /home/worker/workspace/build/src/dom/security/SRIMetadata.cpp:54:5
    #1 0x7f88d54ca720 in mozilla::dom::SRICheck::IntegrityMetadata(nsAString const&, nsACString const&, nsIConsoleReportCollector*, mozilla::dom::SRIMetadata*) /home/worker/workspace/build/src/dom/security/SRICheck.cpp:127:17
    #2 0x7f88d5d7f057 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /home/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1266:11
    #3 0x7f88d5d7e143 in mozilla::dom::ScriptElement::MaybeProcessScript() /home/worker/workspace/build/src/dom/script/ScriptElement.cpp:149:18
    #4 0x7f88d5d7dc20 in non-virtual thunk to mozilla::dom::ScriptElement::AttributeChanged(nsIDocument*, mozilla::dom::Element*, int, nsIAtom*, int, nsAttrValue const*) /home/worker/workspace/build/src/dom/script/ScriptElement.cpp:89:16
    #5 0x7f88d3048867 in nsNodeUtils::AttributeChanged(mozilla::dom::Element*, int, nsIAtom*, int, nsAttrValue const*) /home/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:145:3
    #6 0x7f88d2dc035c in mozilla::dom::Element::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAttrValue const*, nsAttrValue&, unsigned char, bool, bool, bool, nsIDocument*, mozAutoDocUpdate const&) /home/worker/workspace/build/src/dom/base/Element.cpp:2632:5
    #7 0x7f88d2dbf899 in mozilla::dom::Element::SetAttr(int, nsIAtom*, nsIAtom*, nsAString const&, bool) /home/worker/workspace/build/src/dom/base/Element.cpp:2468:10
    #8 0x7f88d4c0d27e in mozilla::dom::HTMLScriptElement::SetSrc(nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/HTMLScriptElement.cpp:174:8
    #9 0x7f88d45778a6 in mozilla::dom::HTMLScriptElementBinding::set_src(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLScriptElement*, JSJitSetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLScriptElementBinding.cpp:50:9
    #10 0x7f88d46b1d9c in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2996:8
    #11 0x7f88d95ac021 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #12 0x7f88d95abb3d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470:16
    #13 0x7f88d95aca65 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:515:12
    #14 0x7f88d95acc7c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #15 0x7f88d95ae173 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:663:12
(In reply to Jason Kratzer [:jkratzer] from comment #0)
> Created attachment 8885445 [details]
> trigger.html
>
> Testcase found while fuzzing mozilla-central rev 20170710-91c943f73737.
>
> Assertion failure: question > 0, at
> /home/worker/workspace/build/src/dom/security/SRIMetadata.cpp:54

I guess if the '?' is at index 0, then the assertion
> MOZ_ASSERT(question > 0);
still fires. Francois, wanna update?
Flags: needinfo?(francois)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Flags: needinfo?(francois)
Assertion goes back more than a year, which is the furthest back mozregression can bisect debug builds.
Has Regression Range: --- → no
Severity: normal → S3

I am reviewing some longstanding assertions and I can still reproduce the issue with the attached testcase.

freddy: Is there anyone that could have a look at this?

Flags: needinfo?(fbraun)

Famous last words, but this looks simple :D

Assignee: nobody → fbraun
Flags: needinfo?(fbraun)
Status: NEW → ASSIGNED

Remove overly restrictive MOZ_ASSERT(question > 0) in SRIMetadata constructor
that caused crashes on malformed integrity values like "?-=". The subsequent
check for question <= hashStart already handles this case correctly by
returning early with an error.

Also add WPT tests for various malformed integrity edge cases to ensure
cross-browser interoperability.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
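The token parsing that the reply in comment #1 and the commit message above describe, as an added illustration that is not Firefox's SRIMetadata code: a hypothetical parseIntegrityToken splits an integrity token at its first '-', reads the hash up to an optional '?' that introduces options, and relies on the question <= hashStart bounds check alone to reject inputs like "?-=" (where question == 0 and hashStart == 2), so no assertion can fire before that check runs. The struct and function names are assumptions made for this example.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>
#include <string>

// Result of parsing one integrity token such as "sha256-<base64>?<options>".
// Hypothetical structure for this illustration only.
struct ParsedIntegrity {
    bool valid = false;      // false for malformed tokens: ignore them, never assert on them
    std::string algorithm;   // text before the first '-'
    std::string hash;        // text between the '-' and the optional '?'
};

// Parse a single integrity token in the shape the bug discusses: find the
// first '-', treat what follows as the hash, stop at an optional '?'.
// Malformed input ("?-=", "-", "sha256-", "") yields valid == false.
ParsedIntegrity parseIntegrityToken(const std::string& token) {
    ParsedIntegrity out;
    if (token.empty()) return out;

    const std::size_t hyphen = token.find('-');
    if (hyphen == std::string::npos) return out;   // no "alg-hash" split at all

    out.algorithm = token.substr(0, hyphen);
    const std::size_t hashStart = hyphen + 1;
    if (hashStart >= token.size()) return out;     // nothing after the hyphen

    const std::size_t question = token.find('?');
    if (question == std::string::npos) {
        out.hash = token.substr(hashStart);
    } else {
        // A '?' at or before the hash start means there is no hash at all.
        // "?-=" lands here with question == 0 and hashStart == 2; the removed
        // MOZ_ASSERT(question > 0) fired on exactly this input before this
        // bounds check could reject it. Returning early is the correct outcome.
        if (question <= hashStart) return out;
        out.hash = token.substr(hashStart, question - hashStart);
    }

    if (out.algorithm.empty() || out.hash.empty()) return out;
    out.valid = true;
    return out;
}

// Stand-alone demo over the well-formed case and the malformed edge cases
// named in the bug (constructed inputs).
int main() {
    const char* samples[] = {"sha256-abc?opt", "sha256-abc", "?-=", "sha256-", "-", "?", "a?b-c"};
    for (const char* s : samples) {
        const ParsedIntegrity p = parseIntegrityToken(s);
        std::cout << '"' << s << "\" -> " << (p.valid ? "valid" : "ignored");
        if (p.valid) std::cout << " alg=" << p.algorithm << " hash=" << p.hash;
        std::cout << '\n';
    }
    return 0;
}
```

Note that "a?b-c" is also rejected: its '-' sits inside the options part, so the hash start lies after the '?', and the same single comparison covers it without any extra special case.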
