Closed Bug 1400763 Opened 3 years ago Closed 2 years ago

heap-buffer-overflow [@ char16_t* nsTextFrameUtils::TransformText<char16_t>] with READ of size 2

Categories

(Core :: Layout: Text and Fonts, defect, P2, critical)

defect

Tracking


RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 57+ fixed
firefox56 --- wontfix
firefox57 - fixed
firefox58 + fixed

People

(Reporter: jkratzer, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [adv-main57+][adv-esr52.5+][post-critsmash-triage] fixed by bug 1402442)

Attachments

(3 files, 1 obsolete file)

Found while fuzzing mozilla-central rev 20170916-34e2566a71f1.  Will update with testcase shortly.

==27281==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200030b86e at pc 0x7fd615285985 bp 0x7ffe2c992080 sp 0x7ffe2c992078
READ of size 2 at 0x61200030b86e thread T0
    #0 0x7fd615285984 in char16_t* nsTextFrameUtils::TransformText<char16_t>(char16_t const*, unsigned int, char16_t*, nsTextFrameUtils::CompressionMode, unsigned char*, gfxSkipChars*, nsTextFrameUtils::Flags*) /builds/worker/workspace/build/src/layout/generic/nsTextFrameUtils.cpp:252:18
    #1 0x7fd61528a4f1 in BuildTextRunsScanner::BuildTextRunForFrames(void*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2224:26
    #2 0x7fd615286576 in BuildTextRunsScanner::FlushFrames(bool, bool) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1698:17
    #3 0x7fd61528fdfa in BuildTextRunsScanner::ScanFrame(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1944:9
    #4 0x7fd6152906ff in BuildTextRunsScanner::ScanFrame(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1983:5
    #5 0x7fd61529687b in BuildTextRuns /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1599:15
    #6 0x7fd61529687b in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2871
    #7 0x7fd6152d99e3 in nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:9533:5
    #8 0x7fd61521117c in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:924:7
    #9 0x7fd615081804 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4218:15
    #10 0x7fd615080418 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4014:5
    #11 0x7fd615077ed9 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3888:9
    #12 0x7fd615071ad8 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2871:5
    #13 0x7fd6150675df in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2407:7
    #14 0x7fd61505e392 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1233:3
    #15 0x7fd6150ba4ca in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #16 0x7fd6150bf5d2 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:808:7
    #17 0x7fd6150c4a9f in ReflowColumns /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:506:19
    #18 0x7fd6150c4a9f in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1245
    #19 0x7fd6150ba4ca in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #20 0x7fd6150b8db6 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:754:5
    #21 0x7fd6150ba4ca in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #22 0x7fd615178088 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:548:3
    #23 0x7fd61517973e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:660:3
    #24 0x7fd61517c8e9 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1036:3
    #25 0x7fd6150453e3 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:976:14
    #26 0x7fd615043d0a in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:332:7
    #27 0x7fd614e46677 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9407:11
    #28 0x7fd614e5a631 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9580:24
    #29 0x7fd614e598d0 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4207:11
    #30 0x7fd610db8cad in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:557:5
    #31 0x7fd610db8cad in nsDocument::FlushPendingNotifications(mozilla::FlushType) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8343
    #32 0x7fd610b6e041 in GetPrimaryFrame /builds/worker/workspace/build/src/dom/base/Element.cpp:2260:10
    #33 0x7fd610b6e041 in mozilla::dom::Element::GetStyledFrame() /builds/worker/workspace/build/src/dom/base/Element.cpp:665
    #34 0x7fd61305f03b in nsGenericHTMLElement::GetOffsetRect(mozilla::gfx::IntRectTyped<mozilla::CSSPixel>&) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:282:21
    #35 0x7fd6125e4e48 in GetOffsetParent /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.h:209:12
    #36 0x7fd6125e4e48 in mozilla::dom::HTMLElementBinding::get_offsetParent(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:991
    #37 0x7fd6128b31c6 in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2924:13
    #38 0x7fd618f17864 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #39 0x7fd618f17864 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #40 0x7fd618f1929f in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:12
    #41 0x7fd618f1929f in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559
    #42 0x7fd618f1929f in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:674
    #43 0x7fd619ec7bf5 in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2123:16
    #44 0x7fd619ec7bf5 in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2171
    #45 0x7fd619ec7bf5 in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2385
    #46 0x7fd619ec7bf5 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2421
    #47 0x7fd618f21c98 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1540:12
    #48 0x7fd618f21c98 in GetProperty /builds/worker/workspace/build/src/js/src/jsobj.h:834
    #49 0x7fd618f21c98 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4426
    #50 0x7fd618f0451c in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:218:12
    #51 0x7fd618f0451c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2803
    #52 0x7fd618ee898b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #53 0x7fd618f1a177 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:724:15
    #54 0x7fd618f1a9e2 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:756:12
    #55 0x7fd61997fb89 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4667:12
    #56 0x7fd610eb5f99 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:265:8
    #57 0x7fd61458ff78 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2244:25
    #58 0x7fd61458b3ac in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1884:10
    #59 0x7fd61456ec15 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1585:10
    #60 0x7fd61456b178 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:149:18
    #61 0x7fd60fdcce5f in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:225:18
    #62 0x7fd60fdcce5f in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:701
    #63 0x7fd60fdc67aa in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:502:7
    #64 0x7fd60fdd167f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:55:18
    #65 0x7fd60e2444fd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #66 0x7fd60e24a238 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
    #67 0x7fd60efedd31 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #68 0x7fd60ef4fbfb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #69 0x7fd60ef4fbfb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #70 0x7fd60ef4fbfb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #71 0x7fd6146eecef in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #72 0x7fd618849b21 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #73 0x7fd618a2a58b in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4701:22
    #74 0x7fd618a2c188 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4865:8
    #75 0x7fd618a2d5bb in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4960:21
    #76 0x4ebea3 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #77 0x4ebea3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309
    #78 0x7fd62b42382f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #79 0x41d9f8 in _start (/home/mozilla/builds/mc-asan/firefox+0x41d9f8)

0x61200030b86e is located 0 bytes to the right of 302-byte region [0x61200030b740,0x61200030b86e)
allocated by thread T0 here:
    #0 0x4bc27c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x7fd60e08bc75 in nsStringBuffer::Alloc(unsigned long) /builds/worker/workspace/build/src/xpcom/string/nsSubstring.cpp:238:22
    #2 0x7fd610f3f9be in nsTextFragment::SetTo(char16_t const*, int, bool, bool) /builds/worker/workspace/build/src/dom/base/nsTextFragment.cpp:273:11
    #3 0x7fd610e67558 in nsGenericDOMDataNode::SetTextInternal(unsigned int, unsigned int, char16_t const*, unsigned int, bool, CharacterDataChangeInfo::Details*) /builds/worker/workspace/build/src/dom/base/nsGenericDOMDataNode.cpp:326:13
    #4 0x7fd610e6c6be in nsGenericDOMDataNode::SetText(char16_t const*, unsigned int, bool) /builds/worker/workspace/build/src/dom/base/nsGenericDOMDataNode.cpp:989:10
    #5 0x7fd610f422c2 in SetText /builds/worker/workspace/build/src/dom/base/nsGenericDOMDataNode.h:150:12
    #6 0x7fd610f422c2 in UpdateText /builds/worker/workspace/build/src/dom/base/nsTextNode.cpp:301
    #7 0x7fd610f422c2 in nsAttributeTextNode::UpdateText() /builds/worker/workspace/build/src/dom/base/nsTextNode.cpp:75
    #8 0x7fd610f8e4b2 in applyImpl<nsAttributeTextNode, void (nsAttributeTextNode::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #9 0x7fd610f8e4b2 in apply<nsAttributeTextNode, void (nsAttributeTextNode::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #10 0x7fd610f8e4b2 in mozilla::detail::RunnableMethodImpl<nsAttributeTextNode*, void (nsAttributeTextNode::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #11 0x7fd6109a11ff in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5641:15
    #12 0x7fd610b7fdaf in ~mozAutoDocUpdate /builds/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:43:7
    #13 0x7fd610b7fdaf in mozilla::dom::Element::SetAttr(int, nsIAtom*, nsIAtom*, nsTSubstring<char16_t> const&, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2503
    #14 0x7fd6126773b0 in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:671:12
    #15 0x7fd6126773b0 in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1365
    #16 0x7fd6126773b0 in SetHTMLAttr /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.h:810
    #17 0x7fd6126773b0 in SetAlt /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/HTMLImageElement.h:143
    #18 0x7fd6126773b0 in mozilla::dom::HTMLImageElementBinding::set_alt(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLImageElement*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLImageElementBinding.cpp:117
    #19 0x7fd6128b4c2a in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3016:8
    #20 0x7fd618f17864 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #21 0x7fd618f17864 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #22 0x7fd618f19979 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:12
    #23 0x7fd618f19979 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559
    #24 0x7fd618f19979 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:688
    #25 0x7fd619ed7fcc in SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2755:10
    #26 0x7fd619ed0832 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2791:20
    #27 0x7fd618efafd7 in SetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1557:12
    #28 0x7fd618efafd7 in SetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:269
    #29 0x7fd618efafd7 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2881
    #30 0x7fd618ee898b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #31 0x7fd618f1a177 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:724:15
    #32 0x7fd618f1a9e2 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:756:12
    #33 0x7fd61997fb89 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4667:12
    #34 0x7fd610eb5f99 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:265:8
    #35 0x7fd61458ff78 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2244:25
    #36 0x7fd61458b3ac in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1884:10
    #37 0x7fd61456ec15 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1585:10
    #38 0x7fd61456b178 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:149:18
    #39 0x7fd60fdcce5f in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:225:18
    #40 0x7fd60fdcce5f in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:701
    #41 0x7fd60fdc67aa in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:502:7
    #42 0x7fd60fdd167f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:55:18
    #43 0x7fd60e2444fd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #44 0x7fd60e24a238 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/layout/generic/nsTextFrameUtils.cpp:252:18 in char16_t* nsTextFrameUtils::TransformText<char16_t>(char16_t const*, unsigned int, char16_t*, nsTextFrameUtils::CompressionMode, unsigned char*, gfxSkipChars*, nsTextFrameUtils::Flags*)
Shadow bytes around the buggy address:
  0x0c24800596b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c24800596c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c24800596d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fa fa
  0x0c24800596e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c24800596f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2480059700: 00 00 00 00 00 00 00 00 00 00 00 00 00[06]fa fa
  0x0c2480059710: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2480059720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2480059730: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c2480059740: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2480059750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27281==ABORTING
Attached file trigger.html (obsolete)
Group: core-security → layout-core-security
Fwiw, I can't reproduce this crash in my Linux64 ASAN build,
not even after updating to rev 34e2566a71f1.  I'm using
a profile that has the domfuzz helper extension, do I need
anything else?

I'm seeing this on the console when I load the testcase:
JavaScript error: chrome://xbl-marquee/content/xbl-marquee.xml, line 539: TypeError: Argument 1 of Window.getComputedStyle does not implement interface Element.
Attached file trigger.html
Attachment #8909189 - Attachment is obsolete: true
(In reply to Mats Palmgren (:mats) from comment #2)
> Fwiw, I can't reproduce this crash in my Linux64 ASAN build,
> not even after updating to rev 34e2566a71f1.  I'm using
> a profile that has the domfuzz helper extension, do I need
> anything else?
> 
> I'm seeing this on the console when I load the testcase:
> JavaScript error: chrome://xbl-marquee/content/xbl-marquee.xml, line 539:
> TypeError: Argument 1 of Window.getComputedStyle does not implement
> interface Element.

My apologies - I uploaded the wrong testcase.  The testcase in comment #3 should work.
Thanks, I can reproduce it now.
Attached file frame dumps
So we have a text node (marked red) that is broken up into three
frames due to bidi (the last three text frames in the first frame
dump).  The content length is 5 at that point, with the frames
mapping [0,1] [1,3] [4,1] respectively.  All good so far.

The call to SetText changes the content length from 5 to 2
and now the frame offsets are stale, as the frame dump from
the next nsBlockFrame::Reflow shows (2nd frame dump).
The last frame is now reported as mapping [4,-2]!

Note that the nsBlockFrame::Reflow calls nsBidiPresUtils::Resolve
which changes the frame tree slightly, it changes the first two
text frame continuations from being static to fluid continuations
(the 3rd frame dump, which now says "next-in-flow"/"prev-in-flow")
But it didn't fix the offsets in any way it seems.

Then when we try to reflow these text frames we use all sorts
of invalid offsets and lengths and we crash...
BTW, there are no CharacterDataChanged notifications for that SetText
call as far as I can tell...

The "Inline(_moz_generated_content_before)" frames are for the <img>
'alt' attribute, from this rule in html.css I think:
http://searchfox.org/mozilla-central/rev/d08b24e613cac8c9c5a4131452459241010701e0/layout/style/res/html.css#648
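The stale-offset sequence described in the frame dumps above, as an added example in C that is not Gecko code: a simplified model in which a text node's fragment holds the characters and each text frame continuation stores only its start offset, with its end taken from the next continuation's offset (or the fragment length for the last frame), which is the GetContentEnd() - mContentOffset arithmetic the assertions later in this bug complain about. The Fragment and Frame types and every function name here are hypothetical, and the clamp fixup is only the kind of wallpaper the comment above speculates about; the page itself records that the real fix came from bug 1402442 on the frame-tree side.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Gecko code: a simplified model of a text node's fragment
 * and the text frames mapping into it.  A frame stores only its start offset
 * (mContentOffset); its end is the next continuation's offset, or the fragment
 * length for the last frame, as in GetContentEnd() - mContentOffset above. */

typedef uint16_t char16;

typedef struct { const char16 *data; int32_t length; } Fragment;
typedef struct { int32_t offset; } Frame;   /* one continuation of a text node */

/* End of frame i: start of the next continuation, else the fragment length. */
int32_t frame_content_end(const Frame *f, int n, int i, const Fragment *frag)
{
    return (i + 1 < n) ? f[i + 1].offset : frag->length;
}

int32_t frame_content_length(const Frame *f, int n, int i, const Fragment *frag)
{
    return frame_content_end(f, n, i, frag) - f[i].offset;
}

/* Invariant a text-run builder needs before reading frag->data:
 * 0 <= start <= end <= frag->length.  A stale frame breaks it. */
int frame_mapping_is_valid(const Frame *f, int n, int i, const Fragment *frag)
{
    int32_t start = f[i].offset, end = frame_content_end(f, n, i, frag);
    return start >= 0 && end >= start && end <= frag->length;
}

/* Checked equivalent of handing a frame's range to TransformText: copies the
 * frame's units into out, or returns -1 without reading frag->data at all. */
int32_t copy_frame_text_checked(const Frame *f, int n, int i,
                                const Fragment *frag, char16 *out, int32_t cap)
{
    if (!frame_mapping_is_valid(f, n, i, frag))
        return -1;
    int32_t len = frame_content_length(f, n, i, frag);
    if (len > cap)
        return -1;
    memcpy(out, frag->data + f[i].offset, (size_t)len * sizeof(char16));
    return len;
}

/* Defensive fixup: pull every offset back into [0, frag->length].  A wallpaper
 * over stale frames, not a substitute for updating the frame tree on DOM change. */
void frames_clamp_to_fragment(Frame *f, int n, const Fragment *frag)
{
    for (int i = 0; i < n; i++) {
        if (f[i].offset < 0)
            f[i].offset = 0;
        if (f[i].offset > frag->length)
            f[i].offset = frag->length;
    }
}

static void dump_frames(const char *label, const Frame *f, int n,
                        const Fragment *frag)
{
    printf("%s (fragment length %d)\n", label, frag->length);
    for (int i = 0; i < n; i++)
        printf("  frame %d: [%d,%d] %s\n", i, f[i].offset,
               frame_content_length(f, n, i, frag),
               frame_mapping_is_valid(f, n, i, frag) ? "ok" : "STALE");
}

/* Replays the frame dumps: a 5-unit node split into [0,1] [1,3] [4,1], then a
 * SetText that shrinks it to 2 units without touching the frames.  Stores the
 * last frame's computed length in *last_len; returns how many frames are still
 * in bounds. */
int simulate_stale_offsets(int32_t *last_len)
{
    const char16 storage[5] = { 'a', 'b', 'c', 'd', 'e' };  /* constructed */
    Fragment frag = { storage, 5 };
    Frame frames[3] = { { 0 }, { 1 }, { 4 } };
    int n = 3, valid = 0;

    dump_frames("before SetText", frames, n, &frag);
    frag.length = 2;   /* SetText(5 -> 2); no CharacterDataChanged is sent */
    dump_frames("after SetText", frames, n, &frag);

    for (int i = 0; i < n; i++)
        valid += frame_mapping_is_valid(frames, n, i, &frag);
    *last_len = frame_content_length(frames, n, n - 1, &frag);
    return valid;
}

int main(void)
{
    int32_t last = 0;
    int valid = simulate_stale_offsets(&last);
    printf("%d of 3 frames still valid; last frame maps [4,%d]\n", valid, last);
    return 0;
}
```

Run as-is, the second dump reports the last frame as [4,-2], the same negative length the debug assertions below report, and the middle frame [1,3] whose end (4) now lies past the 2-unit fragment; the checked copy refuses both rather than reading past the buffer the way the ASan trace shows. Clamping makes every mapping valid again ([1,1] and [2,0]) but silently drops text, which is why a fixup in reflow is at best a mitigation.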
Mats, it sounds like you made a start at debugging here -- are you continuing to look into this at all?
Flags: needinfo?(mats)
Priority: -- → P3
Yeah, I got interrupted by other stuff...  If you want to help out
or take it that's always welcome of course ;-)

I think the next step would be to debug nsBidiPresUtils::Resolve to see
if that last bidi text frame should have been removed, and look into how
we use text frame GetContentOffset/Length there in general - do we
blindly trust it even though the frame offsets might be stale vis-à-vis
the actual text content?

I think ReflowText can probably fixup the offsets for some situations
but it's not clear to me if that's how we should handle this in general.
Flags: needinfo?(mats)
Priority: P3 → P2
Lots of non-fatal assertions on debug builds too:
ASSERTION: negative length: 'GetContentEnd() - mContentOffset >= 0', file layout\generic\nsTextFrame.h, line 556
ASSERTION: Frame offsets don't fit in content: '!(contentTextLength < end - start)', file layout/base/nsBidiPresUtils.cpp, line 883
ASSERTION: negative length: 'GetContentEnd() - mContentOffset >= 0', file layout\generic\nsTextFrame.h, line 556
ASSERTION: negative length: 'GetContentEnd() - mContentOffset >= 0', file layout\generic\nsTextFrame.h, line 556
ASSERTION: negative length: 'GetContentEnd() - mContentOffset >= 0', file layout\generic\nsTextFrame.h, line 556
ASSERTION: Should have been cleared: 'mBreakSinks.IsEmpty()', file layout/generic/nsTextFrame.cpp, line 1015
ASSERTION: Should have been cleared: 'mMappedFlows.IsEmpty()', file layout/generic/nsTextFrame.cpp, line 1017
ASSERTION: Should have Reset() before destruction!: 'mCurrentWord.Length() == 0', file dom/base/nsLineBreaker.cpp, line 26
ASSERTION: Content offset/length out of bounds: 'offset + limitLength == int32_t(frag->GetLength())', file layout/generic/nsTextFrame.cpp, line 9607
ASSERTION: negative length: 'GetContentEnd() - mContentOffset >= 0', file layout\generic\nsTextFrame.h, line 556

They unfortunately go back further than can be bisected by mozregression (1 year).

What ends up being fatal on debug builds is the following assertion:
Assertion failure: [GFX1]: invalid offset -2 for gfxSkipChars length 1, at c:\builds\moz2_slave\m-in-w64-d-0000000000000000000\build\src\obj-firefox\dist\include\mozilla/gfx/Logging.h:518

Which bisects back to bug 1343552, which I guess isn't a shocking result.
INFO: Last good revision: 958099fd35ae6a9f4a1ad2a0f6335edf8ee6fbed
INFO: First bad revision: 80d9e84735e7a19fb2c064605821065b38946a4d
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=958099fd35ae6a9f4a1ad2a0f6335edf8ee6fbed&tochange=80d9e84735e7a19fb2c064605821065b38946a4d
Has Regression Range: --- → no
Keywords: assertion
Given that this bug doesn't have an owner and was wontfix'd for 56, my guess is that we won't get to this in 57. If a fix is ready soon, please nominate for uplift to beta57.
Tentatively tracking for 58.
Assignee: nobody → jfkthame
Like bug 1402036, this no longer reproduces for me on trunk, and looks like it was fixed by bug 1402442 (changeset faa69ac1c14b, merged to m-c on 2017-10-07).

Jason, can you confirm this is fixed?
Flags: needinfo?(jkratzer)
(In reply to Jonathan Kew (:jfkthame) from comment #13)
> Like bug 1402036, this no longer reproduces for me on trunk, and looks like
> it was fixed by bug 1402442 (changeset faa69ac1c14b, merged to m-c on
> 2017-10-07).
> 
> Jason, can you confirm this is fixed?

Jonathan, I am no longer able to reproduce this issue using the latest nightly.
Flags: needinfo?(jkratzer)
OK, thanks; resolving as dupe of bug 1402442. (The key factor in common seems to be the presence of display:contents, and subsequent DOM mutation.)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1402442
Does this affect esr52? It's marked as affected here, but for the duplicate, bug 1402442, ESR is unaffected.
Flags: needinfo?(jfkthame)
According to bug 1402442 comment 13, we've actually had the bug since Firefox 37; the specific testcase in that bug triggered a panic within servo (stylo) code, so that exact symptom wouldn't show up on ESR or other non-stylo releases, but the underlying bug was present and there are non-stylo-dependent ways to hit it. So I think marking bug 1402442 as esr-unaffected is perhaps a bit misleading: it's true we won't hit that exact issue (stylo panic) on ESR, but the bug is still present and could lead to other kinds of failure.

Ryan's investigation in comment 10 here also supports the idea that this is present in older releases, so I think it's a safe bet that ESR52 is affected.

It's unclear to me how easily a crash or other problem could be reproduced in a non-ASAN build, but we should assume that an out-of-bounds access like this has potentially serious implications.
Flags: needinfo?(jfkthame)
OK. Based on comment 17, should we un-dupe this bug and reopen it? If it's still a sec-high issue for esr52, we might have a chance to fix it (Since we'll still be supporting esr52 till mid-2018). 

Dan, what do you think? I will leave it to you or jfkthame to reopen or file a followup bug.
Flags: needinfo?(dveditz)
Re-opening and making it "depend on" bug 1402442. We should uplift this fix to ESR-52.

jkratzer: now that bug 1402442 has been uplifted to beta please verify that this is fixed in 57 as well as a double-check.
Status: RESOLVED → REOPENED
Depends on: 1402442
Flags: needinfo?(dveditz) → needinfo?(jkratzer)
Resolution: DUPLICATE → ---
Whiteboard: fixed by bug 1402442
(In reply to Daniel Veditz [:dveditz] from comment #19)
> Re-opening and making it "depend on" bug 1402442. We should uplift this fix
> to ESR-52.
> 
> jkratzer: now that bug 1402442 has been uplifted to beta please verify that
> this is fixed in 57 as well as a double-check.

I can confirm that this is fixed in 57.
Flags: needinfo?(jkratzer)
Hmm, it appears that the patch that landed on trunk and beta for bug 1402442 will need some rebasing if we want to fix this for esr-52 as well. Emilio, would you be able to look into that?
Flags: needinfo?(emilio)
(In reply to Jonathan Kew (:jfkthame) from comment #21)
> Hmm, it appears that the patch that landed on trunk and beta for bug 1402442
> will need some rebasing if we want to fix this for esr-52 as well. Emilio,
> would you be able to look into that?

Hmm... ESR doesn't have bug 1355351, and without it it's probably not possible to fix it the same way... I know something that should work too, but I'll need a reviewer :)
Still building, but I'm moderately confident this is the right fix if we don't want to uplift the other bug too.
Flags: needinfo?(emilio)
Attachment #8924594 - Flags: review?(mats)
I can confirm that the patch fixes all the bugs related to bug 1402442.
Comment on attachment 8924594 [details] [diff] [review]
Proposed ESR patch.

Looks like a safe wallpaper for older branches.
Attachment #8924594 - Flags: review?(mats) → review+
Comment on attachment 8924594 [details] [diff] [review]
Proposed ESR patch.

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: Sec bugs. Also, correctness bugs with display: contents in <frameset> and other similar elements + pseudo-elements.
Fix Landed on Version: 57 + 58 have bug 1402442 (which is the real fix).
Risk to taking this patch (and alternatives if risky): not real risk, I think. This is just a safe wallpaper to prevent having to uplift bug 1355351 and bug 1402442.
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8924594 - Flags: approval-mozilla-esr52?
Comment on attachment 8924594 [details] [diff] [review]
Proposed ESR patch.

Fix for sec-high issue, rebased for ESR52.4.0. Thanks Emilio!
Attachment #8924594 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
https://hg.mozilla.org/releases/mozilla-esr52/rev/de336078d36b0f6f88b0fc566a1e4132f54a78e1
Status: REOPENED → RESOLVED
Closed: 3 years ago → 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Whiteboard: fixed by bug 1402442 → [adv-main57+][adv-esr52.5+] fixed by bug 1402442
Flags: qe-verify-
Whiteboard: [adv-main57+][adv-esr52.5+] fixed by bug 1402442 → [adv-main57+][adv-esr52.5+][post-critsmash-triage] fixed by bug 1402442
Group: layout-core-security → core-security-release
Flags: in-testsuite?
Group: core-security-release