Closed
Bug 1418000
Opened 7 years ago
Closed 7 years ago
heap-buffer-overflow in nsHtml5TreeBuilder::popOnEof
Categories
(Core :: DOM: HTML Parser, defect)
Tracking
()
VERIFIED
FIXED
mozilla59
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox57 | --- | unaffected |
| firefox58 | + | verified |
| firefox59 | + | verified |
People
(Reporter: nils, Assigned: hsivonen)
References
Details
(5 keywords, Whiteboard: [post-critsmash-triage])
Attachments
(3 files)
|
404 bytes,
text/html
|
Details | |
|
26.11 KB,
text/plain
|
Details | |
|
1.04 KB,
patch
|
smaug
:
review+
gchang
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The following testcase crashes the latest ASAN build of Firefox 59.0a1 (SourceStamp=2c78cf003670a4beeb8730a78daf1edf9e744c1c).
crash.html:
<script>
function spin (x) {
console.log(x);
var x=new x.xhrp();
x.open("POST","https://mozilla.org",false);
try{x.send("X");}catch(e){}
}
function start() {
o1=window.document;
o3 = this;
o1.write("<script><"+"/script>");
o1.onreadystatechange=fun1;
o1.close();
}
function fun1() {
var x={};
x.xhrp = o3.XMLHttpRequest;
spin(x);
}
</script>
<body onload="start()"></body>
ASAN output:
=================================================================
==20041==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000289b78 at pc 0x7f5cc274f676 bp 0x7ffd3a118840 sp 0x7ffd3a118838
READ of size 8 at 0x615000289b78 thread T0 (file:// Content)
#0 0x7f5cc274f675 in nsHtml5TreeBuilder::popOnEof() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeBuilder.cpp:4130:28
#1 0x7f5cc26d8b2f in nsHtml5Parser::ParseUntilBlocked() /builds/worker/workspace/build/src/parser/html/nsHtml5Parser.cpp:650:25
#2 0x7f5cc2768326 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:459:34
#3 0x7f5cc2774b8f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:56:18
#4 0x7f5cc09277d1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
#5 0x7f5cc094d016 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#6 0x7f5cc0967b18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#7 0x7f5cc6fcefc7 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3110:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
#8 0x7f5cc6fcefc7 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3110
#9 0x7f5cc6fd0835 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2939:11
#10 0x7f5cc4b2b35b in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1249:9
#11 0x7f5cc52ee6a0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
#12 0x7f5ccb78bcf0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#13 0x7f5ccb78bcf0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
#14 0x7f5ccb78cce2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
#15 0x7f5ccc47451e in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:176:12
#16 0x7f5ccc429d95 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:358:23
#17 0x7f5ccc4541c3 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:511:21
#18 0x7f5ccc4568a7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:770:12
#19 0x7f5ccb78c06f in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#20 0x7f5ccb78c06f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:455
#21 0x7f5ccb77722c in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
#22 0x7f5ccb77722c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3098
#23 0x7f5ccb75f2ba in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
#24 0x7f5ccb78bdef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
#25 0x7f5ccb78cce2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
#26 0x7f5ccc47451e in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:176:12
#27 0x7f5ccc429d95 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:358:23
#28 0x7f5ccc4541c3 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:511:21
#29 0x7f5ccc4568a7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:770:12
#30 0x7f5ccb78c06f in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#31 0x7f5ccb78c06f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:455
#32 0x7f5ccb78cce2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
#33 0x7f5ccc1d1f1b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3032:12
#34 0x7f5cc4d0a255 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
#35 0x7f5cc571480d in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
#36 0x7f5cc571480d in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
#37 0x7f5cc56dc896 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1118:51
#38 0x7f5cc56dea62 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1293:20
#39 0x7f5cc56bfd01 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
#40 0x7f5cc56c31d2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:826:9
#41 0x7f5cc5692a5a in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:895:12
#42 0x7f5cc385b0b1 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1356:5
#43 0x7f5cc565de95 in mozilla::AsyncEventDispatcher::Run() /builds/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:70:12
#44 0x7f5cc336f413 in AddScriptRunner /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5809:13
#45 0x7f5cc336f413 in nsContentUtils::AddScriptRunner(nsIRunnable*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5816
#46 0x7f5cc565eea3 in mozilla::AsyncEventDispatcher::RunDOMEventWhenSafe() /builds/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:104:3
#47 0x7f5cc3795a3e in nsDocument::SetReadyStateInternal(nsIDocument::ReadyState) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9869:20
#48 0x7f5cc36e02b6 in nsContentSink::DidBuildModelImpl(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1543:16
#49 0x7f5cc27667d2 in nsHtml5TreeOpExecutor::DidBuildModel(bool) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:169:3
#50 0x7f5cc276f652 in nsHtml5TreeOpExecutor::FlushDocumentWrite() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:628:5
#51 0x7f5cc26d8bb2 in nsHtml5Parser::ParseUntilBlocked() /builds/worker/workspace/build/src/parser/html/nsHtml5Parser.cpp:658:22
#52 0x7f5cc26d657f in nsHtml5Parser::Parse(nsTSubstring<char16_t> const&, void*, nsTSubstring<char> const&, bool, nsDTDMode) /builds/worker/workspace/build/src/parser/html/nsHtml5Parser.cpp:273:14
#53 0x7f5cc5ae8cc5 in nsHTMLDocument::Close(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1831:54
#54 0x7f5cc4ffb88d in mozilla::dom::HTMLDocumentBinding::close(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:601:9
#55 0x7f5cc52ee6a0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
#56 0x7f5ccb78bcf0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#57 0x7f5ccb78bcf0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
#58 0x7f5ccb78cce2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
#59 0x7f5ccc47451e in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:176:12
#60 0x7f5ccc429d95 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:358:23
#61 0x7f5ccc4541c3 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:511:21
#62 0x7f5ccc4568a7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:770:12
#63 0x7f5ccb78c06f in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#64 0x7f5ccb78c06f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:455
#65 0x7f5ccb77722c in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
#66 0x7f5ccb77722c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3098
#67 0x7f5ccb75f2ba in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
#68 0x7f5ccb78bdef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
#69 0x7f5ccb78cce2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
#70 0x7f5ccc1d1f1b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3032:12
#71 0x7f5cc4d0a255 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
#72 0x7f5cc571480d in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
#73 0x7f5cc571480d in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
#74 0x7f5cc56dc896 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1118:51
#75 0x7f5cc56dea62 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1293:20
#76 0x7f5cc56bfd01 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
#77 0x7f5cc56c31d2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:826:9
#78 0x7f5cc7a2b2be in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1064:7
#79 0x7f5ccaacbdd1 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7779:21
#80 0x7f5ccaac7df4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7577:7
#81 0x7f5ccaacf68f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7474:13
#82 0x7f5cc259ae23 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1321:3
#83 0x7f5cc2599f8c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:862:14
#84 0x7f5cc2597018 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:751:9
#85 0x7f5cc2598f32 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:633:5
#86 0x7f5cc2599b8c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:489:14
#87 0x7f5cc0af5630 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
#88 0x7f5cc378fefd in nsDocument::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9379:18
#89 0x7f5cc378fac1 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9301:9
#90 0x7f5cc3769709 in nsDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5666:3
#91 0x7f5cc380ae22 in applyImpl<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
#92 0x7f5cc380ae22 in apply<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
#93 0x7f5cc380ae22 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
#94 0x7f5cc09277d1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
#95 0x7f5cc094d016 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#96 0x7f5cc0967b18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#97 0x7f5cc173fea1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#98 0x7f5cc16a061b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#99 0x7f5cc16a061b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#100 0x7f5cc16a061b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#101 0x7f5cc71a318f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
#102 0x7f5ccb4e1557 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
#103 0x7f5cc16a061b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#104 0x7f5cc16a061b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#105 0x7f5cc16a061b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#106 0x7f5ccb4e0f0a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
#107 0x4ebb0e in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#108 0x4ebb0e in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#109 0x7f5cde18082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#110 0x41d3f8 in _start (/fuzzer3/firefox/firefox+0x41d3f8)
0x615000289b78 is located 8 bytes to the left of 512-byte region [0x615000289b80,0x615000289d80)
allocated by thread T0 (file:// Content) here:
#0 0x4bbc7c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
#1 0x4ed08d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
#2 0x7f5cc2713e97 in operator new[] /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:218:12
#3 0x7f5cc2713e97 in newJArray /builds/worker/workspace/build/src/parser/html/jArray.h:53
#4 0x7f5cc2713e97 in nsHtml5TreeBuilder::startTokenization(nsHtml5Tokenizer*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeBuilder.cpp:78
#5 0x7f5cc26d63c8 in nsHtml5Parser::Parse(nsTSubstring<char16_t> const&, void*, nsTSubstring<char> const&, bool, nsDTDMode) /builds/worker/workspace/build/src/parser/html/nsHtml5Parser.cpp:243:17
#6 0x7f5cc5aea218 in nsHTMLDocument::WriteCommon(JSContext*, nsTSubstring<char16_t> const&, bool) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1997:56
#7 0x7f5cc5ae9149 in nsHTMLDocument::WriteCommon(JSContext*, mozilla::dom::Sequence<nsTString<char16_t> > const&, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1882:10
#8 0x7f5cc4ffbf52 in mozilla::dom::HTMLDocumentBinding::write(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:652:9
#9 0x7f5cc52ee6a0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
#10 0x7f5ccb78bcf0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#11 0x7f5ccb78bcf0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
#12 0x7f5ccb77722c in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
#13 0x7f5ccb77722c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3098
#14 0x7f5ccb75f2ba in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
#15 0x7f5ccb78bdef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
#16 0x7f5ccb78cce2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
#17 0x7f5ccc1d1f1b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3032:12
#18 0x7f5cc4d0a255 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
#19 0x7f5cc571480d in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
#20 0x7f5cc571480d in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
#21 0x7f5cc56dc896 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1118:51
#22 0x7f5cc56dea62 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1293:20
#23 0x7f5cc56bfd01 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
#24 0x7f5cc56c31d2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:826:9
#25 0x7f5cc7a2b2be in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1064:7
#26 0x7f5ccaacbdd1 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7779:21
#27 0x7f5ccaac7df4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7577:7
#28 0x7f5ccaacf68f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7474:13
#29 0x7f5cc259ae23 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1321:3
#30 0x7f5cc2599f8c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:862:14
#31 0x7f5cc2597018 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:751:9
#32 0x7f5cc2598f32 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:633:5
#33 0x7f5cc2599b8c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:489:14
#34 0x7f5cc0af5630 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/parser/html/nsHtml5TreeBuilder.cpp:4130:28 in nsHtml5TreeBuilder::popOnEof()
Shadow bytes around the buggy address:
0x0c2a80049310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a80049320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a80049330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a80049340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a80049350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a80049360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c2a80049370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a80049380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a80049390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a800493a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a800493b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20041==ABORTING
|
||
Comment 2•7 years ago
|
||
Can you take a look, Henri? Thanks.
Group: core-security → dom-core-security
Flags: needinfo?(hsivonen)
Keywords: csectype-bounds,
sec-high
|
||
Comment 3•7 years ago
|
||
Debug builds also hit the below assertion:
Assertion failure: index >= 0 (Array access with negative index.), at z:\build\build\src\parser\html\jArray.h:96
INFO: Last good revision: 8fb7879b388f48c66712e23fd69bc8919436b834
INFO: First bad revision: 388ffddeb4623b932ed67554f2ddc434b1fed8fb
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8fb7879b388f48c66712e23fd69bc8919436b834&tochange=388ffddeb4623b932ed67554f2ddc434b1fed8fb
Has Regression Range: --- → yes
status-firefox57:
--- → unaffected
status-firefox58:
--- → affected
status-firefox-esr52:
--- → unaffected
tracking-firefox58:
--- → ?
tracking-firefox59:
--- → ?
Version: 59 Branch → 58 Branch
|
Assignee | |
Comment 4•7 years ago
|
||
Perhaps mInsertionPointPermanentlyUndefined should be renamed to mEOFTokenized for its use to make more sense here.
Again, the purpose is the same as before: We need the "parse has ended" effects of the document and executor having dropped reference to the parser but we can't just go drop those references when it would make sense, because end-of-parse event machinery expects those refernces to say around for a bit longer, so we need to check another signal that we've already processed the EOF and must not attempt to call into the tokenizer again.
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Flags: needinfo?(hsivonen)
Attachment #8929408 -
Flags: review?(bugs)
|
||
Updated•7 years ago
|
Attachment #8929408 -
Flags: review?(bugs) → review+
|
|
Assignee | |
Comment 5•7 years ago
|
||
Comment on attachment 8929408 [details] [diff] [review]
Check mInsertionPointPermanentlyUndefined when checking for executor completion
[Security approval request comment]
> How easily could an exploit be constructed based on the patch?
Not obvious but could be guessed with enough pondering and knowledge about Gecko architecture.
> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.
> Which older supported branches are affected by this flaw?
58
> If not all supported branches, which bug introduced the flaw?
Bug 1364399.
> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
The same patch should apply.
> How likely is this patch to cause regressions; how much testing does it need?
Very unlikely to break anything, because the patch prevents call into an object that's on an invalid state, so where the patch makes a difference, the behavior without the patch is sure to be worse.
Attachment #8929408 -
Flags: sec-approval?
|
||
Updated•7 years ago
|
Attachment #8929408 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Updated•7 years ago
|
Keywords: checkin-needed
|
|
||
Comment 7•7 years ago
|
||
Blocks: 1364399
Keywords: checkin-needed
|
||
Comment 8•7 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
|
|
||
Comment 9•7 years ago
|
||
Olli, can you please do the Beta approval request since Henri is away for awhile? Thanks!
Flags: needinfo?(bugs)
|
|
||
Comment 10•7 years ago
|
||
Comment on attachment 8929408 [details] [diff] [review]
Check mInsertionPointPermanentlyUndefined when checking for executor completion
Approval Request Comment
[Feature/Bug causing the regression]: bug 1364399
[User impact if declined]: crashes, heap-buffer-overflow
[Is this code covered by automated tests?]: only the test in this bug
[Has the fix been verified in Nightly?]: test passes
[Needs manual test from QE? If yes, steps to reproduce]: run the test
[List of other uplifts needed for the feature/fix]: NA
[Is the change risky?]: This is basically adding a check which was missed in bug 1364399
[Why is the change risky/not risky?]: see above
[String changes made/needed]:NA
Flags: needinfo?(bugs)
Attachment #8929408 -
Flags: approval-mozilla-beta?
|
||
Comment 11•7 years ago
|
||
Comment on attachment 8929408 [details] [diff] [review]
Check mInsertionPointPermanentlyUndefined when checking for executor completion
Fix a sec-high. Beta58+.
Attachment #8929408 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 12•7 years ago
|
||
| uplift | ||
|
||
Updated•7 years ago
|
Group: dom-core-security → core-security-release
|
||
Updated•7 years ago
|
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
|
|
||
Updated•7 years ago
|
Flags: sec-bounty?
|
||
Comment 14•7 years ago
|
||
I reproduced this issue using the ASAN build from 2017-11-16 (Fx 59.0a1), using Windows 10 x64.
I can confirm this issue is fixed, I verified using the latest ASAN build (Fx 59.0a1) and Fx 58.0(ASAN), using Windows 10 x64, mac OS X 10.13.3 and Ubuntu 14.04 LTS x64.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
|
|
||
Updated•7 years ago
|
Group: core-security-release
|
|
||
Updated•7 years ago
|
Flags: sec-bounty? → sec-bounty+
|
||
Updated•6 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•