Bug 1419751
Opened 7 years ago
Closed 7 years ago
Crash in nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster
Categories
(Core :: DOM: HTML Parser, defect)
RESOLVED
DUPLICATE
of bug 1414490
People
(Reporter: jcristau, Unassigned)
Details
(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [adv-main58-])
Crash Data
This bug was filed from the Socorro interface and is report bp-82b64577-42d7-437d-a074-033120171122.
=============================================================
Top 10 frames of crashing thread:
0 xul.dll nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster parser/html/nsHtml5TreeBuilder.cpp:4257
1 xul.dll nsHtml5TreeBuilder::startTag parser/html/nsHtml5TreeBuilder.cpp:1109
2 xul.dll nsHtml5Tokenizer::emitCurrentTagToken parser/html/nsHtml5Tokenizer.cpp:342
3 xul.dll nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy> parser/html/nsHtml5Tokenizer.cpp:2329
4 xul.dll nsHtml5Tokenizer::tokenizeBuffer parser/html/nsHtml5Tokenizer.cpp:449
5 xul.dll nsHtml5Parser::Parse parser/html/nsHtml5Parser.cpp:388
6 xul.dll nsHTMLDocument::WriteCommon dom/html/nsHTMLDocument.cpp:2029
7 xul.dll nsHTMLDocument::WriteCommon dom/html/nsHTMLDocument.cpp:1917
8 xul.dll mozilla::dom::HTMLDocumentBinding::write dom/bindings/HTMLDocumentBinding.cpp:652
9 xul.dll mozilla::dom::GenericBindingMethod dom/bindings/BindingUtils.cpp:3040
=============================================================
This signature spikes in 58.0b4 and socorro shows a number of crashes at 0xffffffffe5e5e5e9, so filing as security sensitive.
Comment 1 • 7 years ago
Almost all the related urls start with "http://www.phimmoi.net".
Updated • 7 years ago
Group: core-security → dom-core-security
Comment 2 • 7 years ago
(In reply to Julien Cristau [:jcristau] from comment #0)
> This signature spikes in 58.0b4 and socorro shows a number of crashes at
> 0xffffffffe5e5e5e9, so filing as security sensitive.
And even more crashes at 0xffffffffffffffff, and when you look at the registers in those usually r15 is 0xe5e5e5e5e5e5e5e5e5e5 -- also appears to be a use after free (though could be an uninitialized value allocated on reused memory?)
(In reply to Calixte Denizet (:calixte) from comment #1)
> Almost all the related urls start with "http://www.phimmoi.net".
And of the handful that aren't most of the rest are also Vietnamese sites (plus one instance of www.mtv.fi and a couple aliexpress).
I don't see anything changing in nsHtml5TreeBuilder between 58b3 and 58b4 except renaming nsIAtom to nsAtom, and hard to imagine that could cause a crash spike. But if the problem were with the site itself I'd expect to see a spike in Release crashes, too. Maybe something in the HTML parser that landed earlier in 58, plus a site change?
[Tracking Requested - why for this release]:
800+ crashes in a week -- this will be a release blocker.
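The reasoning in comment 2 (a fault address of 0xffffffffe5e5e5e9, a register holding 0xe5e5...) is a manual check against the allocator's free-poison fill. The following is an added example that automates that check; it is not code from this bug, from Socorro, or from Firefox. It assumes that freed memory is filled with the byte 0xe5 (mozjemalloc's free poison), that a pointer loaded from such memory therefore reads as the poison pattern plus a small field offset, and that the 0xffffffffe5e5e5xx form is a 32-bit poison value sign-extended to 64 bits. The sample reports at the bottom are constructed to match the two crash shapes described above, not copied from any real minidump; `triage` and `classify_value` are names chosen here.

```python
# Added example (not from the bug or from Firefox's own tooling): classify
# crash addresses and register values the way comment 2 does by eye.
# Assumption: the allocator fills freed memory with byte 0xE5 (mozjemalloc's
# free poison), so a pointer loaded from freed memory reads as 0xe5e5... plus
# whatever field offset was added before the dereference.
POISON_BYTE = 0xE5
MAX_FIELD_OFFSET = 0x100   # treat poison + small offset as "pointer + field"
MASK64 = (1 << 64) - 1
MASK32 = (1 << 32) - 1


def _fill(byte, nbytes):
    """Integer whose every byte is `byte`, e.g. _fill(0xE5, 4) == 0xe5e5e5e5."""
    return int.from_bytes(bytes([byte]) * nbytes, "big")


def classify_value(value):
    """Label a 64-bit fault address or register value.

    Returns one of: 'null', 'all-ones', 'free-poison64+<off>',
    'free-poison32+<off> (sign-extended|zero-extended)', or 'other'.
    """
    value &= MASK64
    if value == 0:
        return "null"
    if value == MASK64:
        return "all-ones"

    # A 64-bit pointer read straight out of freed memory.
    off = value - _fill(POISON_BYTE, 8)
    if 0 <= off < MAX_FIELD_OFFSET:
        return f"free-poison64+{off:#x}"

    # A 32-bit poisoned value widened to 64 bits: sign-extension gives the
    # 0xffffffffe5e5e5xx form seen as the crash address on this bug.
    low, high = value & MASK32, value >> 32
    off = low - _fill(POISON_BYTE, 4)
    if 0 <= off < MAX_FIELD_OFFSET and high in (0, MASK32):
        ext = "sign-extended" if high else "zero-extended"
        return f"free-poison32+{off:#x} ({ext})"
    return "other"


def triage(crash_address, registers):
    """Summarise one report as (verdict, {name: label}).

    `registers` maps register names to integer values, as you would parse
    them out of a crash report's raw dump.
    """
    labels = {"crash_address": classify_value(crash_address)}
    labels.update((name, classify_value(val)) for name, val in registers.items())
    poisoned = sorted(k for k, v in labels.items() if v.startswith("free-poison"))
    if poisoned:
        verdict = ("freed-memory poison in " + ", ".join(poisoned)
                   + ": likely use-after-free (or a stale read of reused memory)")
    else:
        verdict = "no poison pattern: inconclusive from address/registers alone"
    return verdict, labels


# Constructed sample reports modelled on the two shapes comment 2 describes
# (values are illustrative, not copied from any real minidump).
SAMPLE_REPORTS = [
    {"crash_address": 0xFFFFFFFFE5E5E5E9, "registers": {"rax": 0x7FF612340000}},
    {"crash_address": 0xFFFFFFFFFFFFFFFF, "registers": {"r15": 0xE5E5E5E5E5E5E5E5}},
    {"crash_address": 0x0, "registers": {"rcx": 0x0}},
]

if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        verdict, labels = triage(report["crash_address"], report["registers"])
        print(f"{report['crash_address']:#018x}: {verdict}")
        for name, label in labels.items():
            print(f"    {name:>14}: {label}")
```

The classifier deliberately keeps the caveat from comment 2: a poison pattern in a register proves that the value came from freed memory, not that the bug is a classic use-after-free rather than an uninitialized read of a recycled allocation, so the verdict says "likely" and leaves the distinction to the stack and the allocation history.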
Comment 3 • 7 years ago
Is this a dup of bug 1414490?
Comment 4 • 7 years ago
Based on crash-stat and stack trace, it looks like so.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated • 7 years ago
Flags: needinfo?(hsivonen)
Updated • 7 years ago
Whiteboard: [adv-main58-]
Updated • 6 years ago
Group: dom-core-security