Closed Bug 1454133 Opened 7 years ago Closed 7 years ago

heap-buffer-overflow in [@ NonMappedAttrCount]

Categories

(Core :: DOM: Editor, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 1454126
Tracking Status
firefox61 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

Attached file testcase.html
==86815==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000c19fd0 at pc 0x7ff80132780b bp 0x7ffd8b3942c0 sp 0x7ffd8b3942b8
READ of size 8 at 0x603000c19fd0 thread T0
    #0 0x7ff80132780a in NonMappedAttrCount src/dom/base/nsAttrAndChildArray.cpp:714:24
    #1 0x7ff80132780a in nsAttrAndChildArray::AttrCount() const src/dom/base/nsAttrAndChildArray.cpp:296
    #2 0x7ff80124d261 in mozilla::dom::FragmentOrElement::cycleCollection::TraverseNative(void*, nsCycleCollectionTraversalCallback&) src/dom/base/FragmentOrElement.cpp:2029:45
    #3 0x7ff7fe16d7be in TraverseNativeAndJS src/xpcom/base/nsCycleCollectionParticipant.h:133:19
    #4 0x7ff7fe16d7be in CCGraphBuilder::BuildGraph(js::SliceBudget&) src/xpcom/base/nsCycleCollector.cpp:2336
    #5 0x7ff7fe17555e in nsCycleCollector::MarkRoots(js::SliceBudget&) src/xpcom/base/nsCycleCollector.cpp:2957:33
    #6 0x7ff7fe17c47c in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3750:9
    #7 0x7ff7fe180032 in nsCycleCollector_collect(nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:4315:21
    #8 0x7ff8014eebde in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) src/dom/base/nsJSEnvironment.cpp:1488:3
    #9 0x7ff80106730b in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*) src/dom/base/nsDOMWindowUtils.cpp:1271:3
    #10 0x7ff7fe3148a1 in NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #11 0x7ff7ffbb244e in Invoke src/js/xpconnect/src/XPCWrappedNative.cpp:1951:12
    #12 0x7ff7ffbb244e in Call src/js/xpconnect/src/XPCWrappedNative.cpp:1267
    #13 0x7ff7ffbb244e in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1234
    #14 0x7ff7ffbb90e8 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:911:12
    #15 0x7ff80a13aad7 in CallJSNative src/js/src/vm/JSContext-inl.h:290:15
    #16 0x7ff80a13aad7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467
    #17 0x7ff80a1255cb in CallFromStack src/js/src/vm/Interpreter.cpp:522:12
    #18 0x7ff80a1255cb in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3084
    #19 0x7ff80a10bcc7 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
    #20 0x7ff80a13a855 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
    #21 0x7ff80a13bad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
    #22 0x7ff80ac2b5cd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2977:12
    #23 0x7ff7ffadbfbc in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/ExportHelpers.cpp:319:18
    #24 0x7ff80a13aad7 in CallJSNative src/js/src/vm/JSContext-inl.h:290:15
    #25 0x7ff80a13aad7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467
    #26 0x7ff80a1255cb in CallFromStack src/js/src/vm/Interpreter.cpp:522:12
    #27 0x7ff80a1255cb in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3084
    #28 0x7ff80a10bcc7 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
    #29 0x7ff80a13a855 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
    #30 0x7ff80a13bad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
    #31 0x7ff80ac2b5cd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2977:12
    #32 0x7ff8030216ef in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #33 0x7ff803fbc9f1 in HandleEvent<mozilla::dom::EventTarget *> src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #34 0x7ff803fbc9f1 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1118
    #35 0x7ff803fbe21c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1290:20
    #36 0x7ff803fa8687 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:527:16
    #37 0x7ff803fac423 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:933:9
    #38 0x7ff806270218 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1066:7
    #39 0x7ff8093fe84b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7217:21
    #40 0x7ff8093fac49 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:7010:7
    #41 0x7ff80940254f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #42 0x7ff80008d0f7 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1315:3
    #43 0x7ff80008c17a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:858:14
    #44 0x7ff800088d55 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:747:9
    #45 0x7ff80008ad1c in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:632:5
    #46 0x7ff80008bd3c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #47 0x7ff7fe4c1d2a in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
    #48 0x7ff8014279da in DoUnblockOnload src/dom/base/nsDocument.cpp:8409:18
    #49 0x7ff8014279da in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8331
    #50 0x7ff80140833a in nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5314:3
    #51 0x7ff801523e74 in applyImpl<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1164:12
    #52 0x7ff801523e74 in apply<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1170
    #53 0x7ff801523e74 in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1215
    #54 0x7ff7fe2e8c89 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1096:14
    #55 0x7ff7fe3046c0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #56 0x7ff7ff1cd74a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #57 0x7ff7ff122289 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #58 0x7ff7ff122289 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #59 0x7ff7ff122289 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #60 0x7ff805bd0d3a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #61 0x7ff809c6006b in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290:30
    #62 0x7ff809e68c1c in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4834:22
    #63 0x7ff809e6bd5c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4979:8
    #64 0x7ff809e6d224 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5071:21
    #65 0x4f168b in do_main src/browser/app/nsBrowserApp.cpp:231:22
    #66 0x4f168b in main src/browser/app/nsBrowserApp.cpp:304
    #67 0x7ff81da0582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #68 0x420f48 in _start (firefox+0x420f48)

0x603000c19fd6 is located 0 bytes to the right of 22-byte region [0x603000c19fc0,0x603000c19fd6)
allocated by thread T0 here:
    #0 0x4c1c93 in malloc src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7ff7fe1225a1 in nsStringBuffer::Alloc(unsigned long) src/xpcom/string/nsSubstring.cpp:256:22
    #2 0x7ff80159be4d in nsTextFragment::SetTo(char16_t const*, int, bool, bool) src/dom/base/nsTextFragment.cpp:302:11
    #3 0x7ff8011981cf in mozilla::dom::CharacterData::SetTextInternal(unsigned int, unsigned int, char16_t const*, unsigned int, bool, CharacterDataChangeInfo::Details*) src/dom/base/CharacterData.cpp:304:13
    #4 0x7ff80119b26e in mozilla::dom::CharacterData::SetText(char16_t const*, unsigned int, bool) src/dom/base/CharacterData.cpp:715:10
    #5 0x7ff8066f60f7 in SetText src/obj-firefox/dist/include/mozilla/dom/CharacterData.h:150:12
    #6 0x7ff8066f60f7 in nsTextControlFrame::UpdateValueDisplay(bool, bool, nsTSubstring<char16_t> const*) src/layout/forms/nsTextControlFrame.cpp:1326
    #7 0x7ff8043c2c4d in nsTextEditorState::SetValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, unsigned int) src/dom/html/nsTextEditorState.cpp:2509:22
    #8 0x7ff8042173f2 in mozilla::dom::HTMLInputElement::SetValueInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const*, unsigned int) src/dom/html/HTMLInputElement.cpp:2867:33
    #9 0x7ff8043c19b6 in nsTextEditorState::SetRangeText(nsTSubstring<char16_t> const&, unsigned int, unsigned int, mozilla::dom::SelectionMode, mozilla::ErrorResult&, mozilla::Maybe<unsigned int> const&, mozilla::Maybe<unsigned int> const&) src/dom/html/nsTextEditorState.cpp:1933:35
    #10 0x7ff80423b71f in mozilla::dom::HTMLInputElement::SetRangeText(nsTSubstring<char16_t> const&, unsigned int, unsigned int, mozilla::dom::SelectionMode, mozilla::ErrorResult&) src/dom/html/HTMLInputElement.cpp:5919:10
    #11 0x7ff803523123 in mozilla::dom::HTMLInputElementBinding::setRangeText(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLInputElement*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLInputElementBinding.cpp:3627:13
    #12 0x7ff80388d501 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3242:13
    #13 0x7ff80a13aad7 in CallJSNative src/js/src/vm/JSContext-inl.h:290:15
    #14 0x7ff80a13aad7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467
    #15 0x7ff80a1255cb in CallFromStack src/js/src/vm/Interpreter.cpp:522:12
    #16 0x7ff80a1255cb in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3084
    #17 0x7ff80a10bcc7 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
    #18 0x7ff80a13a855 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
    #19 0x7ff80a13bad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
    #20 0x7ff80ac2b5cd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2977:12
    #21 0x7ff80301c93e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #22 0x7ff803ff6890 in Call<nsISupports *> src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #23 0x7ff803ff6890 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) src/dom/events/JSEventHandler.cpp:215
    #24 0x7ff803fbca3c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1121:51
    #25 0x7ff803fbe21c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1290:20
    #26 0x7ff803fa8687 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:527:16
    #27 0x7ff803fac423 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:933:9
    #28 0x7ff806270218 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1066:7
    #29 0x7ff8093fe84b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7217:21
    #30 0x7ff8093fac49 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:7010:7
    #31 0x7ff80940254f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #32 0x7ff80008d0f7 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1315:3
    #33 0x7ff80008c17a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:858:14
Flags: in-testsuite?
Depends on: 1454126
No longer depends on: 1454126
See Also: → 1454126
Comment on attachment 8967919 [details] testcase.html

Although I haven't created a fuzzPriv extension environment, it seems that this might be fixed by bug 1454126, since this testcase tries to modify the DOM tree in an <input> element.
Tyson, can you see if this still reproduces? If not, it sounds like we could dupe it. Thanks.
Flags: needinfo?(twsmith)
Keywords: sec-high
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(twsmith)
Resolution: --- → DUPLICATE

Removing employee no longer with company from CC list of private bugs.

Group: dom-core-security