Closed Bug 1459648 Opened 6 years ago Closed 6 years ago

AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:892:19 in nsFloatManager::EllipseShapeInfo::EllipseShapeInfo(nsPoint const&, nsSize const&, int, int

Categories: Core :: Layout, defect
Version: 61 Branch
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 1457288
People: Reporter: rs, Unassigned
Attachments: 1 file

Attached file overflow.html.gz
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3418.2 Safari/537.36

Steps to reproduce:

<style>
* { -webkit-animation-fill-mode: none; float: right; -webkit-transform: rotate(0deg); -webkit-border-top-right-radius: 1px 1px; box-shadow: 30px 0px 1px; flex-grow: 0; overflow-wrap: normal; stroke-opacity: 0; shape-margin: 27%; marker-mid: url(data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7); word-break: solid; user-zoom: zoom; -webkit-column-fill: auto; animation: anim 4s infinite alternate; column-rule: -1px solid; -webkit-backface-visibility: visible; --cssvarb: after; background-blend-mode: color-dodge, normal; -webkit-border-before: 1px solid; marker-mid: url(#svgvar00002) }
.class8, #htmlvar00009, dfn:only-child, .class2 { -webkit-app-region: drag; weight: *; columns: 82; font-variant-ligatures: common-ligatures; translate: inherit; -webkit-rtl-ordering: visual; border-left-style: hidden; counter-increment: c; min-height: 1vmax; flood-color: rgb(114,197,221); font: normal 46 69%/0 sans-serif; column-span: all; -webkit-flow-from: flow1; -webkit-mask-box-image-repeat: stretch; align-self: left unsafe; -webkit-box-flex: 57; content: counter(c, lower-alpha); user-select: none; -webkit-border-top-right-radius: 1px -1px; -webkit-marquee-speed: 0 }
</style>
<dl id="htmlvar00009" compact="compact" style="box-pack: end; -webkit-border-before-color: white; opacity: 0; order: inherit; shape-outside: padding-box ellipse(22% 46% at center right)" style="-webkit-column-break-inside: avoid; border-right-color: ; -webkit-text-decorations-in-effect: underline; overflow-y: overlay; vertical-align: -1vh" compact="compact" tabindex="1" left="22" onsuspend="eventhandler3()" list="htmlvar00002" poster="6aJ&gt;Uol&quot;yZNQL5%:AQX" rowspan="1">
<dt id="htmlvar00011" style="-webkit-border-after-width: 0px; -webkit-box-flex: -1; -webkit-mask-repeat: space space; -webkit-padding-after: 0px; grid-row-start: last" class="class2" contenteditable="plaintext-only" style="font-face: Arial; scale: 0.7856741268533086 0 0; -webkit-border-bottom-left-radius: 1px 0px; -webkit-mask: below url(data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7); mso-font-kerning: 0pt" tabindex="1" abbr="UblM`WXMZ" select="#htmlvar00003" inner="1" archive=".6H|6nzQGMv~" itemtype=".zX++`(zX`=&lt;sZ">/`&amp;{vi\lb8E7E`XU4s</dt>


Actual results:

==20623==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f90d8d02422 at pc 0x7f90fbb914d5 bp 0x7ffd93d9cad0 sp 0x7ffd93d9cac8
WRITE of size 2 at 0x7f90d8d02422 thread T0 (file:// Content)
    #0 0x7f90fbb914d4 in nsFloatManager::EllipseShapeInfo::EllipseShapeInfo(nsPoint const&, nsSize const&, int, int) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:892:19
    #1 0x7f90fbb9c911 in MakeUnique<nsFloatManager::EllipseShapeInfo, nsPoint &, nsSize &, int &, int &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:680:27
    #2 0x7f90fbb9c911 in nsFloatManager::ShapeInfo::CreateCircleOrEllipse(mozilla::UniquePtr<mozilla::StyleBasicShape, mozilla::DefaultDelete<mozilla::StyleBasicShape> > const&, int, nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2330
    #3 0x7f90fbb9835e in CreateBasicShape /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2197:14                                                                      
    #4 0x7f90fbb9835e in nsFloatManager::FloatInfo::FloatInfo(nsIFrame*, int, int, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2005
    #5 0x7f90fbb2f74f in nsFloatManager::AddFloat(nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:260:13
    #6 0x7f90fba8eacb in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:994:19
    #7 0x7f90fba8be1f in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14
    #8 0x7f90fbce85a1 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:182:22
    #9 0x7f90fbce85a1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:966
    #10 0x7f90fbb1d6cd in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4158:15
    #11 0x7f90fbb1c077 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3958:5
    #12 0x7f90fbb12d99 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3832:9
    #13 0x7f90fbb0b2f0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2816:5        
    #14 0x7f90fbb00b70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7                              
    #15 0x7f90fbaf8384 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3
    #16 0x7f90fbb195f7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #17 0x7f90fbb2d79a in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6333:9
    #18 0x7f90fba8dcfd in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13                             
    #19 0x7f90fba8be1f in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14                  
    #20 0x7f90fbce85a1 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:182:22                                                                                  
    #21 0x7f90fbce85a1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:966       
    #22 0x7f90fbb1d6cd in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4158:15
    #23 0x7f90fbb1c077 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3958:5
    #24 0x7f90fbb12d99 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3832:9
    #25 0x7f90fbb0b2f0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2816:5        
    #26 0x7f90fbb00b70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7                              
    #27 0x7f90fbaf8384 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3
    #28 0x7f90fbb58846 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #29 0x7f90fbb57092 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:713:5
    #30 0x7f90fbb58846 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #31 0x7f90fbc3fb28 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:555:3
    #32 0x7f90fbc40f49 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:678:3
    #33 0x7f90fbc44f28 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1055:3
    #34 0x7f90fbadc6de in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14
    #35 0x7f90fbadb25e in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:335:7
    #36 0x7f90fb8c08a0 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8960:11
    #37 0x7f90fb8d64b0 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9133:24
    #38 0x7f90fb8d48b9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4342:11
    #39 0x7f90f6b671b8 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:592:5
    #40 0x7f90f6b671b8 in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7587
    #41 0x7f90f6946541 in GetPrimaryFrame /builds/worker/workspace/build/src/dom/base/Element.cpp:2295:10
    #42 0x7f90f6946541 in mozilla::dom::Element::GetScrollFrame(nsIFrame**, mozilla::FlushType) /builds/worker/workspace/build/src/dom/base/Element.cpp:680
    #43 0x7f90f6949b4e in mozilla::dom::Element::GetClientAreaRect() /builds/worker/workspace/build/src/dom/base/Element.cpp:1049:28
    #44 0x7f90f8864f2f in ClientHeight /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1310:50
    #45 0x7f90f8864f2f in mozilla::dom::ElementBinding::get_clientHeight(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:3385
    #46 0x7f90f8fad951 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3136:13
    #47 0x7f90ff86ce87 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
    #48 0x7f90ff86ce87 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #49 0x7f90ff86de82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #50 0x7f910039d04a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2989:12
    #51 0x7f90f5128131 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/jsapi.h:3082:12
    #52 0x7f90f5128131 in xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /builds/worker/workspace/build/src/js/xpconnect/wrappers/XrayWrapper.cpp:2387
    #53 0x7f9100456ee4 in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:351:21
    #54 0x7f9100456ee4 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:361
    #55 0x7f910045711e in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1639:16
    #56 0x7f910045711e in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:347                                                                                         
    #57 0x7f910045711e in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:361
    #58 0x7f910045711e in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1639:16                                                                                   
    #59 0x7f910045711e in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:347                                                                                         
    #60 0x7f910045711e in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:361
    #61 0x7f910045711e in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1639:16                                                                                   
    #62 0x7f910045711e in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:347                                                                                         
    #63 0x7f910045711e in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:361
    #64 0x7f910045711e in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1639:16                                                                                   
    #65 0x7f910045711e in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:347                                                                                         
    #66 0x7f910045711e in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:361
    #67 0x7f90ff878872 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1639:16                                                                                   
    #68 0x7f90ff878872 in GetProperty /builds/worker/workspace/build/src/js/src/vm/JSObject.h:800                                                                                           
    #69 0x7f90ff878872 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4397
    #70 0x7f90ff85a9f7 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:213:12                                                                          
    #71 0x7f90ff85a9f7 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2803                                                            
    #72 0x7f90ff83e087 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12                                                      
    #73 0x7f90ff86cc05 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15              
    #74 0x7f90ffa4b06c in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2380:14
    #75 0x3825c82302f7  (<unknown module>)

0x7f90d8d02422 is located 0 bytes to the right of 3941375010-byte region [0x7f8fede38800,0x7f90d8d02422)
allocated by thread T0 (file:// Content) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f90fbb90c72 in operator new[] /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:174:12
    #2 0x7f90fbb90c72 in MakeUniqueFallible<unsigned short []> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtrExtensions.h:33
    #3 0x7f90fbb90c72 in nsFloatManager::EllipseShapeInfo::EllipseShapeInfo(nsPoint const&, nsSize const&, int, int) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:827
    #4 0x7f90fbb9c911 in MakeUnique<nsFloatManager::EllipseShapeInfo, nsPoint &, nsSize &, int &, int &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:680:27
    #5 0x7f90fbb9c911 in nsFloatManager::ShapeInfo::CreateCircleOrEllipse(mozilla::UniquePtr<mozilla::StyleBasicShape, mozilla::DefaultDelete<mozilla::StyleBasicShape> > const&, int, nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2330
    #6 0x7f90fbb9835e in CreateBasicShape /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2197:14                                                                      
    #7 0x7f90fbb9835e in nsFloatManager::FloatInfo::FloatInfo(nsIFrame*, int, int, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2005
    #8 0x7f90fbb2f74f in nsFloatManager::AddFloat(nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:260:13
    #9 0x7f90fba8eacb in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:994:19                              
    #10 0x7f90fba8be1f in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14                  
    #11 0x7f90fbce85a1 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:182:22                                                                                  
    #12 0x7f90fbce85a1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:966       
    #13 0x7f90fbb1d6cd in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4158:15
    #14 0x7f90fbb1c077 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3958:5
    #15 0x7f90fbb12d99 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3832:9
    #16 0x7f90fbb0b2f0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2816:5        
    #17 0x7f90fbb00b70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7                              
    #18 0x7f90fbaf8384 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3
    #19 0x7f90fbb195f7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #20 0x7f90fbb2d79a in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6333:9
    #21 0x7f90fba8dcfd in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13                             
    #22 0x7f90fba8be1f in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14                  
    #23 0x7f90fbce85a1 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:182:22                                                                                  
    #24 0x7f90fbce85a1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:966       
    #25 0x7f90fbb1d6cd in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4158:15
    #26 0x7f90fbb1c077 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3958:5
    #27 0x7f90fbb12d99 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3832:9
    #28 0x7f90fbb0b2f0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2816:5        
    #29 0x7f90fbb00b70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7                              
    #30 0x7f90fbaf8384 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3
    #31 0x7f90fbb58846 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #32 0x7f90fbb57092 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:713:5
    #33 0x7f90fbb58846 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #34 0x7f90fbc3fb28 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:555:3
    #35 0x7f90fbc40f49 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:678:3
                                                                                                                                                                                            
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:892:19 in nsFloatManager::EllipseShapeInfo::EllipseShapeInfo(nsPoint const&, nsSize const&, int, int)
Shadow bytes around the buggy address:
  0x0ff29b198430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff29b198440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff29b198450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff29b198460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff29b198470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff29b198480: 00 00 00 00[02]fa fa fa fa fa fa fa fa fa fa fa
  0x0ff29b198490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff29b1984a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff29b1984b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff29b1984c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff29b1984d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20623==ABORTING


Expected results:

Mozilla Firefox 61.0a1 build ID 20180430095344. It does not fail in today's build.
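As an added triage aid (not part of the bug report or of the Firefox sources), the helper below parses the header lines of the ASan report quoted above, re-derives the region arithmetic from the raw addresses rather than trusting the printed distance, and, using the 2-byte element size of the unsigned short[] allocation shown in the allocation stack, reports that the write lands exactly one element past the end of the buffer. The excerpt is constructed from the report above; the function and class names are my own.

```python
"""ASan heap-buffer-overflow triage helper (added example, not part of the bug
report or of the Firefox sources).

It parses the header lines of a report in the format above, re-derives the
region arithmetic from the raw addresses instead of trusting ASan's prose,
and converts the byte offset into an element index for the array type seen
in the allocation stack (unsigned short[] here, so element_size=2).
"""
import re
from dataclasses import dataclass

# Constructed excerpt: the three header lines copied from the report above.
ASAN_EXCERPT = """\
==20623==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f90d8d02422 at pc 0x7f90fbb914d5 bp 0x7ffd93d9cad0 sp 0x7ffd93d9cac8
WRITE of size 2 at 0x7f90d8d02422 thread T0 (file:// Content)
0x7f90d8d02422 is located 0 bytes to the right of 3941375010-byte region [0x7f8fede38800,0x7f90d8d02422)
"""

ERROR_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes? to the (?P<side>left|right) of "
    r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")


@dataclass
class Triage:
    kind: str           # ASan bug class, e.g. heap-buffer-overflow
    op: str             # READ or WRITE
    access_size: int    # bytes touched by the faulting access
    addr: int           # faulting address
    region_lo: int      # allocation start (inclusive)
    region_hi: int      # allocation end (exclusive)
    region_size: int    # allocation size as ASan printed it
    offset: int         # addr - region_lo; == region_size means "first byte past end"
    element_index: int  # offset // element_size
    element_count: int  # region_size // element_size
    consistent: bool    # printed size and distance agree with the raw addresses


def parse_asan(text: str, element_size: int = 1) -> Triage:
    """Extract the access and region facts from an ASan report header."""
    err, acc, reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (err and acc and reg):
        raise ValueError("not a recognised ASan heap-buffer-overflow header")
    addr = int(acc["addr"], 16)
    lo, hi = int(reg["lo"], 16), int(reg["hi"], 16)
    rsize, dist = int(reg["rsize"]), int(reg["dist"])
    # Distance to the nearest region edge, recomputed from the addresses.
    derived_dist = addr - hi if reg["side"] == "right" else lo - addr
    offset = addr - lo
    return Triage(
        kind=err["kind"], op=acc["op"], access_size=int(acc["size"]), addr=addr,
        region_lo=lo, region_hi=hi, region_size=rsize, offset=offset,
        element_index=offset // element_size,
        element_count=rsize // element_size,
        consistent=(hi - lo == rsize and derived_dist == dist),
    )


def classify(t: Triage) -> str:
    """Coarse verdict on how far outside the allocation the access reached."""
    if t.offset < 0:
        return f"underflow: {-t.offset} bytes before the region"
    past_end = t.offset - t.region_size
    if past_end < 0:
        return "inside region by address; overflow must span the end"
    if past_end < t.access_size:
        # The access begins at (or within one access width of) the end:
        # the classic "index == length" off-by-one.
        return "off-by-one past end"
    return f"overrun: {past_end} bytes past the end"


if __name__ == "__main__":
    t = parse_asan(ASAN_EXCERPT, element_size=2)
    print(f"{t.op} of {t.access_size} bytes, {classify(t)}")
    print(f"element {t.element_index} of {t.element_count}; "
          f"allocation {t.region_size / 2**30:.2f} GiB; arithmetic consistent: {t.consistent}")
```

The "off-by-one past end" verdict is what separates a bounds check that is off by one from a wild write, and the consistency flag catches reports that were edited or truncated before being pasted into a bug.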
Group: firefox-core-security → layout-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Component: Untriaged → Layout
Product: Firefox → Core
Resolution: --- → DUPLICATE
Group: layout-core-security