Open Bug 1471312 Opened 6 years ago Updated 2 years ago

ExternalHelperAppParent::RecvOnDataAvailable and ExternalHelperAppParent::RecvOnStopRequest do not handle mListener not being set

Categories: Core :: Networking: HTTP, defect, P5

Tracking Status: firefox63 --- affected

People: Reporter: Alex_Gaynor, Unassigned

References: Blocks 1 open bug

Details: Whiteboard: [necko-triaged]

https://searchfox.org/mozilla-central/source/uriloader/exthandler/ExternalHelperAppParent.cpp#155-184

These two functions will die on a null-ptr-deref if |mListener| hasn't been set. The IPC fuzzer has discovered this :-)

Oops, forgot to include the stack:

==17436==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f460c38f212 bp 0x7ffce4b40c70 sp 0x7ffce4b40c40 T0)
==17436==The signal is caused by a READ memory access.
==17436==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f460c38f211 in mozilla::dom::ExternalHelperAppParent::RecvOnStopRequest(nsresult const&) uriloader/exthandler/ExternalHelperAppParent.cpp:180:14
    #1 0x7f460b2f266f in mozilla::dom::PExternalHelperAppParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PExternalHelperAppParent.cpp:229:20
    #2 0x7f460b1a6cb6 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PContentParent.cpp:3524:28
    #3 0x7f4619c911f8 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) obj-firefox/dist/include/ProtocolFuzzer.h:49:18
    #4 0x7f4619c90d1a in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:33:3
    #5 0x5925dd in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #6 0x591e5b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:442:3
    #7 0x59334d in fuzzer::Fuzzer::MutateAndTestOne() tools/fuzzing/libfuzzer/FuzzerLoop.cpp:650:19
    #8 0x593d05 in fuzzer::Fuzzer::Loop(std::vector<std::string, fuzzer::fuzzer_allocator<std::string> > const&) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:773:5
    #9 0x58b3a5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:754:6
    #10 0x7f4617f39896 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #11 0x7f4617e56a4a in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3932:35
    #12 0x7f4617e6b613 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4876:12
    #13 0x7f4617e6d18e in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4983:21
    #14 0x4f52dc in do_main browser/app/nsBrowserApp.cpp:233:22
    #15 0x4f52dc in main browser/app/nsBrowserApp.cpp:311
    #16 0x7f46318951c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #17 0x4248bc in _start (/home/worker/firefox/firefox+0x4248bc)
DEDUP_TOKEN: mozilla::dom::ExternalHelperAppParent::RecvOnStopRequest(nsresult const&)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV uriloader/exthandler/ExternalHelperAppParent.cpp:180:14 in mozilla::dom::ExternalHelperAppParent::RecvOnStopRequest(nsresult const&)
Command: ./firefox/firefox -print_pcs=1 -handle_segv=0 -handle_bus=0 -handle_abrt=0 ./corpora/ -handle_ill=0 -handle_fpe=0
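The defensive shape the report points at, as an added illustration that is not Mozilla's code and not the fix for this bug: a parent-side handler whose listener is created by a separate, earlier message must treat "data/stop arrived but the listener was never set" as a protocol violation rather than dereference the null pointer. The names below (HelperAppParent, Listener, IpcResult, Msg, ReplayMessages) are hypothetical stand-ins; the message sequence replayed in main() is constructed to mimic a child that skips the setup step, which is what a fuzzed or compromised content process can do.

```cpp
// Added example (hypothetical names, not Mozilla's code): parent-side IPC
// handlers that validate their own state before trusting a child's message
// ordering.
#include <cstdint>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the stream listener the real parent hands data to.
struct Listener {
  std::vector<std::string> chunks;
  int32_t stopStatus = 0;
  bool stopped = false;
  void OnDataAvailable(const std::string& data) { chunks.push_back(data); }
  void OnStopRequest(int32_t status) { stopped = true; stopStatus = status; }
};

// Hypothetical handler result: Ok accepts the message, Fail marks it as a
// protocol error (in a real IPC layer that is where the child gets killed).
enum class IpcResult { Ok, Fail };

class HelperAppParent {
 public:
  // Normally established by an earlier message; a misbehaving child may
  // never send it, so every later handler must not assume it exists.
  void SetListener(std::unique_ptr<Listener> l) { mListener = std::move(l); }

  IpcResult RecvOnDataAvailable(const std::string& data) {
    if (!mListener) {            // state never established: reject, don't deref
      ++mViolations;
      return IpcResult::Fail;
    }
    mListener->OnDataAvailable(data);
    return IpcResult::Ok;
  }

  IpcResult RecvOnStopRequest(int32_t status) {
    if (!mListener) {
      ++mViolations;
      return IpcResult::Fail;
    }
    mListener->OnStopRequest(status);
    return IpcResult::Ok;
  }

  const Listener* GetListener() const { return mListener.get(); }
  unsigned Violations() const { return mViolations; }  // worth logging as a signal

 private:
  std::unique_ptr<Listener> mListener;
  unsigned mViolations = 0;
};

// A constructed child message, replayed in order against the parent.
struct Msg {
  enum Kind { Data, Stop } kind;
  std::string data;
  int32_t status;
};

// Dispatches each message to its handler; returns how many were rejected.
unsigned ReplayMessages(HelperAppParent& parent, const std::vector<Msg>& msgs) {
  unsigned rejected = 0;
  for (const Msg& m : msgs) {
    IpcResult r = (m.kind == Msg::Data) ? parent.RecvOnDataAvailable(m.data)
                                        : parent.RecvOnStopRequest(m.status);
    if (r == IpcResult::Fail) ++rejected;
  }
  return rejected;
}

int main() {
  // Constructed sequence with the setup step skipped: both messages are
  // rejected instead of crashing the parent.
  HelperAppParent noSetup;
  ReplayMessages(noSetup, {{Msg::Data, "abc", 0}, {Msg::Stop, "", 0}});

  // Well-behaved sequence: listener set first, then data and stop.
  HelperAppParent ok;
  ok.SetListener(std::make_unique<Listener>());
  ReplayMessages(ok, {{Msg::Data, "abc", 0}, {Msg::Stop, "", 0}});
  return 0;
}
```

The check belongs in each handler that touches mListener, not only in the first one: a child controls the order and count of the messages it sends, so every Recv* method is an independent entry point. Counting the rejections also gives a cheap telemetry hook for spotting a content process that is sending out-of-order messages.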
Severity: normal → S3