Crash in encoding_rs::utf_8::Utf8Decoder::decode_to_utf16_raw

RESOLVED FIXED in Firefox 65

Status

defect
--
critical
RESOLVED FIXED
8 months ago
8 months ago

People

(Reporter: calixte, Assigned: hsivonen)

Tracking

(Blocks 1 bug, {crash, regression})

Trunk
mozilla65
Unspecified
Windows 10

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox63 unaffected, firefox64 unaffected, firefox65+ fixed)

Details

(crash signature)

Attachments

(1 attachment)

This bug was filed from the Socorro interface and is report bp-3ddf8112-4b1a-4225-92eb-4c4690181123.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll ?MOZ_CrashOOL@@YAXPEBDH0@Z.llvm.17252753682276159622 mfbt/Assertions.h:311
1 xul.dll GeckoCrashOOL toolkit/xre/nsAppRunner.cpp:5350
2 xul.dll static void gkrust_shared::panic_hook toolkit/library/rust/shared/lib.rs:234
3 xul.dll static void core::ops::function::Fn::call<fn /libcore/ops/function.rs:78
4 xul.dll static void std::panicking::rust_panic_with_hook /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:481
5 xul.dll static void std::panicking::continue_panic_fmt /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:391
6 xul.dll static void std::panicking::rust_begin_panic /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:326
7 xul.dll static void core::panicking::panic_fmt /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:77
8 xul.dll static void core::panicking::panic_bounds_check /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:59
9 xul.dll static struct  third_party/rust/encoding_rs/src/macros.rs:70

=============================================================

There are 22 crashes (from 21 installations) in nightly 65 starting with buildid 20181122220059. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1507726.

[1] https://hg.mozilla.org/mozilla-central/rev?node=3691033d6e78
Flags: needinfo?(hsivonen)
This code withstood a few days of fuzzing before landing. This is a panic, so safe code is in an unexpected state.

I don't have access to crash report URLs. Steps to reproduce would be really helpful. Meanwhile, I'll run the fuzzer some more.
(In reply to Henri Sivonen (:hsivonen) from comment #1)
> This is a panic,
> so safe code is in an unexpected state.

Specifically: index out of bounds: the len is 1024 but the index is 1024
1024 is the size of the output buffer, in UTF-16 code units, in the HTML parser, so chances are this is a write to the output slice.
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Flags: needinfo?(hsivonen)
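The comment above pins the panic on a write to a fixed 1024-unit UTF-16 output slice at index == len. The following is an added illustration, not encoding_rs's code, and it makes no claim about which input triggered this bug: a bounds-checked UTF-8 to UTF-16 decode loop into such a slice that reports how much of each side it consumed and stops before writing when the next scalar does not fit (function names are my own).

```rust
// Added illustration (not encoding_rs's code): decode UTF-8 into a fixed-size
// UTF-16 slice, like the 1024-unit HTML parser buffer named in the comment,
// without ever indexing past `dst.len()`.

/// Decodes as much of `src` (valid or truncated UTF-8) as fits into `dst`.
/// Returns (bytes_read, units_written). Stops, without writing, when the next
/// scalar needs more units than remain (an astral scalar needs 2 units).
/// Malformed bytes are not replaced with U+FFFD here; decoding just stops.
pub fn decode_to_utf16_bounded(src: &[u8], dst: &mut [u16]) -> (usize, usize) {
    // Only the longest valid prefix is decoded; the trailing bytes of a
    // sequence split across calls are left for the next call.
    let valid = match std::str::from_utf8(src) {
        Ok(s) => s,
        Err(e) => std::str::from_utf8(&src[..e.valid_up_to()]).unwrap(),
    };
    let mut read = 0;
    let mut written = 0;
    for c in valid.chars() {
        let needed = c.len_utf16();
        if written + needed > dst.len() {
            break; // no room: stop instead of writing at dst[dst.len()]
        }
        // The check above guarantees this sub-slice is in bounds.
        c.encode_utf16(&mut dst[written..written + needed]);
        written += needed;
        read += c.len_utf8();
    }
    (read, written)
}

/// Drives the bounded decoder over a whole input with a small reusable
/// buffer, the way a parser calls a streaming decoder repeatedly.
pub fn decode_all(src: &[u8], buf_units: usize) -> Vec<u16> {
    let mut buf = vec![0u16; buf_units];
    let mut out = Vec::new();
    let mut pos = 0;
    while pos < src.len() {
        let (r, w) = decode_to_utf16_bounded(&src[pos..], &mut buf);
        if r == 0 {
            break; // truncated or malformed tail, or a buffer too small for one scalar
        }
        out.extend_from_slice(&buf[..w]);
        pos += r;
    }
    out
}
```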
Pushed by hsivonen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e9eedbf1bd4b
Update to encoding_rs 0.8.13 to fix a panic in UTF-8 to UTF-16 decode. r=m_kato
https://hg.mozilla.org/mozilla-central/rev/e9eedbf1bd4b
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65