Closed Bug 1510022 Opened Last year Closed Last year

Hit MOZ_CRASH(index out of bounds: the len is 1024 but the index is 1024) at third_party/rust/encoding_rs/src/utf_8.rs:408

Categories

(Core :: Internationalization, defect)

RESOLVED DUPLICATE of bug 1509507

People

(Reporter: bc, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, reproducible)

1. https://net.jogtar.hu/jogszabaly?docid=A1200020.EMM

May need to reload, maybe not. ymmv. Linux/Windows Nightly 65 but not Beta 64.

Hit MOZ_CRASH(index out of bounds: the len is 1024 but the index is 1024) at third_party/rust/encoding_rs/src/utf_8.rs:408

#01: MOZ_CrashOOL(char const*, int, char const*) (firefox-debug/dist/include/mozilla/Assertions.h:306)
#02: gkrust_shared::panic_hook (toolkit/library/rust/shared/lib.rs:234)
#03: core::ops::function::Fn::call (4ngih35gr3b6n1xc:?)
#04: core::sync::atomic::atomic_sub (/rustc/1433507eba7d1a114e4c6f27ae0e1a74f60f20de/src/libcore/sync/atomic.rs:2007)
#05: std::panicking::continue_panic_fmt (std.89gdwp76-cgu.11:?)
#06: rust_begin_unwind (/rustc/1433507eba7d1a114e4c6f27ae0e1a74f60f20de/src/libstd/panicking.rs:326)
#07: core::panicking::panic_fmt (/rustc/1433507eba7d1a114e4c6f27ae0e1a74f60f20de/src/libcore/panicking.rs:77)
#08: core::panicking::panic_bounds_check (/rustc/1433507eba7d1a114e4c6f27ae0e1a74f60f20de/src/libcore/panicking.rs:59)
#09: encoding_rs::utf_8::Utf8Decoder::decode_to_utf16_raw (firefox-debug/dist/bin/libxul.so)
#10: encoding_rs::variant::VariantDecoder::decode_to_utf16_raw (:?)
#11: encoding_rs::Decoder::decode_to_utf16_checking_end (third_party/rust/encoding_rs/src/macros.rs:1613)
#12: encoding_rs::Decoder::decode_to_utf16 (third_party/rust/encoding_rs/src/lib.rs:4154)
#13: decoder_decode_to_utf16 (third_party/rust/encoding_c/src/lib.rs:830)
#14: nsHtml5StreamParser::WriteStreamBytes(unsigned char const*, unsigned int, unsigned int*) (:?)
#15: nsHtml5StreamParser::DoDataAvailable(unsigned char const*, unsigned int) (:?)
#16: nsHtml5StreamParser::CopySegmentsToParser(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) (parser/html/nsHtml5StreamParser.cpp:1320)
#17: nsStringInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) (xpcom/io/nsStringStream.cpp:275)
#18: nsHtml5StreamParser::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) (parser/html/nsHtml5StreamParser.cpp:1299)
#19: mozilla::net::nsHTTPCompressConv::do_OnDataAvailable(nsIRequest*, nsISupports*, unsigned long, char const*, unsigned int) (netwerk/streamconv/converters/nsHTTPCompressConv.cpp:528)
#20: mozilla::net::nsHTTPCompressConv::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) (netwerk/streamconv/converters/nsHTTPCompressConv.cpp:443)
#21: mozilla::net::HttpChannelChild::DoOnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) (netwerk/protocol/http/HttpChannelChild.cpp:1103)
#22: mozilla::net::HttpChannelChild::OnTransportAndData(nsresult const&, nsresult const&, unsigned long const&, unsigned int const&, nsTString<char> const&) (netwerk/protocol/http/HttpChannelChild.cpp:984)
#23: mozilla::net::ChannelEventQueue::FlushQueue() (netwerk/ipc/ChannelEventQueue.cpp:93)
#24: mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() (firefox-debug/dist/include/mozilla/net/ChannelEventQueue.h:329)
#25: nsThread::ProcessNextEvent(bool, bool*) (xpcom/threads/nsThread.cpp:1231)
#26: NS_ProcessNextEvent(nsIThread*, bool) (xpcom/threads/nsThreadUtils.cpp:530)
#27: mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) (ipc/glue/MessagePump.cpp:334)
#28: MessageLoop::AutoRunState::~AutoRunState() (ipc/chromium/src/base/message_loop.cc:598)
#29: nsThread::ThreadFunc(void*) (xpcom/threads/nsThread.cpp:505)
#30: _pt_root (nsprpub/pr/src/pthreads/ptthread.c:204)
#31: start_thread (pthread_create.c:?)
#32: __GI___clone (:?)

I see a bunch of crashes in crash stats today with the crash reason in this bug: https://bit.ly/2SexcTP (all but one has that Moz Crash reason).

Henri: this looks to be an issue in encoding_rs, can you take a look?
Flags: needinfo?(hsivonen)
Group: core-security → dom-core-security
Keywords: regression

Not a security bug, since this is a Rust panic. (And, yes, I'll take a look.) Thanks for the repro URL!
Status: NEW → RESOLVED
Closed: Last year
Flags: needinfo?(hsivonen)
Resolution: --- → DUPLICATE
Duplicate of bug: 1509507
Group: dom-core-security