Open Bug 1517945 Opened 5 years ago Updated 2 years ago

Firefox Desktop - SVG Image,<marquee> and setAttributeNS Crash (with infinite recursion in ProcessReflowCommands)

Categories: Core :: Layout, defect, P2

People: Reporter: lukas, Unassigned

Details: Keywords: crash, testcase; Whiteboard: [reporter-external] [client-bounty-form] [verif?][sg:dos]

Attachments: 1 file

Attached file Crash.html
Hello

While fuzzing Firefox Desktop, I found a bug which leads to a crash of the current tab.

I've tested this bug on Linux and Windows, and on both platforms Firefox is crashing.
The first affected version seems to be 43 - up to the current nightly.
32 and 64 bit builds are affected.

In the current nightly on Linux, I've used debug symbols in order to find the origin of the bug.
It might be an IPC/threading related bug. Before the crash I got warnings like:

...
cell content 0x7f348904e380 has large inline size 35168229 
cell content 0x7f348904e380 has large inline size 35168220 
...

This might be an overflow, so this bug could become a security problem!

I've created and attached a Crash.html file in order to demonstrate the bug.

Basically there is a <marquee> element with an SVG image and a path element.
Then JavaScript is used to call setAttributeNS with xlink:href on this element; this leads to the crash.


I hope this report is helpful and if you have further questions, just ask.

Greetings 

Lukas
Flags: sec-bounty?
Not really sure what's going on here, but this seems like some kind of layout recursion. Hopefully :jwatt or :dholbert can triage this further.

Crash stack from xcode:

#0	0x000000010e52073e in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::ExtendCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long, unsigned long) [inlined] at mozilla-unified/xpcom/ds/nsTArray-inl.h:117
#1	0x000000010e520739 in unsigned char* nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator>::AppendElements<nsTArrayInfallibleAllocator>(unsigned long) [inlined] at builds/opt/dist/include/nsTArray.h:1645
#2	0x000000010e520739 in nsLineBreaker::AppendText(nsAtom*, unsigned char const*, unsigned int, unsigned int, nsILineBreakSink*) at mozilla-unified/dom/base/nsLineBreaker.cpp:355
#3	0x000000010fd7c543 in BuildTextRunsScanner::SetupBreakSinksForTextRun(gfxTextRun*, void const*) at mozilla-unified/layout/generic/nsTextFrame.cpp:2675
#4	0x000000010fd7a01b in BuildTextRunsScanner::BuildTextRunForFrames(void*) at mozilla-unified/layout/generic/nsTextFrame.cpp:2480
#5	0x000000010fd77f5d in BuildTextRunsScanner::FlushFrames(bool, bool) at mozilla-unified/layout/generic/nsTextFrame.cpp:1658
#6	0x000000010fd7d90e in BuildTextRuns(mozilla::gfx::DrawTarget*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) [inlined] at mozilla-unified/layout/generic/nsTextFrame.cpp:1581
#7	0x000000010fd7d81b in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) at mozilla-unified/layout/generic/nsTextFrame.cpp:2884
#8	0x000000010fd91b2e in nsTextFrame::AddInlinePrefISizeForFlow(gfxContext*, nsIFrame::InlinePrefISizeData*, nsTextFrame::TextRunType) at mozilla-unified/layout/generic/nsTextFrame.cpp:8481
#9	0x000000010fd925e1 in nsTextFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) at mozilla-unified/layout/generic/nsTextFrame.cpp:8618
#10	0x000000010fcb9402 in nsBlockFrame::GetPrefISize(gfxContext*) at mozilla-unified/layout/generic/nsBlockFrame.cpp:870
#11	0x000000010fe0b1f9 in SVGTextFrame::DoReflow() at mozilla-unified/layout/svg/SVGTextFrame.cpp:5125
#12	0x000000010fe02f35 in SVGTextFrame::MaybeReflowAnonymousBlockChild() [inlined] at mozilla-unified/layout/svg/SVGTextFrame.cpp:5081
#13	0x000000010fe02ee1 in SVGTextFrame::ReflowSVGNonDisplayText() at mozilla-unified/layout/svg/SVGTextFrame.cpp:3025
#14	0x000000010fe15b27 in nsSVGContainerFrame::ReflowSVGNonDisplayText(nsIFrame*) at mozilla-unified/layout/svg/nsSVGContainerFrame.cpp:112
#15	0x000000010fe042a7 in nsSVGDisplayContainerFrame::ReflowSVG() at mozilla-unified/layout/svg/nsSVGContainerFrame.cpp:331
#16	0x000000010fe25ec7 in nsSVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/svg/nsSVGOuterSVGFrame.cpp:444
#17	0x000000010fd4e3c0 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) at mozilla-unified/layout/generic/nsLineLayout.cpp:883
#18	0x000000010fcc5642 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) at mozilla-unified/layout/generic/nsBlockFrame.cpp:4084
#19	0x000000010fcc5018 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) at mozilla-unified/layout/generic/nsBlockFrame.cpp:3887
#20	0x000000010fcc2858 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) at mozilla-unified/layout/generic/nsBlockFrame.cpp:3772
#21	0x000000010fcc06c1 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) at mozilla-unified/layout/generic/nsBlockFrame.cpp:2791
#22	0x000000010fcbd97a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) at mozilla-unified/layout/generic/nsBlockFrame.cpp:2334
#23	0x000000010fcbacd8 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/generic/nsBlockFrame.cpp:1207
#24	0x000000010fcc489e in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) at mozilla-unified/layout/generic/nsBlockReflowContext.cpp:297
#25	0x000000010fcc15d1 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) at mozilla-unified/layout/generic/nsBlockFrame.cpp:3408
#26	0x000000010fcbd97a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) at mozilla-unified/layout/generic/nsBlockFrame.cpp:2334
#27	0x000000010fcbacd8 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/generic/nsBlockFrame.cpp:1207
#28	0x000000010fcd72e5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) at mozilla-unified/layout/generic/nsContainerFrame.cpp:883
#29	0x000000010fdcd49b in nsTableCellFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/tables/nsTableCellFrame.cpp:859
#30	0x000000010fcd72e5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) at mozilla-unified/layout/generic/nsContainerFrame.cpp:883
#31	0x000000010fde6e1a in nsTableRowFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsTableFrame&, nsReflowStatus&) at mozilla-unified/layout/tables/nsTableRowFrame.cpp:821
#32	0x000000010fde7f33 in nsTableRowFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/tables/nsTableRowFrame.cpp:1019
#33	0x000000010fcd72e5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) at mozilla-unified/layout/generic/nsContainerFrame.cpp:883
#34	0x000000010fdea2fa in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::TableRowGroupReflowInput&, nsReflowStatus&, bool*) at mozilla-unified/layout/tables/nsTableRowGroupFrame.cpp:390
#35	0x000000010fdee20c in nsTableRowGroupFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/tables/nsTableRowGroupFrame.cpp:1377
#36	0x000000010fcd72e5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) at mozilla-unified/layout/generic/nsContainerFrame.cpp:883
#37	0x000000010fdda380 in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, nsOverflowAreas&) at mozilla-unified/layout/tables/nsTableFrame.cpp:3178
#38	0x000000010fdd8c16 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) at mozilla-unified/layout/tables/nsTableFrame.cpp:2203
#39	0x000000010fdd86d7 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/tables/nsTableFrame.cpp:1994
#40	0x000000010fcd72e5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) at mozilla-unified/layout/generic/nsContainerFrame.cpp:883
#41	0x000000010fdf21d9 in nsTableWrapperFrame::OuterDoReflowChild(nsPresContext*, nsIFrame*, mozilla::ReflowInput const&, mozilla::ReflowOutput&, nsReflowStatus&) [inlined] at mozilla-unified/layout/tables/nsTableWrapperFrame.cpp:769
#42	0x000000010fdf212d in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/tables/nsTableWrapperFrame.cpp:923
#43	0x000000010fd04e9a in nsFrame::BoxReflow(nsBoxLayoutState&, nsPresContext*, mozilla::ReflowOutput&, gfxContext*, int, int, int, int, bool) at mozilla-unified/layout/generic/nsFrame.cpp:10004
#44	0x000000010fd0466c in nsFrame::RefreshSizeCache(nsBoxLayoutState&) at mozilla-unified/layout/generic/nsFrame.cpp:9576
#45	0x000000010fd0509c in nsFrame::GetXULPrefSize(nsBoxLayoutState&) at mozilla-unified/layout/generic/nsFrame.cpp:9645
#46	0x000000010fe5df73 in nsSprocketLayout::GetXULPrefSize(nsIFrame*, nsBoxLayoutState&) at mozilla-unified/layout/xul/nsSprocketLayout.cpp:1248
#47	0x000000010fe38a82 in nsBoxFrame::GetXULPrefSize(nsBoxLayoutState&) at mozilla-unified/layout/xul/nsBoxFrame.cpp:683
#48	0x000000010fe5df73 in nsSprocketLayout::GetXULPrefSize(nsIFrame*, nsBoxLayoutState&) at mozilla-unified/layout/xul/nsSprocketLayout.cpp:1248
#49	0x000000010fe38a82 in nsBoxFrame::GetXULPrefSize(nsBoxLayoutState&) at mozilla-unified/layout/xul/nsBoxFrame.cpp:683
#50	0x000000010fd1f8b8 in nsXULScrollFrame::GetXULPrefSize(nsBoxLayoutState&) at mozilla-unified/layout/generic/nsGfxScrollFrame.cpp:1511
#51	0x000000010fe38713 in nsBoxFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/xul/nsBoxFrame.cpp:598
#52	0x000000010fd4e3c0 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) at mozilla-unified/layout/generic/nsLineLayout.cpp:883
#53	0x000000010fcc5642 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) at mozilla-unified/layout/generic/nsBlockFrame.cpp:4084
#54	0x000000010fcc5018 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) at mozilla-unified/layout/generic/nsBlockFrame.cpp:3887
#55	0x000000010fcc2858 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) at mozilla-unified/layout/generic/nsBlockFrame.cpp:3772
#56	0x000000010fcc06c1 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) at mozilla-unified/layout/generic/nsBlockFrame.cpp:2791
#57	0x000000010fcbd97a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) at mozilla-unified/layout/generic/nsBlockFrame.cpp:2334
#58	0x000000010fcbacd8 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/generic/nsBlockFrame.cpp:1207
#59	0x000000010fd4e3c0 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) at mozilla-unified/layout/generic/nsLineLayout.cpp:883
#60	0x000000010fcc5642 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) at mozilla-unified/layout/generic/nsBlockFrame.cpp:4084
#61	0x000000010fcc5018 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) at mozilla-unified/layout/generic/nsBlockFrame.cpp:3887
#62	0x000000010fcc2858 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) at mozilla-unified/layout/generic/nsBlockFrame.cpp:3772
#63	0x000000010fcc06c1 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) at mozilla-unified/layout/generic/nsBlockFrame.cpp:2791
#64	0x000000010fcbd97a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) at mozilla-unified/layout/generic/nsBlockFrame.cpp:2334
#65	0x000000010fcbacd8 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/generic/nsBlockFrame.cpp:1207
#66	0x000000010fcc489e in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) at mozilla-unified/layout/generic/nsBlockReflowContext.cpp:297
#67	0x000000010fcc15d1 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) at mozilla-unified/layout/generic/nsBlockFrame.cpp:3408
#68	0x000000010fcbd97a in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) at mozilla-unified/layout/generic/nsBlockFrame.cpp:2334
#69	0x000000010fcbacd8 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/generic/nsBlockFrame.cpp:1207
#70	0x000000010fcd72e5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) at mozilla-unified/layout/generic/nsContainerFrame.cpp:883
#71	0x000000010fcd6d95 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/generic/nsCanvasFrame.cpp:731
#72	0x000000010fcd72e5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) at mozilla-unified/layout/generic/nsContainerFrame.cpp:883
#73	0x000000010fd1b582 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) at mozilla-unified/layout/generic/nsGfxScrollFrame.cpp:571
#74	0x000000010fd1b8a5 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) at mozilla-unified/layout/generic/nsGfxScrollFrame.cpp:684
#75	0x000000010fd1cb52 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/generic/nsGfxScrollFrame.cpp:1050
#76	0x000000010fcb26f5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) at mozilla-unified/layout/generic/nsContainerFrame.cpp:922
#77	0x000000010fcb21a6 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) at mozilla-unified/layout/generic/ViewportFrame.cpp:314
#78	0x000000010fc0a1fc in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) at mozilla-unified/layout/base/PresShell.cpp:8548
#79	0x000000010fc117f6 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8714
#80	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#81	0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#82	0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728
#83	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#84	0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#85	0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728
#86	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#87	0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#88	0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728
#89	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#90	0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#91	0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728
#92	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#93	0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#94	0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728
#95	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#96	0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#97	0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728
#98	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#99	0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#100	0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728
#101	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#102	0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#103	0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728
#104	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#105	0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#106	0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728
#107	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#108	0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#109	0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728
#110	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149

etc. etc. to:

#74484	0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#74485	0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728
#74486	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#74487	0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#74488	0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728
#74489	0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#74490	0x000000010fbeeaf5 in nsIPresShell::FlushPendingNotifications(mozilla::ChangesToFlush) [inlined] at mozilla-unified/layout/base/nsIPresShell.h:575
#74491	0x000000010fbeead9 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) at mozilla-unified/layout/base/nsRefreshDriver.cpp:1840
#74492	0x000000010fbf3257 in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [inlined] at mozilla-unified/layout/base/nsRefreshDriver.cpp:327
#74493	0x000000010fbf324b in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) at mozilla-unified/layout/base/nsRefreshDriver.cpp:304
#74494	0x000000010fbf306f in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) at mozilla-unified/layout/base/nsRefreshDriver.cpp:321
#74495	0x000000010fbf3e57 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [inlined] at mozilla-unified/layout/base/nsRefreshDriver.cpp:726
#74496	0x000000010fbf3e49 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) at mozilla-unified/layout/base/nsRefreshDriver.cpp:646
#74497	0x000000010fbf3cd4 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) at mozilla-unified/layout/base/nsRefreshDriver.cpp:546
#74498	0x000000010fe90f52 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) at mozilla-unified/layout/ipc/VsyncChild.cpp:65
#74499	0x000000010db93dde in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) at builds/opt/ipc/ipdl/PVsyncChild.cpp:167
#74500	0x000000010d965ae2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) at mozilla-unified/ipc/glue/MessageChannel.cpp:2159
#74501	0x000000010d964bc7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) at mozilla-unified/ipc/glue/MessageChannel.cpp:2086
#74502	0x000000010d96553e in mozilla::ipc::MessageChannel::MessageTask::Run() at mozilla-unified/ipc/glue/MessageChannel.cpp:1966
#74503	0x000000010d450099 in nsThread::ProcessNextEvent(bool, bool*) at mozilla-unified/xpcom/threads/nsThread.cpp:1157
#74504	0x000000010d452ba9 in NS_ProcessNextEvent(nsIThread*, bool) at mozilla-unified/xpcom/threads/nsThreadUtils.cpp:468
#74505	0x000000010d967eb6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) at mozilla-unified/ipc/glue/MessagePump.cpp:110
#74506	0x000000010d92cd09 in MessageLoop::RunInternal() [inlined] at mozilla-unified/ipc/chromium/src/base/message_loop.cc:314
#74507	0x000000010d92ccfa in MessageLoop::RunHandler() [inlined] at mozilla-unified/ipc/chromium/src/base/message_loop.cc:307
#74508	0x000000010d92ccfa in MessageLoop::Run() at mozilla-unified/ipc/chromium/src/base/message_loop.cc:289
#74509	0x000000010fa0fc29 in nsBaseAppShell::Run() at mozilla-unified/widget/nsBaseAppShell.cpp:137
#74510	0x000000010fa78c5f in nsAppShell::Run() at mozilla-unified/widget/cocoa/nsAppShell.mm:745
#74511	0x0000000110fe8c98 in XRE_RunAppShell() at mozilla-unified/toolkit/xre/nsEmbedFunctions.cpp:915
#74512	0x000000010d92cd09 in MessageLoop::RunInternal() [inlined] at mozilla-unified/ipc/chromium/src/base/message_loop.cc:314
#74513	0x000000010d92ccfa in MessageLoop::RunHandler() [inlined] at mozilla-unified/ipc/chromium/src/base/message_loop.cc:307
#74514	0x000000010d92ccfa in MessageLoop::Run() at mozilla-unified/ipc/chromium/src/base/message_loop.cc:289
#74515	0x0000000110fe8a14 in XRE_InitChildProcess(int, char**, XREChildData const*) at mozilla-unified/toolkit/xre/nsEmbedFunctions.cpp:753
#74516	0x000000010be79f07 in content_process_main(mozilla::Bootstrap*, int, char**) [inlined] at mozilla-unified/ipc/app/../contentproc/plugin-container.cpp:49
#74517	0x000000010be79edb in main at mozilla-unified/ipc/app/MozillaRuntimeMain.cpp:23
#74518	0x00007fff668f5015 in start ()
#74519	0x00007fff668f5015 in start ()
Group: firefox-core-security → layout-core-security
Component: Security → Layout
Flags: needinfo?(jwatt)
Flags: needinfo?(dholbert)
Product: Firefox → Core
Keywords: crash
Priority: -- → P2

Thanks for the bug report! I can reproduce.

This isn't security sensitive -- it's just a way of triggering us to do infinite recursion until we run out of stack space. (And that's bad, but I don't think it's exploitable.) It's the same issue described in bug 1420029, basically (though with a different testcase.)

Notice the nested triplets of...
#98 0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149
#99 0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366
#100 0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728

(there are zillions of them, per :Gijs' "etc. etc." in comment 1. That's the infinite recursion, and the stack levels inside of that are just arbitrary and are "the straw that breaks the camel's back" inside the innermost recursion level that we made it to.)

Group: layout-core-security
Status: UNCONFIRMED → NEW
Depends on: 1420029
Ever confirmed: true
Flags: needinfo?(dholbert)
Keywords: testcase
Summary: Firefox Desktop - SVG Image,<marquee> and setAttributeNS Crash! → Firefox Desktop - SVG Image,<marquee> and setAttributeNS Crash (with infinite recursion in ProcessReflowCommands)
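The triage step described above (spotting the repeating PresShell triplet and treating the frames beneath it as arbitrary "straw" frames) can be automated. The following is an added example, not code from this bug or from Mozilla: it parses a stack in the xcode format shown in comment 1 and reports the shortest frame cycle that repeats back-to-back. The frame names are taken from the stack above, but the sample stack itself is constructed, and the helper names (parse_frames, find_recursion, describe) are assumptions.

```python
"""Triage helper: find the repeating frame cycle in a deep crash stack.
Assumed input format is the xcode/gdb style from the bug
("#N<tab>0xADDR in FUNC at FILE:LINE"); the sample below is constructed."""
import re
from typing import Dict, List, Optional

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*)$")


def parse_frames(text: str) -> List[str]:
    """Return frames innermost-first as 'FUNC @ FILE:LINE'; the address is
    dropped so identical call sites compare equal across recursion levels."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        body = m.group(2).replace(" [inlined]", "")
        func, sep, loc = body.rpartition(" at ")
        frames.append(f"{func} @ {loc}" if sep else body)
    return frames


def find_recursion(frames: List[str], max_period: int = 12,
                   min_cycles: int = 3) -> Optional[Dict]:
    """Find the period p and window [start, end) maximising the number of
    back-to-back repeats of a p-frame cycle. Returns None when no cycle
    repeats at least min_cycles times (an ordinary deep-but-finite stack)."""
    n, best = len(frames), None
    for p in range(1, max_period + 1):
        start = None
        # i == n - p acts as a sentinel that closes a run touching the end.
        for i in range(n - p + 1):
            if i < n - p and frames[i] == frames[i + p]:
                if start is None:
                    start = i
                continue
            if start is not None:
                end = i + p                  # frames[start:end] is p-periodic
                cycles = (end - start) // p
                if cycles >= min_cycles and (best is None or cycles > best["cycles"]):
                    best = {"period": p, "cycles": cycles, "start": start,
                            "end": end, "cycle": frames[start:start + p]}
                start = None
    return best


def describe(frames: List[str], hit: Dict) -> str:
    """Summarise like a triager would: the cycle in call order, how many
    times it repeats, and which innermost frames sit below the recursion."""
    call_order = " -> ".join(f.split(" @ ")[0].split("(")[0]
                             for f in reversed(hit["cycle"]))
    straw = [f.split(" @ ")[0].split("(")[0] for f in frames[:hit["start"]]]
    return (f"cycle of {hit['period']} frames repeated {hit['cycles']}x: "
            f"{call_order}; innermost frames below the recursion: {straw}")


# Constructed sample modelled on the report's stack: three innermost frames,
# the PresShell triplet repeated six times, then the refresh-driver entry.
_INNER = [
    "0x000000010e520739 in nsLineBreaker::AppendText(nsAtom*, unsigned char const*, unsigned int, unsigned int, nsILineBreakSink*) at mozilla-unified/dom/base/nsLineBreaker.cpp:355",
    "0x000000010fe0b1f9 in SVGTextFrame::DoReflow() at mozilla-unified/layout/svg/SVGTextFrame.cpp:5125",
    "0x000000010fc0a1fc in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) at mozilla-unified/layout/base/PresShell.cpp:8548",
]
_TRIPLET = [
    "0x000000010fc113da in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) at mozilla-unified/layout/base/PresShell.cpp:4149",
    "0x000000010fc0aaa5 in mozilla::PresShell::DidDoReflow(bool) at mozilla-unified/layout/base/PresShell.cpp:8366",
    "0x000000010fc11965 in mozilla::PresShell::ProcessReflowCommands(bool) at mozilla-unified/layout/base/PresShell.cpp:8728",
]
_OUTER = [
    "0x000000010fbeead9 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) at mozilla-unified/layout/base/nsRefreshDriver.cpp:1840",
    "0x000000010be79edb in main at mozilla-unified/ipc/app/MozillaRuntimeMain.cpp:23",
    "0x00007fff668f5015 in start ()",
]
SAMPLE_STACK = "\n".join(f"#{i}\t{frame}" for i, frame in
                         enumerate(_INNER + _TRIPLET * 6 + _OUTER))

if __name__ == "__main__":
    frames = parse_frames(SAMPLE_STACK)
    hit = find_recursion(frames)
    print(describe(frames, hit) if hit else "no repeating cycle found")
```

On a real capture, feed the whole stack text to parse_frames; the cycle count then tells you how deep the recursion went before the stack ran out, and the frames before hit["start"] are the ones to ignore when looking for the root cause.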

(Ah, looks like bug 1403656 is really the main place we're tracking this general issue.)

Depends on: 1403656
No longer depends on: 1420029

Also, just for good measure / due diligence before un-hiding this bug, I ran the testcase here in an ASAN build of Firefox, and I got this output:

==16340==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcda476a78

And that's consistent with bug 1403656 / bug 1420029 (so, ASAN's not reporting anything beyond the possibility of a stack-overflow that we're already aware of per bug 1403656).

Daniel seems to have nicely dug into this. :) Clearing NI.

Flags: needinfo?(jwatt)
Flags: sec-bounty? → sec-bounty-
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][sg:dos]
Severity: normal → S3