Bug 1562361 - global-buffer-overflow in [@ nsCSSFrameConstructor::GetAnonymousContent]
Status: RESOLVED FIXED; Target Milestone: mozilla69; opened 6 years ago, closed 6 years ago
Component: Core :: CSS Parsing and Computation (defect, P2)
Tracking: firefox-esr60 unaffected; firefox-esr68 unaffected; firefox68 unaffected; firefox69 fixed
Reporter: tsmith; Assignee: heycam
References: Blocks 1 open bug; Regression
Details: 4 keywords; Attachments: 3 files
Description (Reporter: tsmith):
Reduced with m-c:
BuildID=20190628231925
SourceStamp=900a0b1270437d60f87cd2832743439824ee9473
Test case may require a few refreshes to trigger the crash.
==110554==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fd590a1bc68 at pc 0x7fd583a112e0 bp 0x7ffed5f31200 sp 0x7ffed5f311f8
READ of size 8 at 0x7fd590a1bc68 thread T0 (file:// Content)
#0 0x7fd583a112df in RefPtr src/obj-firefox/dist/include/mozilla/RefPtr.h:89:27
#1 0x7fd583a112df in Construct<const RefPtr<mozilla::ComputedStyle> &> src/obj-firefox/dist/include/nsTArray.h:522
#2 0x7fd583a112df in implementation<RefPtr<mozilla::ComputedStyle>, RefPtr<mozilla::ComputedStyle>, unsigned long, unsigned long> src/obj-firefox/dist/include/nsTArray.h:544
#3 0x7fd583a112df in AssignRange<RefPtr<mozilla::ComputedStyle> > src/obj-firefox/dist/include/nsTArray.h:2193
#4 0x7fd583a112df in RefPtr<mozilla::ComputedStyle>* nsTArray_Impl<RefPtr<mozilla::ComputedStyle>, nsTArrayInfallibleAllocator>::AppendElements<RefPtr<mozilla::ComputedStyle>, nsTArrayInfallibleAllocator>(RefPtr<mozilla::ComputedStyle> const*, unsigned long) src/obj-firefox/dist/include/nsTArray.h:2360
#5 0x7fd5838c6e77 in GetCachedAnonymousContentStyles src/obj-firefox/dist/include/mozilla/ServoStyleSet.h:577:13
#6 0x7fd5838c6e77 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) src/layout/base/nsCSSFrameConstructor.cpp:3932
#7 0x7fd5838c53f6 in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, mozilla::PseudoStyleType, bool, nsContainerFrame*&) src/layout/base/nsCSSFrameConstructor.cpp:4275:7
#8 0x7fd5838c21ff in nsCSSFrameConstructor::SetUpDocElementContainingBlock(nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:2663:9
#9 0x7fd5838be42c in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) src/layout/base/nsCSSFrameConstructor.cpp:2233:3
#10 0x7fd5838ec4b0 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:7060:9
#11 0x7fd5837e07b5 in mozilla::PresShell::Initialize() src/layout/base/PresShell.cpp:1755:26
#12 0x7fd58392dc66 in nsDocumentViewer::InitPresentationStuff(bool) src/layout/base/nsDocumentViewer.cpp:777:16
#13 0x7fd583942ca4 in nsDocumentViewer::Show() src/layout/base/nsDocumentViewer.cpp:2271:12
#14 0x7fd5867c96a2 in nsDocShell::SetVisibility(bool) src/docshell/base/nsDocShell.cpp
#15 0x7fd57cf69ae7 in nsFrameLoader::Show(int, int, int, int, nsSubDocumentFrame*) src/dom/base/nsFrameLoader.cpp:907:15
#16 0x7fd583e47218 in nsSubDocumentFrame::ShowViewer() src/layout/generic/nsSubDocumentFrame.cpp:207:40
#17 0x7fd583ef10e7 in AsyncFrameInit::Run() src/layout/generic/nsSubDocumentFrame.cpp:96:60
#18 0x7fd57c7e7ef7 in nsContentUtils::RemoveScriptBlocker() src/dom/base/nsContentUtils.cpp:5193:15
#19 0x7fd58380387e in ~nsAutoScriptBlocker src/obj-firefox/dist/include/nsContentUtils.h:3355:28
#20 0x7fd58380387e in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4185
#21 0x7fd58376a860 in FlushPendingNotifications src/obj-firefox/dist/include/mozilla/PresShell.h:1468:5
#22 0x7fd58376a860 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1959
#23 0x7fd58377f719 in TickDriver src/layout/base/nsRefreshDriver.cpp:350:13
#24 0x7fd58377f719 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:327
#25 0x7fd58377efb2 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:344:5
#26 0x7fd5837834ef in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:790:5
#27 0x7fd5837834ef in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:710
#28 0x7fd583782543 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:605:9
#29 0x7fd5842fd455 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
#30 0x7fd57a69e315 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
#31 0x7fd57a20d171 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:4717:32
#32 0x7fd579a898c6 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2158:25
#33 0x7fd579a847cb in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2082:9
#34 0x7fd579a86d87 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1939:3
#35 0x7fd579a87b17 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1970:13
#36 0x7fd57867f70c in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
#37 0x7fd578687594 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#38 0x7fd579a92c8f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#39 0x7fd579968dee in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#40 0x7fd579968dee in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#41 0x7fd579968dee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#42 0x7fd58307d5f3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#43 0x7fd5876d8c3e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#44 0x7fd579968dee in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#45 0x7fd579968dee in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#46 0x7fd579968dee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#47 0x7fd5876d7781 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:754:34
#48 0x558ee31edee3 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#49 0x558ee31edee3 in main src/browser/app/nsBrowserApp.cpp:267
Flags: in-testsuite?
Comment 1 (Assignee, 6 years ago):
Thanks Tyson. I've turned the pref off for this feature just now in bug 1562359, and I'll look into this next week.
Comment 2 (Assignee, 6 years ago):
I suspect it's because my leak fix in bug 1561773 was half baked.
Comment 3 (Assignee, 6 years ago):
(I need to clear mCachedAnonymousContentStyleIndexes too.)
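The failure mode comments 2 and 3 describe, as an added example written for this page (not Gecko's ServoStyleSet or nsTArray code): a cache kept in two containers, a flat array of cached styles plus a per-key table of ranges into that array, where the clear routine resets only the style array and leaves the range table pointing past its end. Frame #4 in the trace is AppendElements copying count elements from a pointer into the cached style array; if that array has been emptied, nsTArray's element pointer refers to a shared static empty header rather than a heap buffer, which is consistent with ASan classifying the read as global-buffer-overflow rather than heap-buffer-overflow. The class and function names, the (start, count) range layout, the key values and the sample entries below are assumptions chosen to mirror the two members named in the bug.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Added example, not Gecko code. Models a cache split across a flat style
// array and a range table, so that clearing only one of them leaves the
// other dangling. All names and layout here are assumptions.
struct ComputedStyleStub {
  std::string label;  // stands in for a RefPtr<ComputedStyle>
};

struct CachedRange {
  std::size_t start;
  std::size_t count;
};

class AnonContentStyleCache {
 public:
  // Cache aStyles under aKey; the range table records where they live.
  void Put(uint32_t aKey, const std::vector<ComputedStyleStub>& aStyles) {
    mIndexes[aKey] = CachedRange{mStyles.size(), aStyles.size()};
    mStyles.insert(mStyles.end(), aStyles.begin(), aStyles.end());
  }

  // Copy the cached styles for aKey into aOut. The bounds check makes a
  // stale range fail loudly; an unchecked AppendElements(ptr, count) over
  // the same state would read past the end of the style array instead.
  bool Get(uint32_t aKey, std::vector<ComputedStyleStub>& aOut) const {
    auto it = mIndexes.find(aKey);
    if (it == mIndexes.end()) {
      return false;
    }
    const CachedRange& r = it->second;
    if (IsStale(r)) {
      return false;  // range table no longer matches the style array
    }
    aOut.insert(aOut.end(), mStyles.begin() + r.start,
                mStyles.begin() + r.start + r.count);
    return true;
  }

  // The incomplete clear: styles are dropped but the range table is kept,
  // so every entry now points past the end of an empty array.
  void ClearStylesOnly() { mStyles.clear(); }

  // The complete clear: both containers are reset together.
  void Clear() {
    mStyles.clear();
    mIndexes.clear();
  }

  // Number of range entries reaching beyond the style array; any nonzero
  // value is a latent out-of-bounds read on the next lookup of that key.
  std::size_t StaleEntries() const {
    std::size_t n = 0;
    for (const auto& kv : mIndexes) {
      if (IsStale(kv.second)) {
        ++n;
      }
    }
    return n;
  }

 private:
  // Overflow-safe form of start + count > size().
  bool IsStale(const CachedRange& r) const {
    return r.count > mStyles.size() || r.start > mStyles.size() - r.count;
  }

  std::vector<ComputedStyleStub> mStyles;
  std::map<uint32_t, CachedRange> mIndexes;
};

// Constructed sample data; the labels are illustrative only.
static std::vector<ComputedStyleStub> SampleStyles() {
  return {{"scrolled-content"}, {"scrollbar"}};
}

// Populate, clear only the styles (the half-baked fix), then look up again.
std::size_t StaleAfterPartialClear() {
  AnonContentStyleCache cache;
  cache.Put(1, SampleStyles());
  cache.ClearStylesOnly();
  return cache.StaleEntries();  // one dangling range
}

bool LookupFailsAfterPartialClear() {
  AnonContentStyleCache cache;
  cache.Put(1, SampleStyles());
  cache.ClearStylesOnly();
  std::vector<ComputedStyleStub> out;
  return !cache.Get(1, out) && out.empty();
}

// Same sequence with both containers cleared, as comment 3 proposes.
std::size_t StaleAfterFullClear() {
  AnonContentStyleCache cache;
  cache.Put(1, SampleStyles());
  cache.Clear();
  return cache.StaleEntries();  // nothing dangles
}

bool RoundTripAfterFullClear() {
  AnonContentStyleCache cache;
  cache.Put(1, SampleStyles());
  cache.Clear();
  cache.Put(1, SampleStyles());
  std::vector<ComputedStyleStub> out;
  return cache.Get(1, out) && out.size() == 2 && out[1].label == "scrollbar";
}
```

The bounds check in Get is what turns the stale-range state into a clean failure; the unchecked pointer-plus-count copy that the real trace shows has no such guard, which is why the bug only surfaces as an ASan report (and, per the description, only after a few refreshes, once the cache has been cleared and reused).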
Comment 4 (Assignee, 6 years ago): (no text)
Comment 5 (Assignee, 6 years ago): (no text)
Comment 6 (Assignee, 6 years ago): (no text)
Updated (6 years ago): Keywords: regression
Comment 7 (6 years ago):
https://hg.mozilla.org/integration/autoland/rev/4fd603ca7224eb7d073aba2edf33793224f0055c
https://hg.mozilla.org/integration/autoland/rev/c6d86a83de2e11bae6ad6e2d0f3916cd3445f8c3
https://hg.mozilla.org/mozilla-central/rev/4fd603ca7224
https://hg.mozilla.org/mozilla-central/rev/c6d86a83de2e
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Updated (6 years ago):
status-firefox68: --- → unaffected
status-firefox-esr60: --- → unaffected
status-firefox-esr68: --- → unaffected
Flags: in-testsuite? → in-testsuite+
Updated (5 years ago): Group: core-security-release
Updated (3 years ago): Has Regression Range: --- → yes