Open Bug 1597572 Opened 5 months ago Updated 4 months ago

null pointer passed as argument 2, which is declared to never be null in modules/zlib/src/trees.c:873

Categories: Core :: JavaScript Engine, defect, P2

Tracking Status: firefox72 --- affected

People: Reporter: tsmith, Unassigned

References: Blocks 1 open bug

Details: Keywords: csectype-undefined, testcase

Attachments (1 file): testcase.html

This is triggered with an UBSan build. To enable this check add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="nonnull-attribute"
ac_add_options --disable-jemalloc

modules/zlib/src/trees.c:873:42: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
    #0 0x7f45f2b8e1b1 in MOZ_Z__tr_stored_block modules/zlib/src/trees.c:873:5
    #1 0x7f45f2b6a7ca in MOZ_Z_deflate modules/zlib/src/deflate.c:1025:17
    #2 0x7f45f301f359 in js::Compressor::compressMore() js/src/vm/Compression.cpp:117:13
    #3 0x7f45f32f6879 in void js::SourceCompressionTask::workEncodingSpecific<char16_t>() js/src/vm/JSScript.cpp:2623:18
    #4 0x7f45f32950d9 in decltype(auto) mozilla::Variant<js::ScriptSource::Compressed<mozilla::Utf8Unit, (js::SourceRetrievable)0>, js::ScriptSource::Uncompressed<mozilla::Utf8Unit, (js::SourceRetrievable)0>, js::ScriptSource::Compressed<mozilla::Utf8Unit, (js::SourceRetrievable)1>, js::ScriptSource::Uncompressed<mozilla::Utf8Unit, (js::SourceRetrievable)1>, js::ScriptSource::Compressed<char16_t, (js::SourceRetrievable)0>, js::ScriptSource::Uncompressed<char16_t, (js::SourceRetrievable)0>, js::ScriptSource::Compressed<char16_t, (js::SourceRetrievable)1>, js::ScriptSource::Uncompressed<char16_t, (js::SourceRetrievable)1>, js::ScriptSource::Retrievable<mozilla::Utf8Unit>, js::ScriptSource::Retrievable<char16_t>, js::ScriptSource::Missing, js::ScriptSource::BinAST>::match<js::SourceCompressionTask::PerformTaskWork>(js::SourceCompressionTask::PerformTaskWork&&) objdir-ff-ubsan/dist/include/mozilla/Variant.h:767:12
    #5 0x7f45f32950d9 in js::ScriptSource::performTaskWork(js::SourceCompressionTask*) js/src/vm/JSScript.cpp:2688:8
    #6 0x7f45f32950d9 in js::SourceCompressionTask::runTask() js/src/vm/JSScript.cpp:2699:11
    #7 0x7f45f30b3d83 in js::HelperThread::handleCompressionWorkload(js::AutoLockHelperThreadState&) js/src/vm/HelperThreads.cpp:2404:11
    #8 0x7f45f30b1323 in js::HelperThread::threadLoop() js/src/vm/HelperThreads.cpp:2658:5
    #9 0x7f45f30c7e2c in void js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul>(std::integer_sequence<unsigned long, 0ul>) js/src/threading/Thread.h:218:5
    #10 0x7f45f30c7e2c in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) js/src/threading/Thread.h:207:11
    #11 0x7f460c7e36da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #12 0x7f460b7c188e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Blocks: grizzly

Jan, any idea who might be the best person to investigate?

Flags: needinfo?(jdemooij)
Priority: -- → P2

It's this line:

    zmemcpy(s->pending_buf + s->pending, (Bytef *)buf, stored_len);

And there are some callers that pass a nullptr buf with stored_len 0, for example here.

This was reported and fixed upstream two years ago: https://github.com/madler/zlib/issues/290. However, according to zlib.net the latest version is still 1.2.11, so there's no stable release with this fixed...

Flags: needinfo?(jdemooij)
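The pattern behind this report, as an added illustration that is not zlib's code or anything from the bug's participants: a minimal model of the stored-block emission path (hypothetical `emit_stored_block`, `stored_state`) that writes the LEN/NLEN header and then guards the payload copy, so `memcpy` is never reached with a null pointer when the length is zero. Building it with `-fsanitize=undefined -fsanitize=nonnull-attribute` shows no report, whereas the unguarded call does.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for deflate_state's pending buffer (constructed for this example). */
typedef struct {
    unsigned char pending_buf[64];
    size_t pending;
} stored_state;

/* Append one stored (BTYPE=00) block starting at a byte boundary.
 * Returns the number of bytes appended, or -1 on invalid input.
 * Layout: 1 header byte (BFINAL bit), LEN (u16 LE), NLEN = ~LEN (u16 LE), payload. */
static int emit_stored_block(stored_state *s, const unsigned char *buf,
                             size_t stored_len, int last)
{
    if (stored_len > 0xFFFF || s->pending + 5 + stored_len > sizeof s->pending_buf)
        return -1;                                  /* would not fit or exceeds LEN field */
    if (stored_len != 0 && buf == NULL)
        return -1;                                  /* a real payload needs a real pointer */

    s->pending_buf[s->pending++] = (unsigned char)(last ? 0x01 : 0x00); /* BFINAL, BTYPE=00 */
    s->pending_buf[s->pending++] = (unsigned char)(stored_len & 0xFF);
    s->pending_buf[s->pending++] = (unsigned char)(stored_len >> 8);
    s->pending_buf[s->pending++] = (unsigned char)(~stored_len & 0xFF);
    s->pending_buf[s->pending++] = (unsigned char)((~stored_len >> 8) & 0xFF);

    /* The guard is the point: memcpy's arguments carry the nonnull attribute in glibc's
     * string.h, so calling it with (NULL, 0) is undefined behaviour even though it copies
     * nothing. Callers that flush an empty block pass buf == NULL with stored_len == 0. */
    if (stored_len != 0)
        memcpy(s->pending_buf + s->pending, buf, stored_len);
    s->pending += stored_len;
    return (int)(5 + stored_len);
}

int main(void)
{
    stored_state s = {{0}, 0};
    unsigned char data[3] = {'a', 'b', 'c'};
    printf("empty final block: %d bytes\n", emit_stored_block(&s, NULL, 0, 1));
    printf("3-byte block:      %d bytes\n", emit_stored_block(&s, data, 3, 0));
    printf("pending total:     %zu\n", s.pending);
    return 0;
}
```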

In https://github.com/madler/zlib/issues/422 people are asking for a new zlib release and madler said "soon", 5 months ago...
