1650811 - AddressSanitizer: heap-buffer-overflow /builds/worker/checkouts/gecko/xpcom/io/Base64.cpp:45:14 in Encode3to4<unsigned char, char16_t>

Status: VERIFIED FIXED

(Core :: DOM: File, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 6087e976924f.

==28862==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000202200 at pc 0x7f1d4a5dca2d bp 0x7f1d36ca3df0 sp 0x7f1d36ca3de8
WRITE of size 2 at 0x629000202200 thread T34 (DOM Worker)
    #0 0x7f1d4a5dca2c in Encode3to4<unsigned char, char16_t> /builds/worker/checkouts/gecko/xpcom/io/Base64.cpp:45:14
    #1 0x7f1d4a5dca2c in void (anonymous namespace)::Encode<unsigned char, char16_t>(unsigned char const*, unsigned int, char16_t*) /builds/worker/checkouts/gecko/xpcom/io/Base64.cpp:72:5
    #2 0x7f1d4a5dbeed in nsresult (anonymous namespace)::EncodeInputStream_Encoder<nsTSubstring<char16_t> >(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/xpcom/io/Base64.cpp:136:3
    #3 0x7f1d4a92b7df in nsBufferedInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:446:12
    #4 0x7f1d4a5a7fad in EncodeInputStream<nsTSubstring<char16_t> > /builds/worker/checkouts/gecko/xpcom/io/Base64.cpp:190:24
    #5 0x7f1d4a5a7fad in mozilla::Base64EncodeInputStream(nsIInputStream*, nsTSubstring<char16_t>&, unsigned int, unsigned int) /builds/worker/checkouts/gecko/xpcom/io/Base64.cpp:312:10
    #6 0x7f1d50c3d47e in mozilla::dom::FileReaderSync::ReadAsDataURL(mozilla::dom::Blob&, nsTSubstring<char16_t>&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/file/FileReaderSync.cpp:277:9
    #7 0x7f1d500bdabe in mozilla::dom::FileReaderSync_Binding::readAsDataURL(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/FileReaderSyncBinding.cpp:250:24
    #8 0x7f1d504460f8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3219:13
    #9 0x7f1d56b1a08b in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:484:13
    #10 0x7f1d56b1a08b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:576:12
    #11 0x7f1d56b1c328 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:639:10
    #12 0x7f1d56b03210 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:643:10
    #13 0x7f1d56b03210 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3296:16
    #14 0x7f1d56ae6b71 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:456:10
    #15 0x7f1d56b1a16d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:611:13
    #16 0x7f1d56b1c328 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:639:10
    #17 0x7f1d56b1c606 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:8
    #18 0x7f1d56cc0220 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2846:10
    #19 0x7f1d50038b89 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:276:37
    #20 0x7f1d50b804be in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
    #21 0x7f1d50b7e6c4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
    #22 0x7f1d50b434be in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1088:22
    #23 0x7f1d50b44c40 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1279:17
    #24 0x7f1d50b32e1f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:355:17
    #25 0x7f1d50b315bd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:557:16
    #26 0x7f1d50b35b16 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1054:11
    #27 0x7f1d50b3a849 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #28 0x7f1d50afdc75 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/events/DOMEventTargetHelper.cpp:145:17
    #29 0x7f1d50b51709 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:178:13
    #30 0x7f1d5257860e in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /builds/worker/checkouts/gecko/dom/workers/MessageEventRunnable.cpp:106:12
    #31 0x7f1d525f7fb8 in mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:370:12
    #32 0x7f1d4a6b31f5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #33 0x7f1d4a6bdf8c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #34 0x7f1d525dd36a in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2979:7
    #35 0x7f1d525a3b07 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2210:40
    #36 0x7f1d4a6b31f5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #37 0x7f1d4a6bdf8c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #38 0x7f1d4ba54162 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:302:20
    #39 0x7f1d4b930997 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #40 0x7f1d4b930997 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #41 0x7f1d4b930997 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #42 0x7f1d4a6abbb7 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:447:10
    #43 0x7f1d6fb40d3e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #44 0x7f1d6f7826da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #45 0x7f1d6e76088e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x629000202200 is located 0 bytes to the right of 16384-byte region [0x6290001fe200,0x629000202200)
allocated by thread T34 (DOM Worker) here:
    #0 0x5559d620937d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x7f1d4a472c1a in Alloc /builds/worker/checkouts/gecko/xpcom/string/nsSubstring.cpp:206:42
    #2 0x7f1d4a472c1a in nsTSubstring<char16_t>::StartBulkWriteImpl(unsigned int, unsigned int, bool, unsigned int, unsigned int, unsigned int) /builds/worker/checkouts/gecko/xpcom/string/nsTSubstring.cpp:203:32
    #3 0x7f1d4a475e2b in nsTSubstring<char16_t>::SetLength(unsigned int, std::nothrow_t const&) /builds/worker/checkouts/gecko/xpcom/string/nsTSubstring.cpp:937:7
    #4 0x7f1d4a5a7e43 in EncodeInputStream<nsTSubstring<char16_t> > /builds/worker/checkouts/gecko/xpcom/io/Base64.cpp:178:14
    #5 0x7f1d4a5a7e43 in mozilla::Base64EncodeInputStream(nsIInputStream*, nsTSubstring<char16_t>&, unsigned int, unsigned int) /builds/worker/checkouts/gecko/xpcom/io/Base64.cpp:312:10
    #6 0x7f1d50c3d47e in mozilla::dom::FileReaderSync::ReadAsDataURL(mozilla::dom::Blob&, nsTSubstring<char16_t>&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/file/FileReaderSync.cpp:277:9
    #7 0x7f1d500bdabe in mozilla::dom::FileReaderSync_Binding::readAsDataURL(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/FileReaderSyncBinding.cpp:250:24
    #8 0x7f1d504460f8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3219:13
    #9 0x7f1d56b1a08b in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:484:13
    #10 0x7f1d56b1a08b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:576:12
    #11 0x7f1d56b1c328 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:639:10
    #12 0x7f1d56b03210 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:643:10
    #13 0x7f1d56b03210 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3296:16
    #14 0x7f1d56ae6b71 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:456:10
    #15 0x7f1d56b1a16d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:611:13
    #16 0x7f1d56b1c328 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:639:10
    #17 0x7f1d56b1c606 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:8
    #18 0x7f1d56cc0220 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2846:10
    #19 0x7f1d50038b89 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:276:37
    #20 0x7f1d50b804be in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
    #21 0x7f1d50b7e6c4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
    #22 0x7f1d50b434be in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1088:22
    #23 0x7f1d50b44c40 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1279:17

Thread T34 (DOM Worker) created by T0 (file:// Content) here:
    #0 0x5559d61f3b2a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7f1d6fb311e5 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f1d6fb2215e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f1d4a6ae897 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:659:8
    #4 0x7f1d52606007 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:94:7
    #5 0x7f1d5257ef3a in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1346:14
    #6 0x7f1d5257dc74 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1213:19
    #7 0x7f1d525d7c2e in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2417:24
    #8 0x7f1d5258c131 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:42:41
    #9 0x7f1d4fca462d in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1170:52
    #10 0x7f1d56b1d1ae in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:484:13
    #11 0x7f1d56b1d1ae in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:500:8
    #12 0x7f1d56b1d1ae in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:702:10
    #13 0x7f1d56b1c894 in js::ConstructFromStack(JSContext*, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:729:10
    #14 0x7f1d56af8007 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3286:16
    #15 0x7f1d56ae6b71 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:456:10
    #16 0x7f1d56b1a16d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:611:13
    #17 0x7f1d56b1c328 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:639:10
    #18 0x7f1d56b1c606 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:8
    #19 0x7f1d56cc0220 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2846:10
    #20 0x7f1d5003b93e in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
    #21 0x7f1d50b43a0d in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #22 0x7f1d50b43434 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1082:43
    #23 0x7f1d50b44c40 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1279:17
    #24 0x7f1d50b32e1f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:355:17
    #25 0x7f1d50b315bd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:557:16
    #26 0x7f1d50b35b16 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1054:11
    #27 0x7f1d532d4552 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1140:7
    #28 0x7f1d55e67afc in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6030:20
    #29 0x7f1d55e66cf5 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5499:7
    #30 0x7f1d55e6a40f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #31 0x7f1d4d0f0b50 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1331:3
    #32 0x7f1d4d0efa1c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:937:14
    #33 0x7f1d4d0ebf9b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:757:9
    #34 0x7f1d4d0ee50d in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:640:5
    #35 0x7f1d4d0ef5ac in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
    #36 0x7f1d4a9639f7 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:615:22
    #37 0x7f1d4a966c07 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:522:10
    #38 0x7f1d4e6c093f in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10732:18
    #39 0x7f1d4e6792c7 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10664:9
    #40 0x7f1d4e69baa4 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7300:3
    #41 0x7f1d4e768364 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
    #42 0x7f1d4e768364 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
    #43 0x7f1d4e768364 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
    #44 0x7f1d4a6783bd in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #45 0x7f1d4a6823e9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:209:16
    #46 0x7f1d4a67e978 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:459:24
    #47 0x7f1d4a67ccc8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:337:20
    #48 0x7f1d4a67d0d3 in mozilla::TaskController::ProcessPendingMTTask() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:152:3
    #49 0x7f1d4a68e17f in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:82:37
    #50 0x7f1d4a68e17f in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #51 0x7f1d4a6b31f5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #52 0x7f1d4a6bdf8c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #53 0x7f1d4ba5266f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #54 0x7f1d4b930997 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #55 0x7f1d4b930997 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #56 0x7f1d4b930997 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #57 0x7f1d52cff778 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #58 0x7f1d568aee06 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #59 0x7f1d4b930997 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #60 0x7f1d4b930997 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #61 0x7f1d4b930997 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #62 0x7f1d568ae3ef in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #63 0x5559d623c063 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #64 0x5559d623c063 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #65 0x7f1d6e660b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/checkouts/gecko/xpcom/io/Base64.cpp:45:14 in Encode3to4<unsigned char, char16_t>
Shadow bytes around the buggy address:
  0x0c52800383f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280038400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280038410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280038420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280038430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5280038440:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280038450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280038460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280038470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280038480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280038490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==28862==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: prefs.js

Comment 2

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200706095144-5766d99b88f3.
Failed to bisect testcase (Start build crashes!):
> Start: 7e6657f88b7694ecd841088963ff71d767e4ec22 (20190708094556)
> End: 5766d99b88f379d3eb631085387cc9cbae438b6a (20200706095144)
> BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False)

Comment 3

[Jens Stutte [:jstutte]]

Hi :baku, Subhamoy is on holiday this week. You are active?

Comment 4

[Andrea Marchesini [:baku]]

Attachment: Bug 1650811 - Make Base64 compatible with ReadSegments() with small buffers, r?asuth

Comment 5

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/integration/autoland/rev/708298a65c5780828a23b3befde7f7ef62972e6e
https://hg.mozilla.org/mozilla-central/rev/708298a65c57

Comment 6

[Ryan VanderMeulen [:RyanVM]]

Please request Beta and ESR78 approval on this when you get a chance. I'm not convinced we need this on ESR68 given how close it is to EOL and this being rated a sec-moderate, but it looks like it'd graft cleanly if we wanted it there too to be safe.

Comment 7

[Andrea Marchesini [:baku]]

Comment on attachment 9161857 [details]
Bug 1650811 - Make Base64 compatible with ReadSegments() with small buffers, r?asuth

Beta/Release Uplift Approval Request

• User impact if declined: A crash can occur using FileReaderSync (and probably FileReader too)
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): There is a logical bug in how the buffer is handled in the Base64 encoding stream. The code is safe enough because in the test I cover all the possible scenarios.
• String changes made/needed:

ESR Uplift Approval Request

• If this is not a sec:{high,crit} bug, please state case for ESR consideration: See the beta request comments
• User impact if declined:
• Fix Landed on Version: 80
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): See the beta-approval request
• String or UUID changes made by this patch: none

Comment 8

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200714153520-bca48c382991.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Comment 9

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9161857 [details]
Bug 1650811 - Make Base64 compatible with ReadSegments() with small buffers, r?asuth

Approved for 79.0b8 and 78.1esr.

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/62b642cf2bfa

Comment 11

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr78/rev/aa071acafd70

Comment 12

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9161857 [details]
Bug 1650811 - Make Base64 compatible with ReadSegments() with small buffers, r?asuth

Per Slack discussion with dveditz, approved for 68.11esr also.

Comment 13

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr68/rev/69f28404c604