1663438 - AddressSanitizer: heap-buffer-overflow [@ mozilla::dom::SVGSVGElement::CurrentScale] with READ of size 4

Status: VERIFIED FIXED

(Core :: SVG, defect)

Description

[Jason Kratzer [:jkratzer]]

Found while fuzzing mozilla-central rev d4e11195e398. I'm currently reducing the testcase and will attach it here once complete.

==20213==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6130004f6ee0 at pc 0x7fc912483b93 bp 0x7fff50189340 sp 0x7fff50189338
READ of size 4 at 0x6130004f6ee0 thread T0 (Web Content)
    #0 0x7fc912483b92 in mozilla::dom::SVGSVGElement::CurrentScale() const /gecko/dom/svg/SVGSVGElement.cpp:127:52
    #1 0x7fc9124a6680 in mozilla::dom::SVGViewportElement::PrependLocalTransformsTo(mozilla::gfx::BaseMatrix<double> const&, mozilla::SVGTransformTypes) const /gecko/dom/svg/SVGViewportElement.cpp:280:24
    #2 0x7fc91241398e in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_4::operator()(mozilla::dom::SVGElement const*, bool) const /gecko/dom/svg/SVGContentUtils.cpp:487:16
    #3 0x7fc9123ed01d in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool) /gecko/dom/svg/SVGContentUtils.cpp:501:15
    #4 0x7fc9123ecd8f in mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool) /gecko/dom/svg/SVGContentUtils.cpp:569:10
    #5 0x7fc91249e8e7 in mozilla::dom::SVGTransformableElement::GetScreenCTM() /gecko/dom/svg/SVGTransformableElement.cpp:256:19
    #6 0x7fc91249ebe6 in mozilla::dom::SVGTransformableElement::GetTransformToElement(mozilla::dom::SVGGraphicsElement&, mozilla::ErrorResult&) /gecko/dom/svg/SVGTransformableElement.cpp:265:36
    #7 0x7fc90fa9d32a in mozilla::dom::SVGGraphicsElement_Binding::getTransformToElement(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/SVGGraphicsElementBinding.cpp:536:76
    #8 0x7fc910a0c478 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3227:13
    #9 0x7fc9170d9248 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:507:13
    #10 0x7fc9170d9248 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:599:12
    #11 0x7fc9170db56b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #12 0x7fc9170c22e1 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:668:10
    #13 0x7fc9170c22e1 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3336:16
    #14 0x7fc9170a2eb0 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:468:13
    #15 0x7fc9170d93d9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:636:13
    #16 0x7fc9170db56b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #17 0x7fc9170db8f0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8
    #18 0x7fc91773c2c4 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/SelfHosting.cpp:1694:10
    #19 0x7fc91734f759 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /gecko/js/src/vm/AsyncFunction.cpp:128:8
    #20 0x7fc9174a56a9 in AsyncFunctionPromiseReactionJob /gecko/js/src/builtin/Promise.cpp:1700:10
    #21 0x7fc9174a56a9 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /gecko/js/src/builtin/Promise.cpp:1852:12
    #22 0x7fc9170d9248 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:507:13
    #23 0x7fc9170d9248 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:599:12
    #24 0x7fc9170db56b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #25 0x7fc9170db8f0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8
    #26 0x7fc91726a9c2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2831:10
    #27 0x7fc90f7d480f in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:28:8
    #28 0x7fc90b072ddc in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:91:12
    #29 0x7fc90b072ddc in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:104:12
    #30 0x7fc90b072ddc in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /gecko/xpcom/base/CycleCollectedJSContext.cpp:211:18
    #31 0x7fc90b05335b in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /gecko/xpcom/base/CycleCollectedJSContext.cpp:646:17
    #32 0x7fc90b05438f in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /gecko/xpcom/base/CycleCollectedJSContext.cpp:461:3
    #33 0x7fc90d2ae06d in XPCJSContext::AfterProcessTask(unsigned int) /gecko/js/xpconnect/src/XPCJSContext.cpp:1407:28
    #34 0x7fc90b25e91d in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1271:24
    #35 0x7fc90b2688ec in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #36 0x7fc90c53bbaf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #37 0x7fc90c4405a1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #38 0x7fc90c4405a1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #39 0x7fc90c4405a1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #40 0x7fc9131a3b47 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #41 0x7fc916e6e30f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #42 0x7fc90c4405a1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #43 0x7fc90c4405a1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #44 0x7fc90c4405a1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #45 0x7fc916e6d8ac in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #46 0x560424e8d8dd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #47 0x560424e8dd17 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
    #48 0x7fc9277590b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
    #49 0x560424de1279 in _start (/home/worker/builds/m-c-20200906094118-fuzzing-asan-opt/firefox+0x5c279)

0x6130004f6ee0 is located 16 bytes to the right of 336-byte region [0x6130004f6d80,0x6130004f6ed0)
allocated by thread T0 (Web Content) here:
    #0 0x560424e5b10d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7fc90ef95c10 in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/dom/DOMArena.h:43:17
    #2 0x7fc90ef95c10 in nsNodeInfoManager::Allocate(unsigned long) /gecko/dom/base/nsNodeInfoManager.cpp:299:20
    #3 0x7fc91248d295 in NS_NewSVGSymbolElement(nsIContent**, already_AddRefed<mozilla::dom::NodeInfo>&&) /gecko/dom/svg/SVGSymbolElement.cpp:10:1
    #4 0x7fc90da3600b in nsHtml5TreeOperation::CreateSVGElement(nsAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsNodeInfoManager*, nsHtml5DocumentBuilder*, nsresult (*)(nsIContent**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser)) /gecko/parser/html/nsHtml5TreeOperation.cpp:511:9
    #5 0x7fc90da4a945 in operator() /gecko/parser/html/nsHtml5TreeOperation.cpp:834:17
    #6 0x7fc90da4a945 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:257:16
    #7 0x7fc90da4a945 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #8 0x7fc90da4a945 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 7ul, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> >(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #9 0x7fc90da3ff66 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #10 0x7fc90da3ff66 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #11 0x7fc90da3ff66 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #12 0x7fc90da3ff66 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #13 0x7fc90da3ff66 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #14 0x7fc90da3ff66 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #15 0x7fc90da3ff66 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:269:14
    #16 0x7fc90da3ff66 in match<TreeOperationMatcher> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:795:12
    #17 0x7fc90da3ff66 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /gecko/parser/html/nsHtml5TreeOperation.cpp:1176:21
    #18 0x7fc90da3f0e5 in nsHtml5TreeOpExecutor::RunFlushLoop() /gecko/parser/html/nsHtml5TreeOpExecutor.cpp:495:19
    #19 0x7fc90da48e3d in nsHtml5ExecutorReflusher::Run() /gecko/parser/html/nsHtml5TreeOpExecutor.cpp:70:16
    #20 0x7fc90b223dfd in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #21 0x7fc90b22e309 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:242:16
    #22 0x7fc90b22a817 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:512:26
    #23 0x7fc90b2286b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:371:15
    #24 0x7fc90b228b0d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:168:36
    #25 0x7fc90b23a111 in operator() /gecko/xpcom/threads/TaskController.cpp:83:37
    #26 0x7fc90b23a111 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #27 0x7fc90b25e164 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
    #28 0x7fc90b2688ec in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #29 0x7fc90c53bbaf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #30 0x7fc90c4405a1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #31 0x7fc90c4405a1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #32 0x7fc90c4405a1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #33 0x7fc9131a3b47 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #34 0x7fc916e6e30f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20

SUMMARY: AddressSanitizer: heap-buffer-overflow /gecko/dom/svg/SVGSVGElement.cpp:127:52 in mozilla::dom::SVGSVGElement::CurrentScale() const
Shadow bytes around the buggy address:
  0x0c2680096d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2680096d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2680096da0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c2680096db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2680096dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2680096dd0: 00 00 00 00 00 00 00 00 00 00 fa fa[fa]fa fa fa
  0x0c2680096de0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2680096df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2680096e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2680096e10: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2680096e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Comment 2

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200907153413-c500459f5539.
The bug appears to have been introduced in the following build range:
> Start: 9b5af69ea3884994a93f8ee096e8a39b6bacfac0 (20200825143125)
> End: 6e2a9067912fb9b1737a72d8b1aaf97caa018499 (20200825152908)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9b5af69ea3884994a93f8ee096e8a39b6bacfac0&tochange=6e2a9067912fb9b1737a72d8b1aaf97caa018499

Comment 3

[Robert Longson [:longsonr]]

Attachment: Bug 1663438 - check element

Comment 4

[Robert Longson [:longsonr]]

Doesn't crash for me but this ought to fix it.

Comment 5

[Robert Longson [:longsonr]]

And this is nightly only so I assume I can just land it as soon as I get a + review.

Comment 6

[Emilio Cobos Álvarez (:emilio)]

Yes, per https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html#on-requesting-sec-approval you don't need sec-approval since:

We have not shipped this vulnerability in anything other than a nightly build

Comment 7

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/integration/autoland/rev/3458df3ca4315f8e4b7531adf74f38ea248e450f
https://hg.mozilla.org/mozilla-central/rev/3458df3ca431

Comment 8

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200910040355-7eead7eaf33a.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.