Closed Bug 1681022 (CVE-2020-26974) Opened 3 years ago Closed 3 years ago

heap-use-after-free on mozilla::StyleGenericCalcNode

Categories

(Core :: Layout: Flexbox, defect)

VERIFIED FIXED
85 Branch
Tracking Status
firefox-esr78 84+ verified
firefox83 --- wontfix
firefox84 + verified
firefox85 + verified

People

(Reporter: ahihibughunter, Assigned: emilio)

References

(Regression)

Details

(Keywords: regression, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main84+][sec-survey][adv-esr78.6+])

Attachments

(4 files, 1 obsolete file)

Attached file testcase.html

Firefox version 85.0a1 (2020-12-06) (64-bit)
ASan output:

==29886==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190002ce398 at pc 0x0001154ec20d bp 0x7ffee67aa8d0 sp 0x7ffee67aa8c8
READ of size 1 at 0x6190002ce398 thread T0
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: Failed to use and restart external symbolizer!
    #0 0x1154ec20c in int mozilla::StyleGenericCalcNode<mozilla::StyleCalcLengthPercentageLeaf>::ResolveInternal<int, int (*)(float)>(int, int (*)(float)) const+0x66c (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaedb20c)
    #1 0x1158a1c98 in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)+0x27e8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb290c98)
    #2 0x1157ba61f in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType)+0x220f (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1a961f)
    #3 0x1157b2ee6 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&)+0x5a6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1a1ee6)
    #4 0x1157b4b40 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)+0x8c0 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1a3b40)
    #5 0x1158a7bec in nsFlexContainerFrame::GenerateFlexItemForChild(nsFlexContainerFrame::FlexLine&, nsIFrame*, mozilla::ReflowInput const&, nsFlexContainerFrame::FlexboxAxisTracker const&, bool)+0x2ac (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb296bec)
    #6 0x1158bc75b in nsFlexContainerFrame::GenerateFlexLines(mozilla::ReflowInput const&, int, nsTArray<nsFlexContainerFrame::StrutInfo> const&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, bool, nsTArray<nsIFrame*>&, nsTArray<nsFlexContainerFrame::FlexLine>&)+0x12fb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2ab75b)
    #7 0x1158c4c81 in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*)+0x161 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2b3c81)
    #8 0x1158c100c in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0xb2c (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2b000c)
    #9 0x115ae5bf9 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)+0x1d49 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb4d4bf9)
    #10 0x1158284b4 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*)+0x214 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2174b4)
    #11 0x115826da2 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool)+0x4a2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb215da2)
    #12 0x11581fc6d in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)+0x7fd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb20ec6d)
    #13 0x115818d9c in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)+0x13c (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb207d9c)
    #14 0x11580ca85 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)+0x16b5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1fba85)
    #15 0x115804af3 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x14c3 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1f3af3)
    #16 0x11588239b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)+0x43b (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb27139b)
    #17 0x11585861b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x122b (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb24761b)
    #18 0x115919390 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)+0x1420 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb308390)
    #19 0x11591b490 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)+0x320 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb30a490)
    #20 0x115927e6a in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0xd8a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb316e6a)
    #21 0x115883345 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)+0x335 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb272345)
    #22 0x1157f4b02 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x642 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1e3b02)
    #23 0x1155a66a4 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)+0x1ac4 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf956a4)
    #24 0x1155be1f8 in mozilla::PresShell::ProcessReflowCommands(bool)+0x478 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xafad1f8)
    #25 0x1155bc258 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)+0x1ba8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xafab258)
    #26 0x11552e136 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)+0x2b36 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf1d136)
    #27 0x115541903 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)+0x213 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf30903)
    #28 0x1155415e8 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)+0xc8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf305e8)
    #29 0x115540a4c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)+0x1cc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf2fa4c)
    #30 0x11553fd1e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync()+0x76e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf2ed1e)
    #31 0x11553f302 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)+0x92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf2e302)
    #32 0x1141fb81d in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&)+0x2cd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x9bea81d)
    #33 0x10cc7cb92 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&)+0x4f2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x266bb92)
    #34 0x10c6dc9af in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)+0x35f (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x20cb9af)
    #35 0x10bf097f8 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)+0x1e8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f87f8)
    #36 0x10bf0471d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)+0x71d (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f371d)
    #37 0x10bf06f36 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)+0x586 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f5f36)
    #38 0x10bf07ca1 in mozilla::ipc::MessageChannel::MessageTask::Run()+0x101 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f6ca1)
    #39 0x10a9b8177 in mozilla::RunnableTask::Run()+0x347 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a7177)
    #40 0x10a9b343a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a243a)
    #41 0x10a9b095e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0xae (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39f95e)
    #42 0x10a9b0f67 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ff67)
    #43 0x10a9bf981 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae981)
    #44 0x10a9e2d45 in nsThread::ProcessNextEvent(bool, bool*)+0x13d5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3d1d45)
    #45 0x10a9eee4d in NS_ProcessNextEvent(nsIThread*, bool)+0x11d (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3dde4d)
    #46 0x10bf1496e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x40e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x190396e)
    #47 0x10bdf3ec2 in MessageLoop::Run()+0x1d2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x17e2ec2)
    #48 0x114e343ff in nsBaseAppShell::Run()+0x4f (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xa8233ff)
    #49 0x114f8d24c in nsAppShell::Run()+0x3cc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xa97c24c)
    #50 0x118eaa71e in XRE_RunAppShell()+0x28e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xe89971e)
    #51 0x10bdf3ec2 in MessageLoop::Run()+0x1d2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x17e2ec2)
    #52 0x118ea9b94 in XRE_InitChildProcess(int, char**, XREChildData const*)+0xf94 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xe898b94)
    #53 0x10944bd06 in main+0x1b6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x100000d06)
    #54 0x7fff6d7a5cc8 in start+0x0 (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

0x6190002ce398 is located 280 bytes inside of 1024-byte region [0x6190002ce280,0x6190002ce680)
freed by thread T0 here:
    #0 0x12ba47cd6 in wrap_free+0xa6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x46cd6)
    #1 0x11b951387 in style::properties::cascade::cascade_rules::h088ae32ca5ec9019+0xf97 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x11340387)
    #2 0x11b96b596 in style::stylist::Stylist::cascade_style_and_visited::h8d1d544df7954eb4+0x96 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1135a596)
    #3 0x11b9be1ab in Servo_ComputedValues_GetForAnonymousBox+0x3cb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x113ad1ab)
    #4 0x115442252 in mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle(mozilla::PseudoStyleType, mozilla::ComputedStyle*)+0x92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xae31252)
    #5 0x11565855c in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&)+0x1bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04755c)
    #6 0x115670c95 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x3b5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb05fc95)
    #7 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
    #8 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
    #9 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
    #10 0x115671d9e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x14be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb060d9e)
    #11 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
    #12 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
    #13 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
    #14 0x115664983 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*)+0x7f3 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb053983)
    #15 0x115660842 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*)+0x2a92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04f842)
    #16 0x11568331b in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind)+0x3eb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb07231b)
    #17 0x1155a145a in mozilla::PresShell::Initialize()+0x40a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf9045a)
    #18 0x10f0f773c in nsContentSink::StartLayout(bool)+0x8bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x4ae673c)
    #19 0x10d768178 in nsHtml5TreeOpExecutor::StartLayout(bool*)+0x128 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3157178)
    #20 0x10d7630ec in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)+0x1fcc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x31520ec)
    #21 0x10d760269 in nsHtml5TreeOpExecutor::RunFlushLoop()+0x9f9 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x314f269)
    #22 0x10d76d00f in nsHtml5ExecutorFlusher::Run()+0x3cf (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x315c00f)
    #23 0x10a9aa1e0 in mozilla::SchedulerGroup::Runnable::Run()+0x80 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3991e0)
    #24 0x10a9b8177 in mozilla::RunnableTask::Run()+0x347 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a7177)
    #25 0x10a9b343a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a243a)
    #26 0x10a9b0b6e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x2be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39fb6e)
    #27 0x10a9b0f67 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ff67)
    #28 0x10a9bf981 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae981)
    #29 0x10a9e2d45 in nsThread::ProcessNextEvent(bool, bool*)+0x13d5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3d1d45)

previously allocated by thread T0 here:
    #0 0x12ba47b8d in wrap_malloc+0x9d (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x46b8d)
    #1 0x11b94cc6e in smallvec::SmallVec$LT$A$GT$::push::ha7920bdc965a65bc+0x28e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1133bc6e)
    #2 0x11b950cae in style::properties::cascade::cascade_rules::h088ae32ca5ec9019+0x8be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1133fcae)
    #3 0x11b96b596 in style::stylist::Stylist::cascade_style_and_visited::h8d1d544df7954eb4+0x96 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1135a596)
    #4 0x11b9be1ab in Servo_ComputedValues_GetForAnonymousBox+0x3cb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x113ad1ab)
    #5 0x115442252 in mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle(mozilla::PseudoStyleType, mozilla::ComputedStyle*)+0x92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xae31252)
    #6 0x11565855c in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&)+0x1bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04755c)
    #7 0x115670c95 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x3b5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb05fc95)
    #8 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
    #9 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
    #10 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
    #11 0x115671d9e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x14be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb060d9e)
    #12 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
    #13 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
    #14 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
    #15 0x115664983 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*)+0x7f3 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb053983)
    #16 0x115660842 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*)+0x2a92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04f842)
    #17 0x11568331b in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind)+0x3eb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb07231b)
    #18 0x1155a145a in mozilla::PresShell::Initialize()+0x40a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf9045a)
    #19 0x10f0f773c in nsContentSink::StartLayout(bool)+0x8bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x4ae673c)
    #20 0x10d768178 in nsHtml5TreeOpExecutor::StartLayout(bool*)+0x128 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3157178)
    #21 0x10d7630ec in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)+0x1fcc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x31520ec)
    #22 0x10d760269 in nsHtml5TreeOpExecutor::RunFlushLoop()+0x9f9 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x314f269)
    #23 0x10d76d00f in nsHtml5ExecutorFlusher::Run()+0x3cf (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x315c00f)
    #24 0x10a9aa1e0 in mozilla::SchedulerGroup::Runnable::Run()+0x80 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3991e0)
    #25 0x10a9b8177 in mozilla::RunnableTask::Run()+0x347 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a7177)
    #26 0x10a9b343a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a243a)
    #27 0x10a9b0b6e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x2be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39fb6e)
    #28 0x10a9b0f67 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ff67)
    #29 0x10a9bf981 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae981)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaedb20c) in int mozilla::StyleGenericCalcNode<mozilla::StyleCalcLengthPercentageLeaf>::ResolveInternal<int, int (*)(float)>(int, int (*)(float)) const+0x66c
Shadow bytes around the buggy address:
==29886==ABORTING

###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
Flags: sec-bounty?
Group: firefox-core-security → layout-core-security
Type: task → defect
Component: Security → CSS Parsing and Computation
Product: Firefox → Core
Flags: needinfo?(emilio)

This is a bad cast in Layout. In a debug build I get:

Assertion failure: IsSize(), at /home/emilio/src/moz/gecko-4/obj-debug/dist/include/mozilla/ServoStyleConsts.h:6835
#17 0x00007fb6308abc5a in MOZ_ReportAssertionFailure(char const*, char const*, int)
    (aStr=0x74 <error: Cannot access memory at address 0x74>, aFilename=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, aLine=0)
    at /home/emilio/src/moz/gecko-4/obj-debug/dist/include/mozilla/Assertions.h:106
#18 0x00007fb630939b22 in mozilla::StyleGenericFlexBasis<mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion> >::AsSize() const (this=this@entry=0x7fb615fa3a58)
    at /home/emilio/src/moz/gecko-4/obj-debug/dist/include/mozilla/ServoStyleConsts.h:6835
#19 0x00007fb6308b9d8d in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)
    (this=<optimized out>, aRenderingContext=0x7fb615f97e00, aWM=..., aCBSize=<optimized out>, aAvailableISize=368720264, aMargin=<optimized out>, aBorderPadding=..., aFlags=mozilla::ComputeSizeFlags = {...})
    at /home/emilio/src/moz/gecko-4/layout/generic/nsIFrame.cpp:6193
#20 0x00007fb630868372 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) (this=<optimized out>, this@entry=0x7ffca90f8fd8, aPresContext=aPresContext@entry=0x7fb617c71c00, aContainingBlockSize=<optimized out>, aBorder=..., aPadding=..., aFrameType=mozilla::LayoutFrameType::None, 
    aFrameType@entry=mozilla::LayoutFrameType::TableWrapper) at /home/emilio/src/moz/gecko-4/layout/generic/ReflowInput.cpp:2430
#21 0x00007fb630865b8f in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) (
    this=this@entry=0x7ffca90f8fd8, aPresContext=0x7fb617c71c00, aContainingBlockSize=..., aBorder=..., aPadding=...) at /home/emilio/src/moz/gecko-4/layout/generic/ReflowInput.cpp:357
#22 0x00007fb630866286 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)
    (this=0x7ffca90f8fd8, aPresContext=0x7ffca90f6950, aParentReflowInput=<optimized out>, aFrame=0x7fb615fa1c48, aAvailableSpace=..., aContainingBlockSize=..., aFlags=mozilla::ReflowInput::InitFlags = {...}, aComputeSizeFlags=mozilla::ComputeSizeFlags = {...}) at /home/emilio/src/moz/gecko-4/layout/generic/ReflowInput.cpp:216
#23 0x00007fb6308bcef5 in nsFlexContainerFrame::GenerateFlexItemForChild(nsFlexContainerFrame::FlexLine&, nsIFrame*, mozilla::ReflowInput const&, nsFlexContainerFrame::FlexboxAxisTracker const&, bool)
    (this=this@entry=0x7fb615fa1b98, aLine=..., aChildFrame=0x7fb615fa1c48, aParentReflowInput=..., aAxisTracker=..., aHasLineClampEllipsis=false) at /home/emilio/src/moz/gecko-4/layout/generic/nsFlexContainerFrame.cpp:1285
#24 0x00007fb6308c200a in nsFlexContainerFrame::GenerateFlexLines(mozilla::ReflowInput const&, int, nsTArray<nsFlexContainerFrame::StrutInfo> const&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, bool, nsTArray<nsIFrame*>&, nsTArray<nsFlexContainerFrame::FlexLine>&)
    (this=0x7fb615fa1b98, aReflowInput=<optimized out>, aContentBoxMainSize=<optimized out>, aStruts=const nsTArray<nsFlexContainerFrame::StrutInfo> &, aAxisTracker=..., aMainGapSize=0, aHasLineClampEllipsis=<optimized out>, aPlaceholders=nsTArray<nsIFrame*> &, aLines=nsTArray<nsFlexContainerFrame::FlexLine> & = {...}) at /home/emilio/src/moz/gecko-4/layout/generic/nsFlexContainerFrame.cpp:4004
#25 0x00007fb6308c3fec in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*)
    (this=this@entry=0x7fb615fa1b98, aReflowInput=..., aContentBoxMainSize=@0x7ffca90f9688: 1073741823, aContentBoxCrossSize=@0x7ffca90f9684: -1431655766, aFlexContainerAscent=@0x7ffca90f9680: -1431655766, aLines=nsTArray<nsFlexContainerFrame::FlexLine> & = {...}, aStruts=nsTArray<nsFlexContainerFrame::StrutInfo> &, aPlaceholders=nsTArray<nsIFrame*> &, aAxisTracker=..., aMainGapSize=0, aCrossGapSize=0, aConsumedBSize=0, aHasLineClampEllipsis=<optimized out>, aContainerInfo=0x0) at /home/emilio/src/moz/gecko-4/layout/generic/nsFlexContainerFrame.cpp:4920
#26 0x00007fb6308c3178 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)
    (this=0x7fb615fa1b98, aPresContext=0x7fb617c71c00, aReflowOutput=..., aReflowInput=<optimized out>, aStatus=<optimized out>) at /home/emilio/src/moz/gecko-4/layout/generic/nsFlexContainerFrame.cpp:4430
#27 0x00007fb630968a30 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) (this=0x7ffca90f9c18, aFrame=<optimized out>, aReflowStatus=..., aMetrics=0x0, aPushedFrame=@0x7ffca90f9a1b: false)
    at /home/emilio/src/moz/gecko-4/layout/generic/nsLineLayout.cpp:875
#28 0x00007fb630890375 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*)
    (this=this@entry=0x7fb615fa1ad0, aState=..., aLineLayout=..., aLine=..., aFrame=aFrame@entry=0x7fb615fa1b98, aLineReflowStatus=0x7ffca90f9afc) at /home/emilio/src/moz/gecko-4/layout/generic/nsBlockFrame.cpp
Status: UNCONFIRMED → NEW
Component: CSS Parsing and Computation → Layout
Ever confirmed: true

The logic has been wrong here all the way since bug 1455976, but it probably didn't cause issues until bug 1527410, which changed how we represent flex-basis values.

Quite scary that our fuzzers haven't found this before...

Component: Layout → Layout: Flexbox
Regressed by: 1527410
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Regressed by: 1455976
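As an added illustration of the bug class emilio describes above, here is a constructed C++ model, not Gecko's code and not the patch on this bug. It shows a tagged style value in the shape of `StyleGenericFlexBasis` with an unchecked `AsSize()` accessor (whose assertion is the one that fires in the debug backtrace), sizing code that assumed every flex-basis reaching it was a size, and a checked variant that handles `content` explicitly before touching the `Size` arm. The type and function names, the `TrySize()` accessor and the "treat `content` as `auto`" fallback are assumptions made for this example; the real fix is described only by its title, "Ignore flex-basis: content on a table wrapper".

```cpp
// Constructed model of a tagged style value and its consumers. Not Gecko code;
// all names below are hypothetical stand-ins for the real ServoStyleConsts types.
#include <cassert>
#include <cstdint>
#include <optional>

struct LengthPercentage { float px; };

// Stand-in for StyleGenericSize: 'auto' or a length.
struct Size {
  enum class Tag : uint8_t { Auto, Length } tag;
  LengthPercentage length;  // meaningful only when tag == Tag::Length
  static Size Auto() { return Size{Tag::Auto, {0.f}}; }
  static Size Px(float px) { return Size{Tag::Length, {px}}; }
};

// Stand-in for StyleGenericFlexBasis: 'content' or a Size. Only the Size arm
// carries a payload, so reading `size` while tag == Content reads bytes that no
// Size constructor ever wrote. In the real type those bytes are whatever the
// allocator or Rust left there; here they are zeroed to keep the model defined.
struct FlexBasis {
  enum class Tag : uint8_t { Content, Size } tag;
  Size size;  // meaningful only when tag == Tag::Size

  static FlexBasis Content() { FlexBasis b{}; b.tag = Tag::Content; return b; }
  static FlexBasis FromSize(Size s) { FlexBasis b{}; b.tag = Tag::Size; b.size = s; return b; }

  bool IsSize() const { return tag == Tag::Size; }
  bool IsContent() const { return tag == Tag::Content; }

  // Unchecked accessor in the style of a generated AsSize(): the caller is
  // responsible for having checked the tag. A debug build stops here with
  // "Assertion failure: IsSize()"; a release build returns a bogus Size.
  const Size& AsSize() const { assert(IsSize()); return size; }

  // Checked alternative: callers cannot forget the 'content' case.
  std::optional<Size> TrySize() const {
    return IsSize() ? std::optional<Size>(size) : std::nullopt;
  }
};

// Resolve the starting main size of a flex item, in px. nullopt means 'auto'
// (the caller then measures the item's content).

// Before the fix (modelled): assumes every flex-basis that reaches this point
// is a Size, so a 'content' basis is a bad cast.
std::optional<float> ResolveBasisUnchecked(const FlexBasis& basis) {
  const Size& s = basis.AsSize();  // asserts in debug, reads garbage in release
  if (s.tag == Size::Tag::Auto) return std::nullopt;
  return s.length.px;
}

// After the fix (modelled): 'content' is handled before the Size arm is read.
// Treating it as 'auto' here is an assumption for this example, matching the
// patch title "Ignore flex-basis: content on a table wrapper".
std::optional<float> ResolveBasisChecked(const FlexBasis& basis) {
  std::optional<Size> s = basis.TrySize();
  if (!s) return std::nullopt;  // flex-basis: content, ignored on this frame
  if (s->tag == Size::Tag::Auto) return std::nullopt;
  return s->length.px;
}

int main() {
  // Size-valued bases resolve the same way through both paths.
  assert(ResolveBasisUnchecked(FlexBasis::FromSize(Size::Px(120.f))).value() == 120.f);
  assert(ResolveBasisChecked(FlexBasis::FromSize(Size::Px(120.f))).value() == 120.f);
  // Only the checked path survives a 'content' basis; the unchecked one would
  // trip the assertion (or read uninitialised bytes without it).
  assert(!ResolveBasisChecked(FlexBasis::Content()).has_value());
  return 0;
}
```

The point of the checked accessor is that the compiler, rather than a debug-only assertion, forces every consumer to say what happens for `content`; the unchecked `AsSize()` pattern is only safe while every caller's tag check is kept in sync with the set of variants, which is exactly what broke when the flex-basis representation changed.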

Comment on attachment 9191593 [details]
Bug 1681022 - Ignore flex-basis: content on a table wrapper. r=dholbert

Beta/Release Uplift Approval Request

  • User impact if declined: sec-high/crit, probably
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: open test-case
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple fix to a bad type cast when some CSS is applied to a table.
  • String changes made/needed: none

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: see above
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): see above
  • String or UUID changes made by this patch: none
Attachment #9191593 - Flags: approval-mozilla-esr78?
Attachment #9191593 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9191593 [details]
Bug 1681022 - Ignore flex-basis: content on a table wrapper. r=dholbert

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: somewhat easily I suspect.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Should apply cleanly modulo file moves or what not.
  • How likely is this patch to cause regressions; how much testing does it need?: Fix is trivial.
Attachment #9191593 - Flags: sec-approval?

Comment on attachment 9191593 [details]
Bug 1681022 - Ignore flex-basis: content on a table wrapper. r=dholbert

Approved to land if we can take it in the RC, otherwise we should probably wait until January to land.

Attachment #9191593 - Flags: sec-approval? → sec-approval+

Comment on attachment 9191593 [details]
Bug 1681022 - Ignore flex-basis: content on a table wrapper. r=dholbert

Approved for 84.0rc1 and 78.6esr.

Attachment #9191593 - Flags: approval-mozilla-release+
Attachment #9191593 - Flags: approval-mozilla-esr78?
Attachment #9191593 - Flags: approval-mozilla-esr78+
Attachment #9191593 - Flags: approval-mozilla-beta?
Attached patch esr.patch
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main84+]
Flags: sec-bounty? → sec-bounty+
QA Whiteboard: [qa-triaged]

I've reproduced this bug using the testcase from comment 0, on an affected Nightly build 85.0a1 (2020-12-06).

The crash is not reproducing anymore on the latest asan builds: ESR 78.6, RC1 84.0 and latest Nightly 85.0a1. This was tested on Ubuntu 18.04 x84.

Status: RESOLVED → VERIFIED
Flags: qe-verify+

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this Google form to reply.

Flags: needinfo?(emilio)
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main84+] → [reporter-external] [client-bounty-form] [verif?][adv-main84+][sec-survey]

Done

Flags: needinfo?(emilio)

Ok, Jason and I did a bit more digging to see why our fuzzers hadn't triggered this.

Turns out that even though the logic bug is there since forever, this is a relatively recent regression, from bug 1673006, after all, which made this codepath possible.

Now, release builds have a different regression range where it bisects to bug 1680172. So it looks like:

  • Logic bug is ancient, but...
  • Only bug 1673006 allows it to happen (content can't access the selector tweaked in that bug), and...
  • Before bug 1680172, Rust was initializing the values differently, somehow, in a way that it didn't trigger an exploitable crash...
Regressed by: 1673006
No longer regressed by: 1455976, 1527410
Has Regression Range: --- → yes

Note that 1.48 changed things wrt uninitialized memory.

Attached file advisory.txt
Attachment #9192285 - Attachment is obsolete: true
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main84+][sec-survey] → [reporter-external] [client-bounty-form] [verif?][adv-main84+][sec-survey][adv-esr78.6+]
Alias: CVE-2020-26974
Group: core-security-release