Closed Bug 1681559 Opened 4 years ago Closed 4 years ago

AddressSanitizer: stack-buffer-overflow [@ int mozilla::StyleGenericCalcNode<mozilla::StyleCalcLengthPercentageLeaf>::ResolveInternal<int, int (*)(float)>] with READ of size 1

Categories

(Core :: Layout, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1681022
Tracking Status
firefox85 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, regression)

Attachments

(1 file)

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 85.0a1-20201207215505-https://hg.mozilla.org/mozilla-central/rev/eeee2b548e51eaad256f018fadaf1cc10e55c479.

For detailed crash information, see attachment.

Not sure if this is actionable, but we will see :) There is two main options here (leaving weird memory corruptions aside): 1) This is a straight buffer overflow on the stack, in which case we should be able to diagnose it or 2) This is caused by a stack-use-after-return, in which case it is harder to diagnose. If we made any recent changes in the area, it might be worthwhile to take a look at these and check for new stack values or returning those by address.

Group: core-security → layout-core-security

Tyson has a UAF crash with a similar-looking signature. ni? to him to look into that once his testcase is reduced, and then he can stick it here.

Flags: needinfo?(twsmith)

Yeah, this looks like bug 1681022.

Crashes we saw were from older builds. The build mentioned in comment 0 was a few hours older than the patches from bug 1681022. I think it's safe to call this a duplicate.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(twsmith)
Resolution: --- → DUPLICATE
Group: layout-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: