Closed Bug 1696270 Opened 4 years ago Closed 3 years ago

stack-overflow in [@ nsTextEquivUtils::AppendFromAccessible]

Categories

(Core :: Disability Access APIs, defect, P2)

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox88 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html
==27691==ERROR: AddressSanitizer: stack-overflow on address 0x7fff1610bfe8 (pc 0x55a29131cabe bp 0x7fff1610c830 sp 0x7fff1610bff0 T0)
    #0 0x55a29131cabe in __asan_memmove /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:30:3
    #1 0x7f879f2d71be in move /gecko/xpcom/string/nsCharTraits.h:120:9
    #2 0x7f879f2d71be in nsTSubstring<char16_t>::StartBulkWriteImpl(unsigned int, unsigned int, bool, unsigned int, unsigned int, unsigned int) /gecko/xpcom/string/nsTSubstring.cpp:226:5
    #3 0x7f879f2ec515 in nsTSubstring<char16_t>::Assign(char16_t const*, unsigned int, std::nothrow_t const&) /gecko/xpcom/string/nsTSubstring.cpp:408:12
    #4 0x7f879f2d33f7 in nsTSubstring<char16_t>::Assign(char16_t const*, unsigned int) /gecko/xpcom/string/nsTSubstring.cpp:380:7
    #5 0x7f87a29488bc in mozilla::dom::Element::GetAttr(int, nsAtom const*, nsTSubstring<char16_t>&) const /gecko/dom/base/Element.cpp:2702:7
    #6 0x7f87aa08194b in mozilla::a11y::RelatedAccIterator::RelatedAccIterator(mozilla::a11y::DocAccessible*, nsIContent*, nsAtom*) /gecko/accessible/base/AccIterator.cpp:76:39
    #7 0x7f87aa081ec8 in mozilla::a11y::HTMLLabelIterator::HTMLLabelIterator(mozilla::a11y::DocAccessible*, mozilla::a11y::LocalAccessible const*, mozilla::a11y::HTMLLabelIterator::LabelFilter) /gecko/accessible/base/AccIterator.cpp:113:7
    #8 0x7f87aa0dfc61 in mozilla::a11y::LocalAccessible::NativeName(nsTString<char16_t>&) const /gecko/accessible/generic/LocalAccessible.cpp:2032:23
    #9 0x7f87aa109319 in mozilla::a11y::HyperTextAccessible::NativeName(nsTString<char16_t>&) const /gecko/accessible/generic/HyperTextAccessible.cpp:2105:45
    #10 0x7f87aa0e74f3 in mozilla::a11y::LocalAccessible::Name(nsTString<char16_t>&) const /gecko/accessible/generic/LocalAccessible.cpp:134:29
    #11 0x7f87aa0cd9fd in nsTextEquivUtils::AppendFromAccessible(mozilla::a11y::LocalAccessible*, nsTSubstring<char16_t>*) /gecko/accessible/base/nsTextEquivUtils.cpp:196:20
    #12 0x7f87aa0cdae4 in AppendFromAccessibleChildren /gecko/accessible/base/nsTextEquivUtils.cpp:175:10
    #13 0x7f87aa0cdae4 in nsTextEquivUtils::AppendFromAccessible(mozilla::a11y::LocalAccessible*, nsTSubstring<char16_t>*) /gecko/accessible/base/nsTextEquivUtils.cpp:211:12
    #14 0x7f87aa0cdae4 in AppendFromAccessibleChildren /gecko/accessible/base/nsTextEquivUtils.cpp:175:10
    #15 0x7f87aa0cdae4 in nsTextEquivUtils::AppendFromAccessible(mozilla::a11y::LocalAccessible*, nsTSubstring<char16_t>*) /gecko/accessible/base/nsTextEquivUtils.cpp:211:12
    #16 0x7f87aa0cdae4 in AppendFromAccessibleChildren /gecko/accessible/base/nsTextEquivUtils.cpp:175:10
    #17 0x7f87aa0cdae4 in nsTextEquivUtils::AppendFromAccessible(mozilla::a11y::LocalAccessible*, nsTSubstring<char16_t>*) /gecko/accessible/base/nsTextEquivUtils.cpp:211:12
    #18 0x7f87aa0cdae4 in AppendFromAccessibleChildren /gecko/accessible/base/nsTextEquivUtils.cpp:175:10
    ...
Flags: in-testsuite?
Severity: -- → S2
Priority: -- → P2

The attached test case no longer reproduces the issue. This was last seen by fuzzers running m-c 20211007-796cb80eb626.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME