Closed Bug 1700038 Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-use-after-free gfx/thebes/gfxTextRun.h:913:1 in operator|= when in responsive design mode

Categories

(Core :: Graphics: Text, task)


VERIFIED DUPLICATE of bug 1699835

People

(Reporter: sourc7, Unassigned)

Details

(Keywords: csectype-uaf, reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

Attached file testcase.html

In a Firefox ASan build, when in responsive design mode, the tab crashes after the page reloads itself, with SUMMARY: heap-use-after-free gfx/thebes/gfxTextRun.h:913:1 in operator|=

Affected version:

  • Firefox ASan Nightly 88.0a1 (2021-03-21) (64-bit)
  • Firefox ASan ESR 78.9.0esr (64-bit)

Steps to reproduce:

  1. Open Firefox ASan Nightly or ASan ESR
  2. Visit attached testcase.html
  3. Toggle responsive design mode (ctrl+shift+m)
  4. The tab crashes after the page reloads itself

AddressSanitizer output:

=================================================================
==1868165==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000670610 at pc 0x7f0f3b9fc246 bp 0x7ffd3478f8b0 sp 0x7ffd3478f8a8
READ of size 1 at 0x606000670610 thread T0 (file:// Content)
    #0 0x7f0f3b9fc245 in operator|= /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.h:913:1
    #1 0x7f0f3b9fc245 in void gfxFontGroup::InitScriptRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, unsigned int, mozilla::unicode::Script, gfxMissingFontRecorder*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2832:48
    #2 0x7f0f3b9ccf4a in void gfxFontGroup::InitTextRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, gfxMissingFontRecorder*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2621:9
    #3 0x7f0f3b9cc416 in gfxFontGroup::MakeTextRun(char16_t const*, unsigned int, gfxTextRunFactory::Parameters const*, mozilla::gfx::ShapedTextFlags, nsTextFrameUtils::Flags, gfxMissingFontRecorder*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2493:3
    #4 0x7f0f3dd84fd7 in MakeTextRun<char16_t> /builds/worker/workspace/obj-build/dist/include/gfxTextRun.h:1003:12
    #5 0x7f0f3dd84fd7 in mozilla::dom::CanvasBidiProcessor::SetText(char16_t const*, int, nsBidiDirection) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:3527:26
    #6 0x7f0f4089bcdd in nsBidiPresUtils::ProcessText(char16_t const*, int, unsigned char, nsPresContext*, nsBidiPresUtils::BidiProcessor&, nsBidiPresUtils::Mode, nsBidiPositionResolve*, int, int*, nsBidi*) /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2229:18
    #7 0x7f0f3dcba14f in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:3881:12
    #8 0x7f0f3ce55101 in mozilla::dom::CanvasRenderingContext2D_Binding::strokeText(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/CanvasRenderingContext2DBinding.cpp:6516:24
    #9 0x7f0f3db80f3e in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3238:13
    #10 0x7f0f43d2e0b0 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
    #11 0x7f0f43d2e0b0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:520:12
    #12 0x7f0f43d2fee9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #13 0x7f0f43d19132 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:10
    #14 0x7f0f43d19132 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3244:16
    #15 0x7f0f43cfce43 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
    #16 0x7f0f43d2e1ea in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:552:13
    #17 0x7f0f43d2fee9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
    #18 0x7f0f43d3016b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:8
    #19 0x7f0f4457fe62 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2856:10
    #20 0x7f0f3d7caa1c in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:279:37
    #21 0x7f0f3e33dfc1 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
    #22 0x7f0f3e33c34c in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
    #23 0x7f0f3e306006 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1114:22
    #24 0x7f0f3e307697 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1305:17
    #25 0x7f0f3e2f4c5e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354:17
    #26 0x7f0f3e2f34d0 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:556:16
    #27 0x7f0f3e2f7751 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099:11
    #28 0x7f0f3e2fcfa9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #29 0x7f0f3bfd7b00 in mozilla::dom::Document::DispatchPageTransition(mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, bool, bool, bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11146:3
    #30 0x7f0f3bfd8c40 in mozilla::dom::Document::OnPageHide(bool, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11302:7
    #31 0x7f0f408e7314 in nsDocumentViewer::PageHide(bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1400:14
    #32 0x7f0f4303bf30 in nsDocShell::FirePageHideNotificationInternal(bool, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:1150:20
    #33 0x7f0f4302c570 in FirePageHideNotification /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:1134:3
    #34 0x7f0f4302c570 in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:7922:3
    #35 0x7f0f4302b4e4 in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/checkouts/gecko/docshell/base/nsDSURIContentListener.cpp:178:20
    #36 0x7f0f3aea50ff in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:597:18
    #37 0x7f0f3aea2890 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:276:9
    #38 0x7f0f3aea17b3 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:154:8
    #39 0x7f0f3951c27d in nsBaseChannel::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/netwerk/base/nsBaseChannel.cpp:833:23
    #40 0x7f0f3955f17e in nsInputStreamPump::OnStateStart() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:481:21
    #41 0x7f0f3955e8ad in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:390:21
    #42 0x7f0f392106a6 in nsInputStreamReadyEvent::Run() /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:94:20
    #43 0x7f0f392905a6 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:472:16
    #44 0x7f0f3928d173 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:760:26
    #45 0x7f0f3928b047 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:611:15
    #46 0x7f0f3928b49d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:395:36
    #47 0x7f0f392978d1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:133:37
    #48 0x7f0f392978d1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #49 0x7f0f392b2d64 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
    #50 0x7f0f392bd4bc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #51 0x7f0f3a3ba2ba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #52 0x7f0f3a2e4801 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #53 0x7f0f3a2e4801 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #54 0x7f0f3a2e4801 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #55 0x7f0f402f53d7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #56 0x7f0f43b02ccf in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
    #57 0x7f0f3a2e4801 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #58 0x7f0f3a2e4801 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #59 0x7f0f3a2e4801 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #60 0x7f0f43b0245c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #61 0x556fc294b08d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #62 0x556fc294b4b1 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #63 0x7f0f5557db24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #64 0x556fc289ea4c in _start (/tmp/m-c-20210321213736-asan-opt/firefox+0x55a4c)

0x606000670610 is located 48 bytes inside of 56-byte region [0x6060006705e0,0x606000670618)
freed by thread T0 (file:// Content) here:
    #0 0x556fc291864d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x7f0f40960871 in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
    #2 0x7f0f40960871 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:463:5
    #3 0x7f0f40960871 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:305:7
    #4 0x7f0f40960871 in ~UniquePtr /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:253:18
    #5 0x7f0f40960871 in nsPresContext::~nsPresContext() /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:307:1
    #6 0x7f0f40977b97 in ~nsRootPresContext /builds/worker/checkouts/gecko/layout/base/nsPresContext.h:1361:7
    #7 0x7f0f40977b97 in nsRootPresContext::~nsRootPresContext() /builds/worker/checkouts/gecko/layout/base/nsPresContext.h:1361:7
    #8 0x7f0f39115275 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2459:9
    #9 0x7f0f390f67b6 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:943:23
    #10 0x7f0f390f7082 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2627:14
    #11 0x7f0f3acc44c0 in AsyncFreeSnowWhite::Run() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSRuntime.cpp:146:9
    #12 0x7f0f392cf44a in IdleRunnableWrapper::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:364:22
    #13 0x7f0f392905a6 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:472:16
    #14 0x7f0f3928d173 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:760:26
    #15 0x7f0f3928b1dd in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:634:15
    #16 0x7f0f3928b49d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:395:36
    #17 0x7f0f392978d1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:133:37
    #18 0x7f0f392978d1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #19 0x7f0f392b2d64 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
    #20 0x7f0f392bd4bc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #21 0x7f0f3a3ba2ba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #22 0x7f0f3a2e4801 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #23 0x7f0f3a2e4801 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #24 0x7f0f3a2e4801 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #25 0x7f0f402f53d7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #26 0x7f0f43b02ccf in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
    #27 0x7f0f3a2e4801 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #28 0x7f0f3a2e4801 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #29 0x7f0f3a2e4801 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #30 0x7f0f43b0245c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #31 0x556fc294b08d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #32 0x556fc294b4b1 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #33 0x7f0f5557db24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

previously allocated by thread T0 (file:// Content) here:
    #0 0x556fc29188cd in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x556fc29525bd in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f0f409600cf in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f0f409600cf in MakeUnique<FontMatchingStats> /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:609:23
    #4 0x7f0f409600cf in nsPresContext::nsPresContext(mozilla::dom::Document*, nsPresContext::nsPresContextType) /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:254:16
    #5 0x7f0f409711bd in nsRootPresContext::nsRootPresContext(mozilla::dom::Document*, nsPresContext::nsPresContextType) /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:2674:7
    #6 0x7f0f408e09cf in CreatePresContext /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:806:14
    #7 0x7f0f408e09cf in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::dom::WindowGlobalChild*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:848:24
    #8 0x7f0f408e06da in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:700:10
    #9 0x7f0f43067866 in nsDocShell::SetupNewViewer(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8283:7
    #10 0x7f0f430668fc in nsDocShell::Embed(nsIContentViewer*, mozilla::dom::WindowGlobalChild*, bool, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5794:17
    #11 0x7f0f4302d70b in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8095:3
    #12 0x7f0f4302b4e4 in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/checkouts/gecko/docshell/base/nsDSURIContentListener.cpp:178:20
    #13 0x7f0f3aea50ff in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:597:18
    #14 0x7f0f3aea2890 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:276:9
    #15 0x7f0f3aea17b3 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:154:8
    #16 0x7f0f3951c27d in nsBaseChannel::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/netwerk/base/nsBaseChannel.cpp:833:23
    #17 0x7f0f3955f17e in nsInputStreamPump::OnStateStart() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:481:21
    #18 0x7f0f3955e8ad in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:390:21
    #19 0x7f0f392106a6 in nsInputStreamReadyEvent::Run() /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:94:20
    #20 0x7f0f392905a6 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:472:16
    #21 0x7f0f3928d173 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:760:26
    #22 0x7f0f3928b047 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:611:15
    #23 0x7f0f3928b49d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:395:36
    #24 0x7f0f392978d1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:133:37
    #25 0x7f0f392978d1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #26 0x7f0f392b2d64 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
    #27 0x7f0f392bd4bc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #28 0x7f0f3a3ba2ba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #29 0x7f0f3a2e4801 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #30 0x7f0f3a2e4801 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #31 0x7f0f3a2e4801 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #32 0x7f0f402f53d7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #33 0x7f0f43b02ccf in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
    #34 0x7f0f3a2e4801 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #35 0x7f0f3a2e4801 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #36 0x7f0f3a2e4801 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #37 0x7f0f43b0245c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.h:913:1 in operator|=
Shadow bytes around the buggy address:
  0x0c0c800c6070: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c800c6080: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c800c6090: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c800c60a0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c800c60b0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
=>0x0c0c800c60c0: fd fd[fd]fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c800c60d0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c800c60e0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c800c60f0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c800c6100: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c800c6110: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1868165==ABORTING
Flags: sec-bounty?
Attached file asan.txt
Group: firefox-core-security → core-security
Component: Security → Graphics
Product: Firefox → Core
Flags: needinfo?(jmathies)
Group: core-security → gfx-core-security
Component: Graphics → Graphics: Text
Keywords: csectype-uaf
See Also: → CVE-2021-23995

Hopefully Jonathan can figure out if this is a dupe of 1699835 or not. Thanks!

Flags: needinfo?(jmathies) → needinfo?(jfkthame)

This is the same issue as bug 1699835: use of a stale cached fontgroup in a canvas text operation, triggered by the context reconstruction that happens on toggling responsive design mode.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jfkthame)
Resolution: --- → DUPLICATE
See Also: CVE-2021-23995
Flags: sec-bounty? → sec-bounty-
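The bug class named in comment #3, modelled as an added example (this is illustrative code written for this page, not Gecko code and not the fix that landed on bug 1699835). The ASan report shows the freed 56-byte object being allocated in nsPresContext's constructor via MakeUnique<FontMatchingStats> and freed in its destructor, while the crashing read is an operator|= on it reached from a cached gfxFontGroup during a canvas strokeText. The stand-in types below (MatchStats, PresContext, NaiveFontGroup, CheckedFontGroup, Canvas2D) and their members are hypothetical: the naive cache keeps a raw pointer into the context, so rebuilding the context leaves it dangling; the checked cache records the context generation it was built for and is discarded and rebuilt before anything it points to is touched.

```cpp
#include <cstdint>
#include <memory>

// Hypothetical stand-in for FontMatchingStats: the per-context object the
// ASan report shows being allocated in nsPresContext's constructor and freed
// in its destructor. The crashing frame is an operator|= on flags like these.
struct MatchStats {
    uint32_t flags = 0;
};

// Hypothetical stand-in for nsPresContext: owns the stats through a unique_ptr
// and carries a generation number that changes whenever the context is rebuilt.
struct PresContext {
    std::unique_ptr<MatchStats> stats = std::make_unique<MatchStats>();
    uint64_t generation;
    explicit PresContext(uint64_t g) : generation(g) {}
};

// Vulnerable cache entry: a raw pointer with no record of which context it
// belongs to. Once the owning PresContext dies, `stats` dangles.
struct NaiveFontGroup {
    MatchStats* stats;
    explicit NaiveFontGroup(PresContext& pc) : stats(pc.stats.get()) {}
};

// Hardened cache entry: remembers the generation it was built for so the
// caller can refuse to use it after the context has been replaced.
struct CheckedFontGroup {
    MatchStats* stats;
    uint64_t builtFor;
    explicit CheckedFontGroup(PresContext& pc)
        : stats(pc.stats.get()), builtFor(pc.generation) {}
    bool isStale(const PresContext& pc) const { return builtFor != pc.generation; }
};

// Hypothetical stand-in for the canvas 2D context that caches its font group.
class Canvas2D {
  public:
    Canvas2D() : pc_(std::make_unique<PresContext>(1)) {}

    // Models the context reconstruction that toggling responsive design mode
    // triggers. The new PresContext is fully built before the assignment
    // frees the old one, so the old and new MatchStats never share an address.
    void rebuildContext() {
        pc_ = std::make_unique<PresContext>(pc_->generation + 1);
    }

    uint64_t contextGeneration() const { return pc_->generation; }

    // Fill the vulnerable cache from the current context.
    void populateNaiveCache() { naive_ = std::make_unique<NaiveFontGroup>(*pc_); }

    // True when the naive cache now points at memory that has been freed.
    // Only pointer values are compared; nothing is dereferenced, so this is
    // a check for the stale state, not a reproduction of the crash.
    bool naiveCacheDangles() const {
        if (!naive_) return false;
        return reinterpret_cast<uintptr_t>(naive_->stats) !=
               reinterpret_cast<uintptr_t>(pc_->stats.get());
    }

    // Hardened text operation: validate the cached font group against the
    // live context before touching anything it points to. Returns the flags
    // now recorded on the live context's stats.
    uint32_t strokeTextChecked(uint32_t flag) {
        if (!checked_ || checked_->isStale(*pc_)) {
            checked_ = std::make_unique<CheckedFontGroup>(*pc_);
            ++cacheRebuilds_;
        }
        checked_->stats->flags |= flag;  // safe: the pointee is known to be live
        return pc_->stats->flags;
    }

    unsigned cacheRebuilds() const { return cacheRebuilds_; }

  private:
    std::unique_ptr<PresContext> pc_;
    std::unique_ptr<NaiveFontGroup> naive_;
    std::unique_ptr<CheckedFontGroup> checked_;
    unsigned cacheRebuilds_ = 0;
};
```

The generation check is one of several ways to tie a cached object to the lifetime of what it points into; a weak reference or an explicit invalidation hook on context teardown achieves the same thing. What matters for this bug class is that the cache carries enough information to detect that its owner has been replaced, and that the check runs before the first dereference.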

(In reply to Jonathan Kew (:jfkthame) from comment #3)

> This is the same issue as bug 1699835: use of a stale cached fontgroup in a canvas text operation, triggered by the context reconstruction that happens on toggling responsive design mode.
>
> *** This bug has been marked as a duplicate of bug 1699835 ***

Thank you for the explanation, I confirm this has been fixed by the patch on bug 1699835.

Status: RESOLVED → VERIFIED
Group: gfx-core-security