Bug 1809375 (Open) - Infinite recursion in nsStyledElement::BindToTree
Opened 2 years ago, updated 4 months ago
Categories: Core :: DOM: Core & HTML, defect
Tracking: NEW
People: Reporter: eternalsakuraalpha, Unassigned
Keywords: reporter-external; Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments (1 file): 41.76 KB, text/plain
===============
FIREFOX VERSION:
author Ben Hearsum <bhearsum@mozilla.com>
Mon, 09 Jan 2023 18:01:10 +0000 (10 hours ago)
changeset 648462 329b80a0d03371363bd785a9a26cbda7433dd20a
parent 648461 702085eca7a199d7b5ef1c44006b621b85dcccb6
push id 40538
push user mlaza@mozilla.com
push date Mon, 09 Jan 2023 21:21:01 +0000 (7 hours ago)
treeherder mozilla-central@329b80a0d033 [default view] [failures only]
perfherder [talos] [build metrics] [platform microbench] (compared to previous push)
reviewers mkaply
bugs 1807926
milestone 110.0a1
===============
OS: Linux
===============
STEPS TO REPRODUCE:
- run
fuzzfetch -a -n firefox-asan
or
fuzzfetch --build 329b80a0d03371363bd785a9a26cbda7433dd20a --asan
to download latest firefox.
- simply run
firefox poc.html
to trigger AddressSanitizer abort.
POC
<html>
<script>
// Recurses until the JS engine throws a RangeError (JS stack exhausted),
// swallows the error at every level, and links each partial result into
// its parent, so the returned <tr> carries a child chain roughly as deep
// as the JS call stack allowed.
function func() {
  var tr = document.createElement("tr");
  try {
    var child = func();
    // Each appendChild rebinds the child's whole subtree under its new
    // parent (the native BindToTree walk named in the bug title); the
    // outermost call appends the deepest subtree last.
    tr.appendChild(child);
  } catch (e) {}
  return tr;
}
func();
</script>
</html>
===============
AddressSanitizer Log
See attachment below.
Flags: sec-bounty?
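The recursion pattern of the POC, modelled on plain objects in Node so it runs without a DOM. This is an added example written for this page, not the reporter's code and not Firefox code; MAX_ALLOWED_DEPTH is a constructed policy value. It shows that swallowing the engine's RangeError does not leave an empty result but a chain about as deep as the call-stack limit, and pairs that with an explicitly capped builder and an iterative depth check that a consumer can apply before handing a subtree to code that walks it recursively.

```javascript
// Added example (not from the bug report): the POC's recursion pattern on
// plain objects, plus the bounded alternatives a defender would reach for.

// Same shape as the POC's func(): recurse until the engine throws
// RangeError, swallow it, and hand the partial chain back up. Every level
// that did not overflow still links its child, so the swallowed error
// leaves a chain about as deep as the engine's call-stack limit.
function buildUnbounded() {
  const node = { tag: "tr", children: [] };
  try {
    const child = buildUnbounded();
    node.children.push(child);
  } catch (e) {
    // RangeError: Maximum call stack size exceeded. Swallowed, as in the POC.
  }
  return node;
}

// Defensive counterpart: build the chain iteratively with an explicit cap,
// so nesting depth is a deliberate parameter rather than a side effect of
// whatever stack the engine happened to have. Returns a chain of exactly
// maxDepth nodes (root included).
function buildBounded(maxDepth) {
  const root = { tag: "tr", children: [] };
  let cur = root;
  for (let i = 1; i < maxDepth; i++) {
    const child = { tag: "tr", children: [] };
    cur.children.push(child);
    cur = child;
  }
  return root;
}

// Measure nesting depth without recursion, so measuring a pathological
// tree cannot itself overflow the stack. Returns the number of nodes on
// the longest root-to-leaf path.
function depthOf(root) {
  let depth = 0;
  const stack = [[root, 1]];
  while (stack.length) {
    const [node, d] = stack.pop();
    if (d > depth) depth = d;
    for (const c of node.children) stack.push([c, d + 1]);
  }
  return depth;
}

// Guard a consumer would apply before passing a subtree to code that walks
// it recursively (the analogue of the native BindToTree walk): reject trees
// deeper than a policy limit instead of relying on try/catch to save you.
const MAX_ALLOWED_DEPTH = 512; // constructed policy value, not from the page

function acceptSubtree(root) {
  return depthOf(root) <= MAX_ALLOWED_DEPTH;
}

// Stand-alone demo when run directly under Node (CommonJS).
if (typeof require !== "undefined" && require.main === module) {
  const deep = buildUnbounded();
  console.log("unbounded chain depth:", depthOf(deep));
  console.log("accepted:", acceptSubtree(deep));
  console.log("bounded(256) accepted:", acceptSubtree(buildBounded(256)));
}
```

depthOf is iterative on purpose: a recursive measurement of a pathological tree would overflow in the same way the tree's construction did, which is exactly the failure mode the bug title describes.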
Updated•2 years ago
Attachment #9311502 - Attachment mime type: text/x-log → text/plain
Updated•2 years ago
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core
Comment 1•2 years ago
This isn't a security issue. The test case just causes some kind of infinite recursion. In a regular browser build, it just kind of sits there, using up 100% CPU. Maybe in an ASan build it runs out of stack faster because the stack frames are bigger.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Trigger AddressSanitizer stack-overflow on firefox → Infinite recursion in nsStyledElement::BindToTree
Updated•2 years ago
Group: dom-core-security
Comment 2•2 years ago
The severity field is not set for this bug.
:hsivonen, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(hsivonen)
Comment 3•2 years ago
I only saw a couple of crashes in the last week on crash-stats that even had nsStyledElement::BindToTree in the proto stack, so I don't think this is a common issue for users.
Severity: -- → S3
Flags: needinfo?(hsivonen)
Updated•1 year ago
Flags: sec-bounty? → sec-bounty-
Updated•4 months ago
Keywords: reporter-external