Closed Bug 1864426 Opened 8 months ago Closed 7 months ago

==144037==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcb437cf18 (pc 0x55636770f4f7 bp 0x7ffcb437d750 sp 0x7ffcb437cf20 T0)

Categories: Core :: SVG, defect
Status: RESOLVED DUPLICATE of bug 1864396
People: Reporter: 1319794503, Unassigned
Keywords: reporter-external
Whiteboard: [reporter-external] [client-bounty-form] [verif?]

I found this issue with our fuzzer. It can be reproduced with the following steps:

  1. prepare the newest 121.0a1 Firefox Nightly (download link: https://www.mozilla.org/en-US/firefox/121.0a1/releasenotes/) or a self-built Firefox with release_asan.
  2. download the minimized testcase I uploaded in the committed issue.
  3. open the testcase with Nightly Firefox; the browser will crash.

backtrace info:
__asan_memset
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)
nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()
mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)
mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const
mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)
mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)
mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)
[the 11 frames above, GetBBoxContribution through GetNonScalingStrokeTransform, occur 22 times back-to-back in the original report and are shown once here; each GetNonScalingStrokeTransform frame is followed by another GetBBoxContribution frame]
mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)
mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int, mozilla::gfx::BaseMatrix<double> const*)
__asan_memset

Flags: sec-bounty?

We typically don't treat stack overflows as security issues, because crashing a content process like this doesn't do much, but I'll leave it hidden for now for people more familiar with SVG to take a look.

Group: firefox-core-security → layout-core-security
Component: Security → SVG
Product: Firefox → Core

The testcase seems to be missing.

Is this a duplicate of bug 1864396 - a testcase would confirm that.

Please attach your test case to this. Thanks.

Flags: needinfo?(1319794503)

(In reply to Robert Longson [:longsonr] from comment #2)

> The testcase seems to be missing.

The reporter said "download the minimized testcase I uploaded in the committed issue." -- and they set the URL field to https://bugzilla.mozilla.org/show_bug.cgi?id=1864396 i.e. bug 1864396. So I think they're saying that's where the testcase lives.

> Is this a duplicate of bug 1864396 - a testcase would confirm that.

I think so (that's the bug that the reporter linked to share the testcase for). I'm guessing the reporter just noticed that ASAN builds fail with a different error message ("AddressSanitizer: stack-overflow") and thought it was a different sort of bug. But in fact it's just ASAN reporting the same issue as described in bug 1864396.

Status: UNCONFIRMED → RESOLVED
Closed: 7 months ago
Duplicate of bug: 1864396
Flags: needinfo?(1319794503)
Resolution: --- → DUPLICATE
Group: layout-core-security

(note that "AddressSanitizer: stack-overflow" sounds like a security-sensitive thing, but I believe this is just "stack exhaustion", i.e. running out of stack space, due to infinite-recursion or similar, and aborting.)

Yeah, stack-buffer-overflow is the bad one.

Flags: sec-bounty? → sec-bounty-
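A triage helper for the distinction drawn in the last two comments, added here as an example; it is not part of the bug report and not Firefox code. It parses an ASan report's header and frame lines and, for a "stack-overflow" report, looks for a frame cycle that repeats back-to-back, which is the signature of stack exhaustion by unbounded recursion, as opposed to a "stack-buffer-overflow", which is a real out-of-bounds access. The sample report inside the block is constructed: it reuses the frame symbols quoted above in ASan's own "#N 0xADDR in SYMBOL FILE:LINE:COL" layout, with made-up addresses and file names and 5 repetitions of the cycle instead of the 22 in the real trace.

```python
"""Triage an AddressSanitizer report from its header line and stack frames.

Example code added to this bug thread, not Firefox code and not part of the
report. ASan says 'stack-overflow' when the stack is exhausted (typically
unbounded recursion) and 'stack-buffer-overflow' when an access runs past a
stack object; only the second is a memory-safety bug. The sample report is
constructed: the frame symbols quoted in the bug in ASan's own
'#N 0xADDR in SYMBOL FILE:LINE:COL' layout, made-up addresses and file
names, and 5 repetitions of the recursion cycle instead of the real 22.
"""
import re

HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address")
# '#12 0x55636770f4f7 in SYMBOL /path/file.cpp:26:3'; the location is optional
# and the symbol may contain spaces and '::' (C++ signatures, thunks).
FRAME_RE = re.compile(
    r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(?P<sym>.+?)(?:\s+\S+:\d+)?\s*$")


def parse_report(text):
    """Return (error kind, frame symbols innermost-first) from ASan output."""
    kind, frames = None, []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            kind = m.group("kind")
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(m.group("sym"))
    return kind, frames


def find_cycle(frames, min_repeats=3):
    """Run of frames that repeats back-to-back at least min_repeats times and
    covers the most frames; ties go to the shorter run, so 'ABABAB' is
    reported as AB x3, not ABAB. Returns (cycle, repeats, start) or None."""
    n, best = len(frames), None
    for length in range(1, n // min_repeats + 1):
        for start in range(n - length * min_repeats + 1):
            unit = frames[start:start + length]
            reps = 1
            while frames[start + reps * length:start + (reps + 1) * length] == unit:
                reps += 1
            if reps >= min_repeats and (
                    best is None or reps * length > best[1] * len(best[0])):
                best = (unit, reps, start)
    return best


def triage(text):
    """Classify one ASan report; 'verdict' is what a triager reads first."""
    kind, frames = parse_report(text)
    result = {"kind": kind, "frames": len(frames), "cycle": None, "repeats": 0}
    if kind == "stack-buffer-overflow":
        result["verdict"] = "memory-safety: out-of-bounds access on a stack object"
    elif kind == "stack-overflow":
        found = find_cycle(frames)
        if found:
            result["cycle"], result["repeats"] = found[0], found[1]
            result["verdict"] = "stack exhaustion: unbounded recursion"
        else:
            result["verdict"] = "stack exhaustion without a visible cycle: check frame sizes"
    else:
        result["verdict"] = f"other sanitizer report: {kind}"
    return result


# Constructed sample: the 11-frame recursion cycle quoted in the bug.
CYCLE = [
    "mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)",
    "non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int)",
    "mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int, mozilla::gfx::BaseMatrix<double> const*)",
    "nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox)",
    "nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached()",
    "mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float)",
    "mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*)",
    "mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const",
    "mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)",
    "mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool)",
    "mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>)",
]


def build_sample(repeats=5):
    """ASan-style report text with made-up addresses and file names."""
    syms = ["__asan_memset"] + CYCLE * repeats + CYCLE[:3]
    lines = ["==1234==ERROR: AddressSanitizer: stack-overflow on address "
             "0x7ffc00000ff8 (pc 0x1000 bp 0x7ffc00001000 sp 0x7ffc00000ff8 T0)"]
    lines += [f"    #{i} 0x{0x1000 + i:x} in {s} layout.cpp:{i + 1}:1"
              for i, s in enumerate(syms)]
    return "\n".join(lines)


if __name__ == "__main__":
    r = triage(build_sample())
    print(r["verdict"], "-", len(r["cycle"]), "frames x", r["repeats"])
```

On the constructed sample this reports stack exhaustion with an 11-frame cycle repeated 5 times; feeding it a report whose header says stack-buffer-overflow instead yields the memory-safety verdict regardless of the frames, which is the point of the last two comments.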