Closed Bug 1866663 Opened 10 months ago Closed 10 months ago

stack-overflow in SVG layout

Categories: Core :: SVG, defect

Tracking: RESOLVED DUPLICATE of bug 1864396

People: Reporter: wh0tlif3, Unassigned

Details: 4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?]

Attachments: 2 files

Attached file poc.html

Hi, I can trigger the bug in an ASan build; directly open the poc.

Part of the ASan info:

==4015036==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe2e4adf98 (pc 0x5591d6581497 bp 0x7ffe2e4ae7d0 sp 0x7ffe2e4adfa0 T0)
#0 0x5591d6581497 in __asan_memset asan_rtl:3
#1 0x7fc168911476 in BaseMatrix /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Matrix.h:53:37
#2 0x7fc168911476 in mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int, mozilla::gfx::BaseMatrix<double> const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:893:13
#3 0x7fc168293d00 in nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9618:11
#4 0x7fc1680304bf in GetSVGBox /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.cpp:89:26
#5 0x7fc1680304bf in nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached() /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.cpp:115:12
#6 0x7fc168b60ff4 in X /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.h:96:5
#7 0x7fc168b60ff4 in GetDeltaToTransformOrigin /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6075:46
#8 0x7fc168b60ff4 in mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6161:11
#9 0x7fc1689172ae in mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1523:48
#10 0x7fc165e70809 in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:479:13
#11 0x7fc165e3c04c in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:496:22
#12 0x7fc165e3bf07 in mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:569:10
#13 0x7fc168919594 in mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1085:35
#14 0x7fc168884a4b in mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int) /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp:383:7
#15 0x7fc168888801 in non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int) /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp:0:0
#16 0x7fc1689117ba in mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int, mozilla::gfx::BaseMatrix<double> const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:910:12
#17 0x7fc168293d00 in nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9618:11
#18 0x7fc1680304bf in GetSVGBox /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.cpp:89:26
#19 0x7fc1680304bf in nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached() /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.cpp:115:12
#20 0x7fc168b60ff4 in X /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.h:96:5
#21 0x7fc168b60ff4 in GetDeltaToTransformOrigin /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6075:46
#22 0x7fc168b60ff4 in mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6161:11
#23 0x7fc1689172ae in mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1523:48
#24 0x7fc165e70809 in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:479:13
#25 0x7fc165e3c04c in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:496:22
#26 0x7fc165e3bf07 in mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:569:10
#27 0x7fc168919594 in mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1085:35
#28 0x7fc168884a4b in mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int) /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp:383:7

Flags: sec-bounty?
Attached file asan.txt

I have not confirmed this, rating is based on the evidence presented.

Group: firefox-core-security → core-security
Component: Security → SVG
Product: Firefox → Core

I do get an opt build crash so confirming the bug to that extent: bp-7038f164-eec2-4190-b211-3b4690231126

Group: core-security → layout-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash

Mini poc:

<html>
<head>
<style>

#htmlvar00005, #htmlvar00007, line { border-spacing: 0px; mso-pagination: widow-orphan; -webkit-border-start-color: white; align-content: space-evenly; stroke: currentcolor; mso-font-charset: 8; text-overflow: clip clip; border-bottom-color: currentcolor; hyphenate-limit-lines: no-limit; -webkit-min-logical-height: 0px; animation-name: none, none; transform: translate3d(1, 0px, 8px); -webkit-border-end: -1px dashed black; border-collapse: separate; transform-box: border-box; scroll-snap-align: end; -webkit-margin-before-collapse: collapse; container-type: size; -webkit-order: ""; text-decoration-trim: 0px 1px }
</style>


</head>
<body> 

<svg id="svgvar00001" viewBox="69 12 0 1" width="0.8627159553451066" contentStyleType="text/css" externalResourcesRequired="true" y="0in" requiredFeatures="x" min="media" pointsAtZ="0" edgeMode="duplicate" style="scrollbar-color:  white; scroll-timeline-axis: inline; voice-rate: normal; -webkit-column-rule-color: black; backface-visibility: visible">

<line id="svgvar00003" x1="1px" y1="2" x2="0" y2="0.6410206073074981" vector-effect="non-scaling-stroke" transform="translate(1,0) scale(1) scale(0.6556504328855888, 0.5407718561091608) translate(0, 0)" stroke-linecap="round" visibility="hidden" pointer-events="painted" numOctaves="1" font-variant="small-caps" contentStyleType="text/css" mathematical="1" onmouseover="eventhandler3()" />
</svg>
</body>
</html>
Status: NEW → RESOLVED
Closed: 10 months ago
Duplicate of bug: 1864396
Resolution: --- → DUPLICATE

Stack overflow is sec-high? Interesting.

Are you sure that this bug (and its duplicate) are security bugs at all? They just seem like stack overflows; sure, it's irritating that your tab crashes, but it's not exploitable, is it?

Flags: needinfo?(dveditz)

(In reply to Daniel Veditz [:dveditz] from comment #2)

> I have not confirmed this, rating is based on the evidence presented.

Yeah I agree it's probably not sec-high.

(In reply to Robert Longson [:longsonr] from comment #7)

> Are you sure that this bug (and its duplicate) are security bugs at all. They just seem like stack overflows

You're right -- I misread the ASAN output as "stack BUFFER overflow". Over-recursion is just a DoS and doesn't need to be hidden.

"crashing_thread": { "frame_count": 48346

I clearly didn't pay close enough attention to the opt crash I got!

Group: layout-core-security
Flags: needinfo?(dveditz)
Flags: sec-bounty? → sec-bounty-
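The triage step the thread ends on (is this ASan "stack-overflow" unbounded recursion, or a memory-safety "stack-buffer-overflow"?) can be automated. The script below is an added example, not part of this bug or of Firefox: it reads the ASan error kind and looks for a repeating cycle of frames in the stack. The embedded reports are constructed, abbreviated versions of the attached trace with a shorter recursion cycle.

```python
import re
# Constructed excerpts modelled on the ASan output attached to this bug
# (paths shortened, a smaller recursion cycle); not the real attachment.
RECURSION_REPORT = """\
==4015036==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe2e4adf98 (pc 0x5591d6581497 bp 0x7ffe2e4ae7d0 sp 0x7ffe2e4adfa0 T0)
    #0 0x5591d6581497 in __asan_memset asan_rtl:3
    #1 0x7fc168911476 in BaseMatrix Matrix.h:53:37
    #2 0x7fc168911476 in mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int) SVGUtils.cpp:893:13
    #3 0x7fc168293d00 in nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*) nsLayoutUtils.cpp:9618:11
    #4 0x7fc168919594 in mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*) SVGUtils.cpp:1085:35
    #5 0x7fc168884a4b in mozilla::SVGGeometryFrame::GetBBoxContribution(unsigned int) SVGGeometryFrame.cpp:383:7
    #6 0x7fc1689117ba in mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int) SVGUtils.cpp:910:12
    #7 0x7fc168293d00 in nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*) nsLayoutUtils.cpp:9618:11
    #8 0x7fc168919594 in mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*) SVGUtils.cpp:1085:35
    #9 0x7fc168884a4b in mozilla::SVGGeometryFrame::GetBBoxContribution(unsigned int) SVGGeometryFrame.cpp:383:7
"""
BUFFER_REPORT = """\
==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd00000010 (pc 0x400b4d bp 0x7ffd00000000 sp 0x7ffcfffffff0 T0)
    #0 0x400b4d in copy_name example.c:12:5
    #1 0x400c10 in main example.c:20:3
"""

ERROR_RE = re.compile(r"AddressSanitizer: ([a-z-]+) on address")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+\S+\s*$")
MEMORY_SAFETY = {"stack-buffer-overflow", "heap-buffer-overflow", "heap-use-after-free", "global-buffer-overflow"}

def parse_frames(report):
    """Function names of a sanitizer stack, innermost first; parameter lists dropped."""
    return [m.group(1).split("(")[0] for m in map(FRAME_RE.match, report.splitlines()) if m]

def find_cycle(frames, min_repeats=2):
    """Smallest period p whose p-periodic tail covers >= min_repeats cycles; None if no recursion."""
    n = len(frames)
    for p in range(1, n // min_repeats + 1):
        start = n - p                       # the last p frames are trivially p-periodic
        while start > 0 and frames[start - 1] == frames[start - 1 + p]:
            start -= 1                      # extend the periodic tail towards the crash frame
        if n - start >= p * min_repeats:
            return frames[start:start + p]
    return None

def classify(report):
    """Triage verdict: ('unbounded-recursion' | 'memory-safety' | 'needs-review', asan kind, cycle)."""
    m = ERROR_RE.search(report)
    kind = m.group(1) if m else "unknown"
    cycle = find_cycle(parse_frames(report)) or []
    if kind == "stack-overflow" and cycle:
        return ("unbounded-recursion", kind, cycle)   # DoS-class, like this bug
    if kind in MEMORY_SAFETY:
        return ("memory-safety", kind, cycle)
    return ("needs-review", kind, cycle)                # e.g. stack-overflow with no cycle (huge frame)
```

A "stack-overflow" with no repeating cycle is deliberately left as needs-review, since a single oversized frame rather than recursion can also exhaust the stack.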