stack-overflow in SVG layout
Categories
(Core :: SVG, defect)
People
(Reporter: wh0tlif3, Unassigned)
Details
(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(2 files)
Hi, I can trigger a bug in an ASan build; directly open the PoC.
Part of the ASan info:
==4015036==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe2e4adf98 (pc 0x5591d6581497 bp 0x7ffe2e4ae7d0 sp 0x7ffe2e4adfa0 T0)
#0 0x5591d6581497 in __asan_memset asan_rtl:3
#1 0x7fc168911476 in BaseMatrix /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/Matrix.h:53:37
#2 0x7fc168911476 in mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int, mozilla::gfx::BaseMatrix<double> const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:893:13
#3 0x7fc168293d00 in nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9618:11
#4 0x7fc1680304bf in GetSVGBox /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.cpp:89:26
#5 0x7fc1680304bf in nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached() /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.cpp:115:12
#6 0x7fc168b60ff4 in X /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.h:96:5
#7 0x7fc168b60ff4 in GetDeltaToTransformOrigin /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6075:46
#8 0x7fc168b60ff4 in mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6161:11
#9 0x7fc1689172ae in mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1523:48
#10 0x7fc165e70809 in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:479:13
#11 0x7fc165e3c04c in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:496:22
#12 0x7fc165e3bf07 in mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:569:10
#13 0x7fc168919594 in mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1085:35
#14 0x7fc168884a4b in mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int) /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp:383:7
#15 0x7fc168888801 in non-virtual thunk to mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int) /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp:0:0
#16 0x7fc1689117ba in mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int, mozilla::gfx::BaseMatrix<double> const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:910:12
#17 0x7fc168293d00 in nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*, mozilla::StyleGeometryBox) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:9618:11
#18 0x7fc1680304bf in GetSVGBox /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.cpp:89:26
#19 0x7fc1680304bf in nsStyleTransformMatrix::TransformReferenceBox::EnsureDimensionsAreCached() /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.cpp:115:12
#20 0x7fc168b60ff4 in X /builds/worker/checkouts/gecko/layout/style/nsStyleTransformMatrix.h:96:5
#21 0x7fc168b60ff4 in GetDeltaToTransformOrigin /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6075:46
#22 0x7fc168b60ff4 in mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties(nsIFrame const*, nsStyleTransformMatrix::TransformReferenceBox&, float) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:6161:11
#23 0x7fc1689172ae in mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1523:48
#24 0x7fc165e70809 in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool)::$_0::operator()(mozilla::dom::SVGElement const*, bool) const /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:479:13
#25 0x7fc165e3c04c in mozilla::GetCTMInternal(mozilla::dom::SVGElement*, bool, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:496:22
#26 0x7fc165e3bf07 in mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool) /builds/worker/checkouts/gecko/dom/svg/SVGContentUtils.cpp:569:10
#27 0x7fc168919594 in mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*, mozilla::gfx::BaseMatrix<double>*) /builds/worker/checkouts/gecko/layout/svg/SVGUtils.cpp:1085:35
#28 0x7fc168884a4b in mozilla::SVGGeometryFrame::GetBBoxContribution(mozilla::gfx::BaseMatrix<float> const&, unsigned int) /builds/worker/checkouts/gecko/layout/svg/SVGGeometryFrame.cpp:383:7
Comment 2•10 months ago
I have not confirmed this, rating is based on the evidence presented.
Comment 3•10 months ago
I do get an opt build crash so confirming the bug to that extent: bp-7038f164-eec2-4190-b211-3b4690231126
Mini PoC:
<html>
<head>
<style>
#htmlvar00005, #htmlvar00007, line { border-spacing: 0px; mso-pagination: widow-orphan; -webkit-border-start-color: white; align-content: space-evenly; stroke: currentcolor; mso-font-charset: 8; text-overflow: clip clip; border-bottom-color: currentcolor; hyphenate-limit-lines: no-limit; -webkit-min-logical-height: 0px; animation-name: none, none; transform: translate3d(1, 0px, 8px); -webkit-border-end: -1px dashed black; border-collapse: separate; transform-box: border-box; scroll-snap-align: end; -webkit-margin-before-collapse: collapse; container-type: size; -webkit-order: ""; text-decoration-trim: 0px 1px }
</style>
</head>
<body>
<svg id="svgvar00001" viewBox="69 12 0 1" width="0.8627159553451066" contentStyleType="text/css" externalResourcesRequired="true" y="0in" requiredFeatures="x" min="media" pointsAtZ="0" edgeMode="duplicate" style="scrollbar-color: white; scroll-timeline-axis: inline; voice-rate: normal; -webkit-column-rule-color: black; backface-visibility: visible">
<line id="svgvar00003" x1="1px" y1="2" x2="0" y2="0.6410206073074981" vector-effect="non-scaling-stroke" transform="translate(1,0) scale(1) scale(0.6556504328855888, 0.5407718561091608) translate(0, 0)" stroke-linecap="round" visibility="hidden" pointer-events="painted" numOctaves="1" font-variant="small-caps" contentStyleType="text/css" mathematical="1" onmouseover="eventhandler3()" />
</svg>
</body>
</html>
Comment 6•10 months ago
Stack overflow is sec-high? Interesting.
Comment 7•10 months ago
Are you sure that this bug (and its duplicate) are security bugs at all? They just seem like stack overflows; sure, it's irritating that your tab crashes, but it's not exploitable, is it?
Comment 8•10 months ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
I have not confirmed this, rating is based on the evidence presented.
Yeah I agree it's probably not sec-high.
Comment 9•10 months ago
(In reply to Robert Longson [:longsonr] from comment #7)
Are you sure that this bug (and its duplicate) are security bugs at all. They just seem like stack overflows
You're right -- I misread the ASAN output as "stack BUFFER overflow". Over-recursion is just a DoS and doesn't need to be hidden.
"crashing_thread": { "frame_count": 48346
I clearly didn't pay close enough attention to the opt crash I got!
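The triage question in comments 7 to 9 (ASan "stack-overflow" from over-recursion versus "stack-buffer-overflow") and the repeating frames in the reporter's trace are what a reviewer has to read off the report. As an added example, not part of this bug report or of Firefox, a Python helper that parses an ASan report, finds the shortest repeating run of frames and labels stack exhaustion as a DoS; the embedded report is a constructed, shortened excerpt of the one above.

```python
import re

# Constructed, shortened excerpt of this bug's ASan report: paths and argument
# lists trimmed, the 14-frame cycle cut to six key frames, tail truncated.
SAMPLE_REPORT = """\
==4015036==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe2e4adf98 (pc 0x5591d6581497 bp 0x7ffe2e4ae7d0 sp 0x7ffe2e4adfa0 T0)
    #0 0x5591d6581497 in __asan_memset asan_rtl:3
    #2 0x7fc168911476 in mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int) SVGUtils.cpp:893:13
    #3 0x7fc168293d00 in nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*) nsLayoutUtils.cpp:9618:11
    #4 0x7fc1689172ae in mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*) SVGUtils.cpp:1523:48
    #5 0x7fc165e3bf07 in mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool) SVGContentUtils.cpp:569:10
    #6 0x7fc168919594 in mozilla::SVGUtils::GetNonScalingStrokeTransform(nsIFrame const*) SVGUtils.cpp:1085:35
    #7 0x7fc168884a4b in mozilla::SVGGeometryFrame::GetBBoxContribution(unsigned int) SVGGeometryFrame.cpp:383:7
    #8 0x7fc1689117ba in mozilla::SVGUtils::GetBBox(nsIFrame*, unsigned int) SVGUtils.cpp:910:12
    #9 0x7fc168293d00 in nsLayoutUtils::ComputeSVGReferenceRect(nsIFrame*) nsLayoutUtils.cpp:9618:11
    #10 0x7fc1689172ae in mozilla::SVGUtils::GetTransformMatrixInUserSpace(nsIFrame const*) SVGUtils.cpp:1523:48
    #11 0x7fc165e3bf07 in mozilla::SVGContentUtils::GetCTM(mozilla::dom::SVGElement*, bool) SVGContentUtils.cpp:569:10
"""

HEADER_RE = re.compile(r"AddressSanitizer: ([a-z-]+) on address")
# "#N 0x<addr> in <symbol> <file>:<line>[:<col>]"; the symbol may contain spaces.
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.+?)\s+\S+:\d+(?::\d+)?$")

def parse_report(text):
    """Return the ASan error kind and the frame symbols, innermost first."""
    kind, frames = None, []
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            kind = m.group(1)
        elif m := FRAME_RE.match(line):
            frames.append(m.group(1))
    return kind, frames

def find_recursion_cycle(symbols, min_tail=4):
    """Shortest repeating run of frames as (start, cycle), else None. ASan
    truncates deep stacks, so only the frames present (at least min_tail) must repeat."""
    n = len(symbols)
    for period in range(1, n - min_tail + 1):
        for start in range(0, n - period - min_tail + 1):
            if all(symbols[i] == symbols[i - period] for i in range(start + period, n)):
                return start, symbols[start:start + period]
    return None

def triage(text):
    """Tell stack exhaustion (a DoS) apart from a stack *buffer* overflow."""
    kind, frames = parse_report(text)
    cycle = find_recursion_cycle(frames)
    if kind == "stack-overflow" and cycle:
        return kind, cycle, "over-recursion: stack exhaustion, not memory corruption"
    if kind == "stack-buffer-overflow":
        return kind, cycle, "out-of-bounds stack buffer access: possible memory corruption"
    return kind, cycle, f"{kind}: review manually"
```

On the full trace above the cycle found is the 14 frames from GetBBox down to GetBBoxContribution, which repeat from frame #16 on.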