Hit MOZ_CRASH(attempt to multiply with overflow) at /builds/worker/checkouts/gecko/third_party/rust/cssparser/src/unicode_range.rs:143
Categories: Core :: CSS Parsing and Computation, defect
Tracking: firefox128 affected
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, pernosco
Found with m-c 20240602-d2b4393709e7 (--enable-debug --enable-fuzzing)
This was found by visiting a live website with a debug build.
STR:
- Launch browser and visit site
This issue was triggered by visiting http://redkiwiapp.com/.
Hit MOZ_CRASH(attempt to multiply with overflow) at /builds/worker/checkouts/gecko/third_party/rust/cssparser/src/unicode_range.rs:143
8|0|xul.dll|RustMozCrash(char const*, int, char const*)|hg:hg.mozilla.org/mozilla-central:mozglue/static/rust/wrappers.cpp:d2b4393709e72f29db9433124e0a166a555591cd|18|0x23
8|1|xul.dll|mozglue_static::panic_hook(core::panic::panic_info::PanicInfo*)|hg:hg.mozilla.org/mozilla-central:mozglue/static/rust/lib.rs:d2b4393709e72f29db9433124e0a166a555591cd|98|0x91
8|2|xul.dll|core::ops::function::Fn::call<void (*)(ref$<core::panic::panic_info::PanicInfo>),tuple$<ref$<core::panic::panic_info::PanicInfo> > >(void (**)(core::panic::panic_info::PanicInfo*), core::panic::panic_info::PanicInfo*)|/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/core/src/ops/function.rs|79|0x11
8|3|xul.dll|std::panicking::rust_panic_with_hook()|git:github.com/rust-lang/rust:library/std/src/panicking.rs:9b00956e56009bab2aa15d7bff10916599e3d6d6|783|0x12b
8|4|xul.dll|std::panicking::begin_panic_handler::closure$0()|git:github.com/rust-lang/rust:library/std/src/panicking.rs:9b00956e56009bab2aa15d7bff10916599e3d6d6|649|0x7a
8|5|xul.dll|std::sys_common::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::closure_env$0,never$>()|git:github.com/rust-lang/rust:library/std/src/sys_common/backtrace.rs:9b00956e56009bab2aa15d7bff10916599e3d6d6|171|0x8
8|6|xul.dll|std::panicking::begin_panic_handler()|git:github.com/rust-lang/rust:library/std/src/panicking.rs:9b00956e56009bab2aa15d7bff10916599e3d6d6|645|0x35
8|7|xul.dll|core::panicking::panic_fmt()|git:github.com/rust-lang/rust:library/core/src/panicking.rs:9b00956e56009bab2aa15d7bff10916599e3d6d6|72|0x36
8|8|xul.dll|core::panicking::panic()|git:github.com/rust-lang/rust:library/core/src/panicking.rs:9b00956e56009bab2aa15d7bff10916599e3d6d6|145|0x41
8|9|xul.dll|cssparser::unicode_range::UnicodeRange::parse(cssparser::parser::Parser*)|hg:hg.mozilla.org/mozilla-central:third_party/rust/cssparser/src/unicode_range.rs:d2b4393709e72f29db9433124e0a166a555591cd|45|0x663
8|10|xul.dll|cssparser::parser::Parser::parse_entirely<style::font_face::impl$78::parse_value::closure_env$6,alloc::vec::Vec<cssparser::unicode_range::UnicodeRange,alloc::alloc::Global>,enum2$<style_traits::StyleParseErrorKind> >(style::font_face::impl$78::parse_value::closure_env$6)|hg:hg.mozilla.org/mozilla-central:third_party/rust/cssparser/src/parser.rs:d2b4393709e72f29db9433124e0a166a555591cd|695|0xb5
8|11|xul.dll|style::font_face::impl$78::parse_value(style::font_face::FontFaceRuleParser*, cssparser::cow_rc_str::CowRcStr, cssparser::parser::Parser*)|hg:hg.mozilla.org/mozilla-central:servo/components/style/font_face.rs:d2b4393709e72f29db9433124e0a166a555591cd|685|0x25d
8|12|xul.dll|style::font_face::parse_font_face_block(style::parser::ParserContext*, cssparser::parser::Parser*, cssparser::tokenizer::SourceLocation)|hg:hg.mozilla.org/mozilla-central:servo/components/style/font_face.rs:d2b4393709e72f29db9433124e0a166a555591cd|474|0x5f7
8|13|xul.dll|style::stylesheets::rule_parser::impl$7::parse_block(style::stylesheets::rule_parser::NestedRuleParser*, enum2$<style::stylesheets::rule_parser::AtRulePrelude>, cssparser::parser::ParserState*, cssparser::parser::Parser*)|hg:hg.mozilla.org/mozilla-central:servo/components/style/stylesheets/rule_parser.rs:d2b4393709e72f29db9433124e0a166a555591cd|755|0x8a1
8|14|xul.dll|cssparser::rules_and_declarations::parse_at_rule<style::stylesheets::rule_parser::TopLevelRuleParser,enum2$<style_traits::StyleParseErrorKind> >(cssparser::parser::ParserState*, cssparser::cow_rc_str::CowRcStr, cssparser::parser::Parser*, style::stylesheets::rule_parser::TopLevelRuleParser*)|hg:hg.mozilla.org/mozilla-central:third_party/rust/cssparser/src/rules_and_declarations.rs:d2b4393709e72f29db9433124e0a166a555591cd|471|0xcc4
8|15|xul.dll|style::stylesheets::stylesheet::Stylesheet::parse_rules(ref$<str$>, style::stylesheets::UrlExtraData*, style::stylesheets::origin::Origin, style::shared_lock::SharedRwLock*, enum2$<core::option::Option<ref$<dyn$<style::stylesheets::loader::StylesheetLoader> > > >, enum2$<core::option::Option<ref$<dyn$<style::error_reporting::ParseErrorReporter> > > >, selectors::context::QuirksMode, enum2$<core::option::Option<ref$<style::use_counters::UseCounters> > >, style::stylesheets::stylesheet::AllowImportRules, enum2$<core::option::Option<ref_mut$<style::stylesheets::stylesheet::SanitizationData> > >)|hg:hg.mozilla.org/mozilla-central:servo/components/style/stylesheets/stylesheet.rs:d2b4393709e72f29db9433124e0a166a555591cd|470|0x6ce
8|16|xul.dll|style::stylesheets::stylesheet::StylesheetContents::from_str(ref$<str$>, style::stylesheets::UrlExtraData, style::stylesheets::origin::Origin, style::shared_lock::SharedRwLock*, enum2$<core::option::Option<ref$<dyn$<style::stylesheets::loader::StylesheetLoader> > > >, enum2$<core::option::Option<ref$<dyn$<style::error_reporting::ParseErrorReporter> > > >, selectors::context::QuirksMode, enum2$<core::option::Option<ref$<style::use_counters::UseCounters> > >, style::stylesheets::stylesheet::AllowImportRules, enum2$<core::option::Option<ref_mut$<style::stylesheets::stylesheet::SanitizationData> > >)|hg:hg.mozilla.org/mozilla-central:servo/components/style/stylesheets/stylesheet.rs:d2b4393709e72f29db9433124e0a166a555591cd|89|0x90
8|17|xul.dll|geckoservo::stylesheet_loader::AsyncStylesheetParser::parse(geckoservo::stylesheet_loader::AsyncStylesheetParser)|hg:hg.mozilla.org/mozilla-central:servo/ports/geckolib/stylesheet_loader.rs:d2b4393709e72f29db9433124e0a166a555591cd|135|0x126
8|18|xul.dll|rayon_core::job::impl$6::execute<rayon_core::spawn::spawn_job::closure_env$0<geckoservo::glue::Servo_StyleSheet_FromUTF8BytesAsync::closure_env$0> >(tuple$<>*)|hg:hg.mozilla.org/mozilla-central:third_party/rust/rayon-core/src/job.rs:d2b4393709e72f29db9433124e0a166a555591cd|169|0x6e
8|19|xul.dll|rayon_core::registry::WorkerThread::wait_until_cold(rayon_core::latch::CoreLatch*)|hg:hg.mozilla.org/mozilla-central:third_party/rust/rayon-core/src/registry.rs:d2b4393709e72f29db9433124e0a166a555591cd||0x65
8|20|xul.dll|rayon_core::registry::ThreadBuilder::run(rayon_core::registry::ThreadBuilder)|hg:hg.mozilla.org/mozilla-central:third_party/rust/rayon-core/src/registry.rs:d2b4393709e72f29db9433124e0a166a555591cd|52|0x408
8|21|xul.dll|std::sys_common::backtrace::__rust_begin_short_backtrace<style::global_style_data::thread_spawn::closure_env$0,tuple$<> >(style::global_style_data::thread_spawn::closure_env$0)|/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/std/src/sys_common/backtrace.rs|155|0x4f
8|22|xul.dll|core::ops::function::FnOnce::call_once<std::thread::impl$0::spawn_unchecked_::closure_env$1<style::global_style_data::thread_spawn::closure_env$0,tuple$<> >,tuple$<> >(std::thread::impl$0::spawn_unchecked_::closure_env$1<style::global_style_data::thread_spawn::closure_env$0,tuple$<> >*)|/rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/core/src/ops/function.rs|250|0x58
8|23|xul.dll|std::sys::pal::windows::thread::impl$0::new::thread_start()|git:github.com/rust-lang/rust:library/std/src/sys/pal/windows/thread.rs:9b00956e56009bab2aa15d7bff10916599e3d6d6|54|0x4b
8|24|||||
8|25|mozglue.dll|patched_BaseThreadInitThunk(int, void*, void*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:d2b4393709e72f29db9433124e0a166a555591cd|562|0x8a
8|26|ntdll.dll||||
8|27|KERNELBASE.dll||||
Comment 1 • 1 year ago (Reporter)
A Pernosco session is available here: https://pernos.co/debug/uGJ76nUoWtv5DCRb1PYdIw/index.html
Comment 2 • 1 year ago
This is triggered because the site has a @font-face rule with a bad unicode-range descriptor:
@font-face {
  font-family: "Tossface";
  src: url("./TossFaceFontMac-11.woff2") format("woff2"),
       url("./TossFaceFontMac-11.woff") format("woff");
  unicode-range: U+200D, U+FE0F, U+1F3FB-1F3FF, U+1F9B0-1F9B3, U+2640, U+2642,
                 U+26F9, U+E100-E11D, U+1F6DC-1F6DF, U+1F7F0, U+1F979, U+1F9CC, U+1FA75-1FA77,
                 U+1FA7B-1FA7C, U+1FA87-1FA88, U+1FAA9-1FAAF, U+1FAB7-1FABD, U+1FABF,
                 U+1FAC3-1FAC5, U+1FACE-1FACF, U+1FAD7-1FADB, U+1FAE0-1FAE8, U+1FAF0-1FAF8,
                 U+26F9200D2640, U+26F9200D2642;
}
Obviously they're hoping this font will be used for the sequence <26F9, 200D, 2640>, but that's not how unicode-range works.
Still, the parser should reject this more cleanly (there's a limit of 6 hex digits) rather than attempting to interpret the entire "number" and overflowing.
Comment 3 • 1 year ago
The Syntax spec[1] explicitly says to read "no more than 6" hex digits in a unicode-range component. The cssparser code[2] checks the length, but only after it has called consume_hex with a potentially longer string, and that's where the overflow happens.
[1] https://drafts.csswg.org/css-syntax/#consume-unicode-range-token
[2] https://searchfox.org/mozilla-central/rev/f9139f56bbcc0d587966c007178910ea31df7d58/third_party/rust/cssparser/src/unicode_range.rs#107-112
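To make the ordering problem described in comments 2 and 3 concrete, here is an added example (my own code, not cssparser's and not the proposed patch): a hex reader that accumulates first and checks the digit count afterwards, beside one that stops at 6 digits before accumulating, with a small component parser built on the bounded reader. The names consume_hex_unbounded, consume_hex_bounded, parse_range and RangeError are assumptions, and ? wildcards are left out.

```rust
// Added illustration, not cssparser's code: a 6-digit bound applied before
// accumulating, versus the ordering the bug describes (accumulate, then check).
const MAX_HEX_DIGITS: usize = 6;
const MAX_CODE_POINT: u32 = 0x10FFFF;

#[derive(Debug, PartialEq)]
pub enum RangeError { Overflow, TooManyDigits, NoDigits, BadSyntax, OutOfRange }

/// Consumes every hex digit first and checks the count only afterwards.
/// checked_mul stands in for the debug-build "attempt to multiply with overflow"
/// panic: with 12 digits the u32 accumulator overflows at digit 9, before the
/// length check is ever reached.
pub fn consume_hex_unbounded(s: &str) -> Result<(u32, usize), RangeError> {
    let (mut value, mut n) = (0u32, 0usize);
    for d in s.chars().map_while(|c| c.to_digit(16)) {
        value = value.checked_mul(16).and_then(|v| v.checked_add(d)).ok_or(RangeError::Overflow)?;
        n += 1;
    }
    if n > MAX_HEX_DIGITS { return Err(RangeError::TooManyDigits); }
    Ok((value, n))
}

/// Reads at most 6 hex digits (CSS Syntax "consume a unicode-range token"),
/// so the accumulator never exceeds 0xFFFFFF and cannot overflow.
pub fn consume_hex_bounded(s: &str) -> (u32, usize) {
    let (mut value, mut n) = (0u32, 0usize);
    for d in s.chars().take(MAX_HEX_DIGITS).map_while(|c| c.to_digit(16)) {
        value = value * 16 + d;
        n += 1;
    }
    (value, n)
}

/// Parses one "U+XXXX" or "U+XXXX-YYYY" component with the bounded reader.
/// Digits left over after the 6th are a syntax error, not an overflow.
pub fn parse_range(component: &str) -> Result<(u32, u32), RangeError> {
    let rest = component.strip_prefix("U+").ok_or(RangeError::BadSyntax)?;
    let (start, n) = consume_hex_bounded(rest);
    if n == 0 { return Err(RangeError::NoDigits); }
    let rest = &rest[n..]; // hex digits are ASCII, so char count == byte offset
    let (end, rest) = match rest.strip_prefix('-') {
        Some(r) => match consume_hex_bounded(r) {
            (_, 0) => return Err(RangeError::NoDigits),
            (e, m) => (e, &r[m..]),
        },
        None => (start, rest),
    };
    if !rest.is_empty() { return Err(RangeError::BadSyntax); }
    if start > end || end > MAX_CODE_POINT { return Err(RangeError::OutOfRange); }
    Ok((start, end))
}
```

With the 12-digit value from the site's stylesheet, consume_hex_unbounded reports Overflow (the panic in the report), while parse_range rejects it as a syntax error after reading only 6 digits.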
Comment 4 • 1 year ago
I opened https://github.com/servo/rust-cssparser/pull/391 with a proposed patch to handle this.