Bug 1904582
Opened 5 months ago
Closed 5 months ago
Hit MOZ_CRASH(nsStandardURL::SanityCheck failed) at /netwerk/base/nsStandardURL.cpp:298
Categories
(Core :: Networking, defect, P2)
RESOLVED
FIXED
130 Branch
Tracking | Status | |
---|---|---|
firefox130 | --- | fixed |
People
(Reporter: jkratzer, Assigned: sekim)
References
(Blocks 2 open bugs)
Details
(Keywords: testcase, Whiteboard: [necko-triaged])
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev fc0f7d3e6a3d built with: --enable-address-sanitizer --enable-fuzzing.
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch
$ python -m fuzzfetch --build fc0f7d3e6a3d -a --fuzzing --target firefox gtest -n firefox
$ FUZZER=URIParser ./firefox/firefox testcase.bin
Hit MOZ_CRASH(nsStandardURL::SanityCheck failed) at /netwerk/base/nsStandardURL.cpp:298
==218==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7d259a4e9ba4 bp 0x7ffc3d216650 sp 0x7ffc3d216500 T0)
==218==The signal is caused by a WRITE memory access.
==218==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x7d259a4e9ba4 in mozilla::net::nsStandardURL::SanityCheck() /netwerk/base/nsStandardURL.cpp:298:5
#1 0x7d259a4f87e3 in mozilla::net::nsStandardURL::SetSpecWithEncoding(nsTSubstring<char> const&, mozilla::Encoding const*) /netwerk/base/nsStandardURL.cpp:1816:3
#2 0x7d259a50763c in mozilla::net::nsStandardURL::SetFilePath(nsTSubstring<char> const&) /netwerk/base/nsStandardURL.cpp:3139:12
#3 0x7d259bd387f7 in SetFilePath /builds/worker/workspace/obj-build/dist/include/nsIURIMutator.h:546:25
#4 0x7d259bd387f7 in SetFilePath /modules/libjar/nsJARURI.cpp:486:34
#5 0x7d259bd387f7 in nsJARURI::Mutator::SetFilePath(nsTSubstring<char> const&, nsIURIMutator**) /modules/libjar/nsJARURI.h:108:5
#6 0x7d25964d4b6e in FuzzingRunURIParser(unsigned char const*, unsigned long) /netwerk/test/fuzz/TestURIFuzzing.cpp
#7 0x623ddc48827b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
#8 0x623ddc487d01 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:479:7
#9 0x623ddc489137 in fuzzer::Fuzzer::MutateAndTestOne() /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:717:19
#10 0x623ddc489b45 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:861:9
#11 0x623ddc47b16b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tools/fuzzing/libfuzzer/FuzzerDriver.cpp:864:14
#12 0x7d25a6f9a20b in mozilla::FuzzerRunner::Run(int*, char***) /tools/fuzzing/interface/harness/FuzzerRunner.cpp:75:13
#13 0x7d25a6edc51c in XREMain::XRE_mainStartup(bool*) /toolkit/xre/nsAppRunner.cpp:4705:35
#14 0x7d25a6ee864f in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5980:12
#15 0x7d25a6ee9531 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:6049:21
#16 0x623ddc2e10f7 in do_main /browser/app/nsBrowserApp.cpp:230:22
#17 0x623ddc2e10f7 in main /browser/app/nsBrowserApp.cpp:448:16
#18 0x7d25bc9c4082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
#19 0x623ddc208a98 in _start (/home/worker/firefox/firefox+0xd5a98) (BuildId: 20f97eda4a224bc930ba7aa9c66a9ed98a1c02d3)
DEDUP_TOKEN: mozilla::net::nsStandardURL::SanityCheck()
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /netwerk/base/nsStandardURL.cpp:298:5 in mozilla::net::nsStandardURL::SanityCheck()
Command: /home/worker/firefox/firefox -rss_limit_mb=3500 -use_value_profile=1 -timeout=5 -entropic=1 -dict=./tokens.dict ./corpora/ -handle_segv=0 -handle_bus=0 -handle_abrt=0 -handle_ill=0 -handle_fpe=0 -print_pcs=1
==218==ABORTING
Updated•5 months ago (reporter)
Attachment #9409417 -
Attachment filename: testcase.html → testcase.bin
I think I am able to reproduce this error, will look into this.
Assignee: nobody → sekim
Flags: needinfo?(sekim)
Updated•5 months ago
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged]
Updated•5 months ago
Attachment #9409616: Attachment description: Bug 1904582 - Fix a case where the basename position is not initialized r?kershaw → Bug 1904582 - Fix an edge case where the basename, query, and hash position is not initialized r?kershaw
Updated•5 months ago
Attachment #9409616: Attachment description: Bug 1904582 - Fix an edge case where the basename, query, and hash position is not initialized r?kershaw → Bug 1904582 - Fix an edge case where the basename, query, and ref position are not initialized r?kershaw
Updated•5 months ago
Attachment #9409616: Attachment description: Bug 1904582 - Fix an edge case where the basename, query, and ref position are not initialized r?kershaw → Bug 1904582 - Fix an edge case for NS_MutateURI where the basename, query, and ref position are not adjusted accordingly r?kershaw
Pushed by archaeopteryx@coole-files.de:
https://hg.mozilla.org/integration/autoland/rev/ac10105ea2df
Fix an edge case for NS_MutateURI where the basename, query, and ref position are not adjusted accordingly r=kershaw,necko-reviewers
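The pushed fix adjusts the basename, query and ref offsets after the file path is replaced. As an added illustrative model (not Firefox's nsStandardURL or NS_MutateURI code; the struct, function names and the sample URL are constructed), the following shows why an offset-based URL must shift its trailing component positions on every mutation, and how an invariant check in the spirit of SanityCheck() catches a stale layout before the offsets are used:

```cpp
// Added illustrative model, not Firefox's nsStandardURL: one spec string plus
// (position, length) pairs that must stay consistent after every mutation.
#include <cstdint>
#include <string>

struct OffsetUrl {
    std::string spec;                     // e.g. "file:///dir/base.txt?q=1#frag"
    int32_t pathPos = -1, pathLen = 0;    // "/dir/base.txt"
    int32_t basePos = -1, baseLen = 0;    // "base.txt"
    int32_t queryPos = -1, queryLen = 0;  // "q=1"  (-1 = absent)
    int32_t refPos = -1, refLen = 0;      // "frag" (-1 = absent)
};
// Invariant check in the spirit of a SanityCheck(): every offset lies inside the
// spec, the basename ends where the path ends, and '?' / '#' precede query / ref.
static bool sanityCheck(const OffsetUrl& u) {
    const int32_t n = static_cast<int32_t>(u.spec.size());
    auto inRange = [n](int32_t pos, int32_t len) { return pos >= 0 && len >= 0 && pos + len <= n; };
    const int32_t pathEnd = u.pathPos + u.pathLen;
    if (!inRange(u.pathPos, u.pathLen) || !inRange(u.basePos, u.baseLen)) return false;
    if (u.basePos + u.baseLen != pathEnd) return false;  // stale basename offset
    if (u.spec.substr(u.basePos, u.baseLen).find('/') != std::string::npos) return false;
    if (u.queryPos >= 0 && (u.queryPos != pathEnd + 1 || !inRange(u.queryPos, u.queryLen) ||
                            u.spec[u.queryPos - 1] != '?')) return false;
    if (u.refPos >= 0 && (u.refPos < 1 || !inRange(u.refPos, u.refLen) ||
                          u.spec[u.refPos - 1] != '#')) return false;
    return true;
}
// Replace the file path. adjustTrailing == false leaves the basename, query and
// ref offsets stale (the bug class fixed in this report); true shifts them.
static void setFilePath(OffsetUrl& u, const std::string& newPath, bool adjustTrailing) {
    const int32_t delta = static_cast<int32_t>(newPath.size()) - u.pathLen;
    u.spec.replace(u.pathPos, u.pathLen, newPath);
    u.pathLen += delta;
    if (!adjustTrailing) return;
    const size_t slash = newPath.rfind('/');
    u.basePos = u.pathPos + (slash == std::string::npos ? 0 : static_cast<int32_t>(slash) + 1);
    u.baseLen = u.pathPos + u.pathLen - u.basePos;
    if (u.queryPos >= 0) u.queryPos += delta;
    if (u.refPos >= 0) u.refPos += delta;
}
// Constructed sample: mutate the path and report whether the invariant survives.
static bool mutateAndCheck(bool adjustTrailing) {
    OffsetUrl u;
    u.spec = "file:///dir/base.txt?q=1#frag";
    u.pathPos = 7; u.pathLen = 13; u.basePos = 12; u.baseLen = 8;
    u.queryPos = 21; u.queryLen = 3; u.refPos = 25; u.refLen = 4;
    if (!sanityCheck(u)) return false;
    setFilePath(u, "/x/longer-name.bin", adjustTrailing);
    return sanityCheck(u);
}
```

With adjustTrailing == false the basename offset still points into the old path and the check fails, which is the condition a release-asserting sanity check turns into a controlled crash rather than a later out-of-range read.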
Comment 7•5 months ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
status-firefox130:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch
Updated•16 days ago (reporter)
Blocks: fuzzing-uri