Closed Bug 2019107 Opened 2 months ago Closed 2 months ago

Deeply nested CSS multicol containers cause C++ stack overflow in nsCSSFrameConstructor::BeginBuildingColumns

Categories

(Core :: Layout, defect)


RESOLVED DUPLICATE of bug 1973126

People

(Reporter: nohsecbug, Unassigned)

Details

(Keywords: ai-involved, reporter-external, Whiteboard: [client-bounty-form])

Attachments

(1 file)

Attached file poc.html

Description

Deeply nested elements with the columns CSS property crash the content process via C++ stack overflow during frame construction. No user interaction required — visiting a page that creates the nested DOM is sufficient.

Steps to reproduce:

  1. Save attached poc.html to disk
  2. Open in Firefox: firefox --no-remote poc.html
  3. Tab crashes: "Gah. Your tab just crashed."

ASan output (mozilla-central, macOS 26.3, aarch64):

==70906==ERROR: AddressSanitizer: stack-overflow on address 0x00016d133bd0
    #0 smallvec::SmallVecData::from_inline
    #1 smallvec::SmallVec::new
    #2 <smallvec::SmallVec as core::default::Default>::default
    #3 <style::properties::cascade::Declarations as Default>::default
    #4 style::properties::cascade::apply_declarations
    #5 style::properties::cascade::cascade_rules
    #6 style::properties::cascade::cascade
    #7 style::stylist::Stylist::cascade_style_and_visited
    #8 style::stylist::Stylist::compute_pseudo_element_style_with_inputs
    #9 style::stylist::Stylist::precomputed_values_for_pseudo_with_rule_node
    #10 Servo_ComputedValues_GetForAnonymousBox
    #11 mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle
    #12 nsCSSFrameConstructor::BeginBuildingColumns
    #13 nsCSSFrameConstructor::ConstructBlock
    #14 nsCSSFrameConstructor::ConstructNonScrollableBlock
    #15 nsCSSFrameConstructor::ConstructFrameFromItemInternal
    #16 nsCSSFrameConstructor::ConstructFramesFromItem
    #17 nsCSSFrameConstructor::ConstructFramesFromItemList
    #18 nsCSSFrameConstructor::ProcessChildren
    #19 nsCSSFrameConstructor::ConstructBlock
    ... (cycle repeats: ProcessChildren -> ConstructBlock -> BeginBuildingColumns -> style resolution -> ProcessChildren, 200+ times)
SUMMARY: AddressSanitizer: stack-overflow in smallvec::SmallVecData::from_inline

Root cause: Each nested multicol element triggers nsCSSFrameConstructor::BeginBuildingColumns() (layout/base/nsCSSFrameConstructor.cpp) which creates anonymous column frames and resolves their styles. This calls ConstructBlock() -> ProcessChildren() which recurses back for the next multicol child. Each nesting level consumes ~6 C++ stack frames for frame construction PLUS additional frames for anonymous box style resolution via Servo_ComputedValues_GetForAnonymousBox. The existing mCurrentDepth limit (kMaxDepth = 2 * MAX_REFLOW_DEPTH = 2052) is either bypassed by the anonymous frame creation path or insufficient because each multicol level consumes multiple depth increments.

Note: This is a C++ stack overflow during frame construction. The anonymous frame creation in BeginBuildingColumns triggers style resolution that consumes significant additional stack space per level, making the existing depth limit ineffective for multicol.

Suggested fix: Either reduce the frame construction depth limit for multicol containers specifically, or ensure BeginBuildingColumns checks mCurrentDepth before creating anonymous frames and recursing.

Severity: sec-high — reliable zero-click content process crash via C++ stack overflow. Uses only standard CSS columns property. All Firefox versions with multicol support, all platforms.

URL

(n/a — local HTML file)

Flags: sec-bounty?
Group: firefox-core-security
Component: Security → Layout
Keywords: ai-involved
Product: Firefox → Core

Thanks for the bug reports, but we don't really consider stack overflow crashes like this to be security issues. If a web page crashes a content process, it doesn't crash the browser and the user can just close the tab and continue on with what they are doing.

Thank you for letting me know! I will shift my focus towards more security-relevant findings in the future.

Status: UNCONFIRMED → RESOLVED
Closed: 2 months ago
Duplicate of bug: css-nesting-limit
Resolution: --- → DUPLICATE

ASAN is a good tool to use, but stack-overflow is an out of memory type condition and not at all the same thing as the scarier "stack BUFFER overflow". Other ASAN errors like use-after-free or out-of-bounds and others are worth reporting as security bugs.

Flags: sec-bounty? → sec-bounty-
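The ASan trace in the report, together with the maintainer's point that a stack-overflow report is an exhaustion condition rather than a memory-safety bug, can be turned into a small triage check for sanitizer output. This is an added example, not code from this bug or from Firefox; the report it parses is a constructed, abbreviated copy of the trace above, and the list of error names treated as memory-safety findings is an assumption.

```python
import re
from collections import Counter

# Constructed, abbreviated copy of the ASan trace quoted in the report (a few frames of the cycle kept).
SAMPLE_REPORT = """\
==70906==ERROR: AddressSanitizer: stack-overflow on address 0x00016d133bd0
    #0 smallvec::SmallVecData::from_inline
    #1 Servo_ComputedValues_GetForAnonymousBox
    #2 nsCSSFrameConstructor::BeginBuildingColumns
    #3 nsCSSFrameConstructor::ConstructBlock
    #4 nsCSSFrameConstructor::ProcessChildren
    #5 nsCSSFrameConstructor::ConstructBlock
    #6 nsCSSFrameConstructor::BeginBuildingColumns
    #7 nsCSSFrameConstructor::ConstructBlock
    #8 nsCSSFrameConstructor::ProcessChildren
    #9 nsCSSFrameConstructor::ConstructBlock
SUMMARY: AddressSanitizer: stack-overflow in smallvec::SmallVecData::from_inline
"""
# Assumption: ASan error names that indicate a memory-safety defect and so merit a security triage.
MEMORY_SAFETY_KINDS = {"heap-buffer-overflow", "stack-buffer-overflow", "global-buffer-overflow",
                       "heap-use-after-free", "stack-use-after-return", "stack-use-after-scope"}
HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: ([a-z-]+)")
FRAME_RE = re.compile(r"^\s*#\d+\s+(\S+)")

def parse_asan(report):
    """Return (error kind, [frame symbols, innermost first]) from an ASan report."""
    kind, frames = None, []
    for line in report.splitlines():
        header = HEADER_RE.match(line)
        if header and kind is None:
            kind = header.group(1)
        elif FRAME_RE.match(line):
            frames.append(FRAME_RE.match(line).group(1))
    return kind, frames

def recursion_hotspots(frames, min_repeats=2):
    """Symbols seen repeatedly on the stack; unbounded recursion shows up as the same symbols cycling."""
    return {sym: n for sym, n in Counter(frames).items() if n >= min_repeats}

def triage(report):
    """Classify: stack-overflow is resource exhaustion; the listed kinds are memory-safety bugs."""
    kind, frames = parse_asan(report)
    hotspots = recursion_hotspots(frames)
    if kind == "stack-overflow":
        category = "resource-exhaustion (recursion)" if hotspots else "resource-exhaustion"
    elif kind in MEMORY_SAFETY_KINDS:
        category = "memory-safety"
    else:
        category = "unclassified"
    return {"kind": kind, "category": category, "hotspots": hotspots}
```

Running triage(SAMPLE_REPORT) reports the stack-overflow as recursion-driven exhaustion and lists the cycling frame-construction symbols, which is the signal to route such a report to a layout robustness bug rather than a security queue.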
