Closed Bug 733112 Opened 13 years ago Closed 6 years ago

OOM Crash [@ nsAString_internal::Last] with out of bounds access

Categories

(Core :: General, defect)

x86_64
Linux
defect
Not set
critical


RESOLVED WONTFIX

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash)

Tested on m-c revision 8ea5c983743f: During OOM testing I got the following crash:

Program received signal SIGSEGV, Segmentation fault.
0x00002aaaac5ec26c in nsAString_internal::Last (this=0x7fffffff9820) at ../../../dist/include/nsTSubstring.h:252
252         return mData[mLength - 1];
(gdb) p mData
$1 = (nsAString_internal::char_type *) 0x2aaaae464cb8
(gdb) p mLength
$2 = 0
(gdb) bt 8
#0 0x00002aaaac5ec26c in nsAString_internal::Last (this=0x7fffffff9820) at ../../../dist/include/nsTSubstring.h:252
#1 0x00002aaaace9eccc in nsOSHelperAppService::GetHandlerAndDescriptionFromMailcapFile (aFilename=<optimized out>, aMajorType=..., aMinorType=..., aTypeOptions=..., aHandler=..., aDescription=..., aMozillaFlags=...) at /srv/repos/browser/mozilla-central/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1020
#2 0x00002aaaace9f732 in nsOSHelperAppService::DoLookUpHandlerAndDescription (aMajorType=..., aMinorType=..., aTypeOptions=..., aHandler=..., aDescription=..., aMozillaFlags=<optimized out>, aUserData=false) at /srv/repos/browser/mozilla-central/uriloader/exthandler/unix/nsOSHelperAppService.cpp:956
#3 0x00002aaaace9ff06 in nsOSHelperAppService::LookUpHandlerAndDescription (aMajorType=..., aMinorType=..., aTypeOptions=..., aHandler=..., aDescription=..., aMozillaFlags=...) at /srv/repos/browser/mozilla-central/uriloader/exthandler/unix/nsOSHelperAppService.cpp:901
#4 0x00002aaaacea053e in nsOSHelperAppService::GetFromExtension (this=0x1d478e0, aFileExt=...) at /srv/repos/browser/mozilla-central/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1347
#5 0x00002aaaacea061c in nsOSHelperAppService::GetMIMEInfoFromOS (this=0x1d478e0, aType=..., aFileExt=..., aFound=0x7fffffffa877) at /srv/repos/browser/mozilla-central/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1543
#6 0x00002aaaace95fec in nsExternalHelperAppService::GetTypeFromExtension (this=0x1d478e0, aFileExt=..., aContentType=...) at /srv/repos/browser/mozilla-central/uriloader/exthandler/nsExternalHelperAppService.cpp:2602
#7 0x00002aaaace93127 in nsExternalHelperAppService::GetTypeFromFile (this=0x1d478e0, aFile=<optimized out>, aContentType=...) at /srv/repos/browser/mozilla-central/uriloader/exthandler/nsExternalHelperAppService.cpp:2741

=> 0x2aaaac5ec26c <nsAString_internal::Last() const+60>: mov (%rax,%rdx,2),%ax
rax 0x2aaaae464cb8 46912556649656
rdx 0xffffffff 4294967295

For some reason, the mLength is 0 due to the OOM condition which causes an out of bounds access on the mData array. The last failing allocation is:

#0 /srv/repos/browser/mozilla-central/objdir-ff-gcc64dbg/dist/bin/libmozalloc.so(moz_malloc+0x5f)
#1 nsStringBuffer::Alloc(unsigned long) at xpcom/string/src/nsSubstring.cpp:210
#2 nsAString_internal::MutatePrep(unsigned int, unsigned short**, unsigned int*) at xpcom/string/src/nsTSubstring.cpp:163
#3 nsAString_internal::ReplacePrepInternal(unsigned int, unsigned int, unsigned int, unsigned int) at xpcom/string/src/nsTSubstring.cpp:199
#4 nsAString_internal::Replace(unsigned int, unsigned int, unsigned short const*, unsigned int) at xpcom/string/src/nsTSubstring.cpp:487
#5 nsOSHelperAppService::GetHandlerAndDescriptionFromMailcapFile(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, nsHashtable&, nsAString_internal&, nsAString_internal&, nsAString_internal&) at uriloader/exthandler/unix/nsOSHelperAppService.cpp:1020
#6 nsOSHelperAppService::DoLookUpHandlerAndDescription(nsAString_internal const&, nsAString_internal const&, nsHashtable&, nsAString_internal&, nsAString_internal&, nsAString_internal&, bool) at uriloader/exthandler/unix/nsOSHelperAppService.cpp:956
#7 nsOSHelperAppService::LookUpHandlerAndDescription(nsAString_internal const&, nsAString_internal const&, nsHashtable&, nsAString_internal&, nsAString_internal&, nsAString_internal&) at uriloader/exthandler/unix/nsOSHelperAppService.cpp:901
#8 nsOSHelperAppService::GetFromExtension(nsCString const&) at uriloader/exthandler/unix/nsOSHelperAppService.cpp:1347
#9 ~nsACString_internal at objdir-ff-gcc64dbg/uriloader/exthandler/../../dist/include/nsTSubstring.h:113
#10 nsCOMPtr at objdir-ff-gcc64dbg/uriloader/exthandler/../../dist/include/nsCOMPtr.h:574
#11 ~nsACString_internal at objdir-ff-gcc64dbg/uriloader/exthandler/../../dist/include/nsTSubstring.h:113
#12 ~nsCOMPtr at objdir-ff-gcc64dbg/netwerk/protocol/file/../../../dist/include/nsCOMPtr.h:519
#13 nsFileChannel::OpenContentStream(bool, nsIInputStream**, nsIChannel**) at netwerk/protocol/file/nsFileChannel.cpp:371
#14 nsBaseChannel::BeginPumpingData() at netwerk/base/src/nsBaseChannel.cpp:239
#15 nsBaseChannel::AsyncOpen(nsIStreamListener*, nsISupports*) at netwerk/base/src/nsBaseChannel.cpp:610

Although there is an out of bounds access I assume it's unlikely to be exploitable at all as the access is not controllable.
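Added illustration of the failure mode in the report above; this is not code from the bug or from Mozilla's tree. A hypothetical stand-in string type (`MiniString`, with the same two fields that matter here: a data pointer and an unsigned length) shows how `mLength - 1` wraps to 0xffffffff on an empty string (the rdx value in the register dump, scaled by 2 for char16_t in the faulting `mov`), how a failed allocation can leave the length at 0, and how a caller that checks the assignment result plus an accessor that refuses empty strings avoid the read. `assign`, `lastCharAfterAssign` and the failure switch are assumptions for the demo; it needs a C++17 compiler for `std::optional`.

```cpp
#include <cstdint>
#include <cstddef>
#include <optional>
#include <string>

// Hypothetical minimal stand-in for the two nsTSubstring fields involved in
// the crash: a character pointer and an unsigned 32-bit length.
struct MiniString {
    const char16_t* mData = u"";   // empty strings point at a shared terminator
    uint32_t mLength = 0;

    // Same arithmetic as the original accessor's mData[mLength - 1], but only
    // the index is returned, never the dereference. With mLength == 0 the
    // unsigned subtraction wraps to 0xffffffff.
    uint32_t uncheckedLastIndex() const { return mLength - 1; }

    // Byte displacement the faulting instruction would add to mData
    // (mov (%rax,%rdx,2),%ax scales the index by sizeof(char16_t) == 2).
    uint64_t uncheckedLastByteOffset() const {
        return static_cast<uint64_t>(uncheckedLastIndex()) * sizeof(char16_t);
    }

    // Hardened accessor: an empty string has no last character, so say so
    // instead of indexing out of bounds.
    std::optional<char16_t> last() const {
        if (mLength == 0) return std::nullopt;
        return mData[mLength - 1];
    }
};

// Simulated allocation failure switch, standing in for the OOM condition.
static bool gAllocShouldFail = false;

// Assigns text to the string. On allocation failure it returns false and
// leaves the string empty (mLength == 0), mirroring what the report describes
// happening inside Replace() when nsStringBuffer::Alloc fails.
static bool assign(MiniString& s, std::u16string& backing, const std::u16string& text) {
    if (gAllocShouldFail) {
        s.mData = u"";
        s.mLength = 0;
        return false;
    }
    backing = text;
    s.mData = backing.data();
    s.mLength = static_cast<uint32_t>(backing.size());
    return true;
}

// Caller pattern: assign, then look at the last character (as the mailcap
// parser does). The assignment result is checked so a failed allocation is
// propagated rather than followed by an access on an empty string.
// Returns the last character, or 0 when assignment failed or text is empty.
char16_t lastCharAfterAssign(bool simulateOOM, const std::u16string& text) {
    gAllocShouldFail = simulateOOM;
    std::u16string backing;
    MiniString s;
    if (!assign(s, backing, text)) {
        return 0;                      // do not touch s after a failed Replace
    }
    std::optional<char16_t> c = s.last();
    return c ? *c : 0;
}
```

The two defensive points are independent: checking the return of the mutating call stops the empty string from reaching the accessor at all, and the empty check inside `last()` covers every other path that could hand it a zero-length string.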
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX